Legal News

Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit

A preliminary settlement has recently been approved by a California Federal court to resolve a consolidated class action lawsuit against Solara Medical Supplies.

Solara Medical Supplies is a Chula Vista, California-based direct-to-consumer provider of medical devices and disposable medical products and a registered pharmacy. On June 28, 2019, Solara Medical identified suspicious activity in an employee email account. The subsequent investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April 2, 2019, and June 20, 2019, as a result of employees responding to phishing emails.

The forensic investigation confirmed that the sensitive information of 114,007 of its customers had been exposed and potentially stolen, including names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and financial information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.

Four class action lawsuits were filed on behalf of the affected customers, and those lawsuits were consolidated into a single lawsuit. Solara Medical proposed the settlement to resolve the lawsuit and avoid ongoing legal costs but denied any wrongdoing. The settlement dismisses the lawsuit with prejudice and does not constitute any admission of fault, wrongdoing, or liability.

Under the terms of the settlement, Solara Medical has agreed to pay $5,060,000 to cover claims from the plaintiffs and class members and will take steps to improve data security to prevent further security breaches. The six plaintiffs named in the lawsuits will be paid $4,000 each, and all class members who file timely claims will receive $100, plus a pro rata payment of up to $1,000 if any funds remain after the $100 cash payments have been made. The settlement amount includes $2.3 million in attorneys’ fees. If any funds still remain, they will be donated to the Juvenile Diabetes Research Foundation.

For the next two years, Solara Medical will undergo a SOC 2 Type 2 audit, which will be repeated until it is passed; engage an independent third party to perform a HIPAA IT assessment; conduct at least one cybersecurity incident response test a year; and undergo third-party phishing and external-facing vulnerability tests at least twice a year. Solara Medical will also implement a security information and event management (SIEM) tool with a 400-day lookback on activity logs. For the subsequent three years, the same remedial actions, or improved versions of them, will be carried out to the industry standards current at the time.

The post Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

SuperCare Health Sued Over 318,000-Record Data Breach

A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, over a cyberattack and data breach that was reported to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and potential theft of the protected health information of 318,400 patients, including names, addresses, birth dates, patient account numbers, medical record numbers, health insurance information, and testing, diagnostic, treatment, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed.

SuperCare Health said unauthorized individuals had access to its network between July 23, 2021, and July 27, 2021, but did not disclose the nature of the cyberattack. It took SuperCare Health until February 4, 2022, to determine that the files potentially accessed in the attack contained patients’ PHI. Notification letters were sent on March 25, 2022, and according to the notice provided to the California Attorney General, credit monitoring and identity theft protection services were offered to affected individuals.

It is becoming more common for lawsuits to be filed over healthcare data breaches. According to a recently published report from the law firm BakerHostetler, lawsuits are often now filed over relatively small healthcare data breaches and it is common for multiple lawsuits to be filed. In 2021, the law firm was involved in 23 incidents, and 58 lawsuits were filed in response to those breaches. 43 of the lawsuits were filed in response to healthcare data breaches, and 11 of the lawsuits were filed for breaches affecting fewer than 700,000 individuals.

The SuperCare Health lawsuit was filed in the United States District Court for the Central District of California on April 12, 2022, two weeks after notification letters were sent to patients. The lawsuit, Vickey Angulo v. SuperCare Health, alleges SuperCare Health had not implemented adequate and reasonable cybersecurity procedures and protocols to secure the personal and protected health information of the plaintiff and members of the class, despite a known risk of cyberattacks and data breaches at healthcare providers, which are at an all-time high. The lawsuit also alleges SuperCare Health failed to adhere to the security guidelines and standards of the National Institute of Standards and Technology, Federal Trade Commission, and Health Insurance Portability and Accountability Act (HIPAA), and violated state laws.

The lawsuit claims SuperCare Health only provided scant details to victims about the nature of the cyberattack and data breach and did not inform patients about the data breach for more than 6 months after it was detected. The plaintiff said she was notified that unauthorized individuals accessed her information, which included her electronic medical records, but was not offered adequate credit monitoring and identity theft protection services or appropriate compensation for the harm caused.

The plaintiff alleges she has suffered actual injury from the data breach, including damage to and diminution of the value of her private information, and a substantial and present, imminent, and impending injury from the increased risk of identity theft and fraud, and maintains that her personal and protected health information is still available to the public, which would make it possible for anyone to use the information for nefarious purposes.

The lawsuit seeks class action certification, a jury trial, an award of damages, reimbursement of out-of-pocket costs, and a lifetime of credit monitoring services, and for SuperCare Health to make improvements to its security systems and submit to future annual security audits.

Increase in Class Action Lawsuits Following Healthcare Data Incidents

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year: 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2020.

Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480), and the average ransom paid was $875,784 (median $500,846), which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the ransom, and in 97% of cases, data was successfully restored after paying the ransom.

Data exfiltration is now the norm in ransomware attacks. 82% of the ransomware attacks handled by BakerHostetler in 2021 included a claim that the attackers had exfiltrated data prior to encrypting files. In 73% of those incidents, evidence of data theft was uncovered, and 81% required notice to be provided to individuals. The average number of notifications was 81,679 and the median number of notifications was 1,002.

The threat of the exposure of stolen data prompted many organizations to pay the ransom. 33% of victims paid the ransom even though they were able to partially restore files from backups and 24% paid even though they had fully restored files from backups.

There was also an increase in business email compromise (BEC) attacks, in which phishing and social engineering are used to access organizations’ email accounts, which are then used to trick organizations into making fraudulent payments. While there was an improvement in detecting the compromise in time to recover transferred funds – 43% of cases compared to 38% in 2020 – there was an increase in the number of organizations that had to provide notifications about the incident to individuals and regulators, jumping from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are More Common, Even for Smaller Data Incidents

It is now more common for organizations to face class action lawsuits after data security incidents. While class action lawsuits tended to only be filed for large data incidents, it is now increasingly common for smaller data incidents to also result in lawsuits. In 2021, 23 disclosed data incidents resulted in lawsuits being filed, up from 20 in 2020. 11 of the lawsuits related to data incidents involving the data of fewer than 700,000 individuals, with 3 lawsuits filed in relation to incidents that affected fewer than 8,000 individuals.

BakerHostetler identified a trend in 2021 for multiple class action lawsuits to be filed following a data incident. More than 58 lawsuits were filed related to the 23 incidents, and 43 of those lawsuits were in response to data breaches at healthcare organizations.

“There was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” explained BakerHostetler in the report. “This duplicative litigation trend is increasing the ‘race to the courthouse’ filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

OCR is Requesting Evidence of “Recognized Security Practices”

2021 saw record numbers of data breaches reported by healthcare organizations. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021 compared to 663 in 2020, and more data breaches were referred to the Department of Justice to investigate possible criminal violations than in previous years.

In 2021, the HITECH Act was amended to include a HIPAA Safe Harbor for organizations that have adopted recognized security practices for at least 12 months prior to a data breach occurring. BakerHostetler said that in the 40 OCR investigations of organizations that it worked with, OCR frequently asked about the recognized security practices that had been in place in the 12 months prior to the incident occurring. BakerHostetler strongly recommends that organizations examine their security practices, ensure they match the definition of “recognized security practices” detailed in the HITECH amendment, and consider further investments in cybersecurity to meet that definition if their security practices fall short of what is required.

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS to consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for the HHS to establish a methodology for determining the appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is that the HITECH Act has no definition of harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of CMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.

15-Month Jail Term for Woman Who Stole Over $200,000 Using Stolen Patient Data

A woman has been sentenced to serve 15 months in federal prison for her role in a scheme to defraud patients of a Metairie, LA, medical clinic.

In 2015, three individuals were arrested in connection with the scheme following an investigation by the Jefferson Parish Sheriff’s Office in New Orleans and the U.S. Postal Inspection Service.

Brandon Livas, 37, and Royale Lassai, 32, of New Orleans, LA, both pled guilty to a one-count bill of information charging bank larceny in July 2019 for their roles in the scheme, and in August 2021, Ashley Green, 41, pled guilty to a one-count bank larceny bill of information.

Green’s cousin, Lassai, was employed as a clerk at an unnamed Metairie, LA, medical clinic where she was provided with access to patient records to complete her work duties. Lassai accessed the medical records of patients without authorization and provided patient information such as names, dates of birth, addresses, and Social Security numbers to her cousin and her cousin’s then-boyfriend Livas. Lassai was reportedly paid with a $1,000 gift card and was provided with around $150 worth of items for stealing the patient data.

Green and Livas used the information to contact the victims’ banks and request debit cards in the victims’ names. The debit cards were sent to Green’s address and were used by Green and Livas to withdraw around $200,000 from victims’ accounts at Capital One and Whitney. The pair also bought merchandise and used the stolen funds to go on vacation. Livas was previously sentenced to serve 15 years in jail for his role in the scheme, and Lassai was sentenced to 3 months’ probation.

In addition to the 15-month jail term, Green is required to serve 3 years of supervised release and has been ordered to pay $205,863 in restitution to the victims.

Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data

Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals.

In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004.

Six years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained sensitive personal data. Unauthorized individuals had gained access to the property, and files stored throughout the facility appeared to have been examined, potentially by individuals looking for sensitive personal data. At this stage, it is unclear how many former patients of the facility have had their sensitive data exposed and potentially stolen. Files left unsecured at the property included a range of sensitive employee and patient information, including names, contact information, Social Security numbers, driver’s license numbers, financial account information, medical information, and biometric data.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation uncovered no evidence to suggest the hospital took any reasonable measures to permanently destroy or secure sensitive files. The failure to ensure the confidentiality of patient data is a violation of the Health Insurance Portability and Accountability Act (HIPAA); however, as is often the case, legal action is being taken for equivalent violations of state laws. The lawsuit alleges the defendants were in violation of the Arkansas Personal Information Protection Act (PIPA) and the Arkansas Deceptive Trade Practices Act (ADTPA). Country Medical Services and the owners now face civil penalties of up to $10,000 for each violation of PIPA and the ADTPA.

“Consumers must be able to trust their healthcare providers and employers to protect their personal information,” said AG Rutledge. “Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to scams and identity theft. I am holding the hospital and its owners accountable.”

DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty

The U.S. Department of Justice (DOJ) has announced a settlement has been reached with the Cape Canaveral, FL-based healthcare services contractor, Comprehensive Health Services (CHS), to resolve alleged False Claims Act violations.

This is the first settlement to be reached under the DOJ Civil Cyber Fraud Initiative, which was launched in 2021 to pursue cases against government contractors that knowingly used deficient cybersecurity products and services that put information systems at risk, and against contractors that failed to report cybersecurity incidents.

CHS and its subsidiaries had contracts with the U.S. Department of State and the U.S. Air Force to operate medical services at U.S. military facilities in Afghanistan and Iraq. Two actions were filed under the whistleblower provisions of the False Claims Act that alleged CHS received payment for operating those medical facilities but failed to operate them in a manner consistent with U.S. standards.

CHS was alleged to have failed to maintain appropriate staffing levels, allowed unqualified individuals to perform surgery, pharmacy, and radiology services, and claimed that some of the controlled substances provided to patients at the medical facilities had been approved by the U.S. Food and Drug Administration or European Medicines Agency, when those substances had been imported from South Africa and had not been approved. CHS was accused of bidding on the contracts to run the medical facilities when it was aware that it was unable to meet its obligations to do so.

Between 2012 and 2019, CHS submitted claims for reimbursement of $486,000 under its contract but did not disclose that it had failed to consistently store medical records in a secure, HIPAA-compliant electronic medical record (EMR) system. CHS staff scanned medical records for the EMR system but saved scanned copies of some of the records on an internal network drive, which could be accessed by non-clinical staff, including Iraqi nationals employed at the site. Some staff members expressed concern about the insecure storage of private medical information, but CHS took no action to address the issue and failed to ensure medical records were only stored in the EMR system. CHS was also alleged to have been made aware of several HIPAA breaches but failed to disclose them.

CHS agreed to settle the case with no admission of liability and agreed to pay a financial penalty of $930,000 to resolve the alleged False Claims Act violations.

“This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”

Logan Health Facing Class Action Lawsuit Over Data Breach

Legal action is being taken against Logan Health and subsidiary, sister, and related entities of Logan Health over a data breach that occurred in 2021 and affected 213,543 Logan Health Medical Center patients.

The class action lawsuit was filed in the U.S. District Court for the District of Montana Great Falls Division by law firm Heenan & Cook on behalf of plaintiff Allison Smeltz and all similarly affected individuals over the alleged failure of the health system to protect the plaintiff’s and class members’ sensitive personal information.

The data breach in question was reported by Logan Health in February 2022, with its investigation confirming unauthorized individuals had access to its system between November 18, 2021, and November 22, 2021. Hackers gained access to a single file server housing files that contained patients’ protected health information such as names, contact information, insurance claim information, date(s) of service, medical bill account number, and health insurance information. Logan Health said it had found no evidence of misuse of patient data, offered affected individuals complimentary credit monitoring and identity protection services, and said it is implementing additional measures to prevent similar data breaches.

According to the lawsuit, the cyberattack and data breach were due to the failure of Logan Health to “implement adequate and reasonable training of employees and/or procedures and protocols,” and claims Logan Health and the other defendants should have been aware of the value of protected health information to hackers and the risk of data breaches, given the number of breaches now being reported and the warnings from Federal agencies to the healthcare industry.

The lawsuit points out that the data breach was one of several to have affected Logan Health. Logan Health reported another breach in January 2021 that affected 2,081 Montanans, and another in 2019 that affected 126,805 Montanans when Logan Health was operating as Kalispell Regional Healthcare.

The lawsuit claims that as a direct result of the failure to prevent the data breach, victims have suffered and will continue to suffer damages, including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation from identity theft or fraud, lost opportunity costs and lost wages, and the continued risk to their PII/PHI from the failure of Logan Health to implement appropriate safeguards to protect against data breaches.

The lawsuit cites several causes of action, including negligence, invasion of privacy, breach of implied contract, unjust enrichment, and violations of the Montana Consumer Protection Act, and alleges Logan Health had failed to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit seeks class action status, a jury trial, injunctive relief, compensatory, statutory, and punitive damages, and attorneys’ fees.

Sea Mar Community Health Centers Facing Class Action Lawsuit over 688,000-Record Data Breach

Seattle, WA-based Sea Mar Community Health Centers is facing a class action lawsuit over a cyberattack in which the protected health information of 688,000 individuals was compromised. The breach came to light in June 2021 when files stolen in the attack were posted on the Marketo dark web leak site.

Databreaches.net spotted the leaked data on the Marketo data leak site in June 2021 and contacted Sea Mar. In October 2021, Sea Mar sent notification letters to affected individuals and explained that the hackers gained access to its network between December 2020 and March 2021 and exfiltrated sensitive data including names, addresses, Social Security numbers, dates of birth, and health information. The data breach was reported to the HHS’ Office for Civil Rights the same month as affecting 688,000 current and former patients. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.

According to Databreaches.net, the threat group behind the attack claimed to have stolen 3TB of data from Sea Mar. There may also have been a further disclosure of the stolen data by a threat group known as Snatch Team. Databreaches.net found multiple references to Sea Mar in a 22TB set of data, as did a researcher at Intel. In addition to being posted on dark web leak sites, Databreaches.net said the stolen data had also been posted on at least two clear net leak sites – those operated by Marketo and Snatch Team.

The latest lawsuit – Hall v. Sea Mar Community Health Centers – was filed in Washington state superior court on behalf of former Sea Mar patient Alan Hall and “more than 650,000” others affected by the data breach.

The lawsuit alleges Sea Mar was negligent for failing to implement adequate and reasonable cybersecurity procedures and protocols to protect patient and employee information and maintained sensitive patient data “in a reckless manner.” Sea Mar is alleged to have failed to disclose it did not have adequately robust computer systems and security practices and was not properly monitoring its network for intrusions, which allowed the threat actors to access its systems for four months. The lawsuit also alleges Sea Mar delayed issuing breach notifications, which were sent around 10 months after the initial intrusion and 4 months after the data breach was discovered.

The lawsuit alleges the plaintiff and class members are exposed to a present and imminent risk of fraud and identity theft because their sensitive data is in the hands of data thieves and has been made available to other cybercriminals through the leaking of the data on the dark web.

The plaintiffs and class members are alleged to have suffered injury and ascertainable losses due to the threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, the value of their time spent mitigating the effects of the cyberattack and data breach, and loss of value of their personal information.

The lawsuit seeks compensatory damages, nominal damages, reimbursement of out-of-pocket expenses, and injunctive relief, including investment in cybersecurity to better protect patient and employee data, submitting to future annual data security audits, and the provision of at least three years of identity theft and credit monitoring services to victims of the data breach.