Legal News

EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen.

The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed.

On January 3, 2022, Matthew Tincher, a Frankfort, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit alleges Tincher and class members have suffered actual, concrete, and imminent injury, including present injury and damages from identity theft, loss or diminished value of their PHI and PII, and have incurred out-of-pocket expenses from attempting to remedy the exposure of their sensitive information and have had to spend time mitigating the effects of the unauthorized data access. They also face a continued and increased risk to their PHI and PII, which were unencrypted and remain available to unauthorized parties to access and abuse.

The lawsuit also takes issue with the speed at which QRS issued breach notification letters, which were sent almost 2 months after the discovery of the breach. During those two months, the plaintiff and class members were unaware they had been placed at significant risk of identity theft, fraud, and personal, social, and financial harm.

The lawsuit alleges QRS had a responsibility to ensure the PHI and PII within its patient portal were appropriately protected, and that the breach of its duties to protect that information amounts to negligence and/or recklessness in violation of federal and state statutes. The lawsuit claims QRS signed business associate agreements (BAAs) with its healthcare provider clients, so it was aware or should have been aware of its responsibilities to ensure PHI was protected against cyberattacks. The lawsuit also lists cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) that it says should have been implemented, and maintains QRS should have been aware of the high risk of being attacked given the large number of healthcare data breaches reported in recent years.

Lawsuits are often filed against healthcare organizations over data breaches that exposed sensitive information. Whether the lawsuits succeed often depends on whether the plaintiffs are able to demonstrate they have suffered actual harm as a direct consequence of the data breach. Tincher claims to have been notified about the breach on October 22, 2021, and within 3 days was the victim of actual identity theft, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the data breach.

The lawsuit alleges the total damages incurred by the plaintiff and class members exceed the minimum $5 million jurisdictional amount required by the Court, and that the Court has jurisdiction over the defendant because QRS operates and is incorporated in the district. The plaintiff and class members seek a jury trial, unspecified damages, and injunctive and equitable relief.

The post EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach appeared first on HIPAA Journal.

BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen.

Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered.

Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information, diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost.

In late December, BioPlus patient Bonnie Gilbert and her attorneys filed a lawsuit in the U.S. District Court for the Middle District of Florida alleging BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to ensure the confidentiality, integrity, and availability of the PHI of its patients.

The lawsuit alleges negligence for failing to maintain reasonable data security safeguards, failing to implement industry-standard data security practices, and failing to exercise reasonable care in the hiring and supervision of its employees and agents. The lawsuit also claims BioPlus failed to detect the attack and the exfiltration of sensitive data from its network, and delayed breach notifications. The lawsuit claims that if a reasonable amount of care had been taken and appropriate data security measures had been in place, the attack could have been detected sooner and/or prevented.

The lawsuit alleges the plaintiff and class members have suffered “numerous actual and imminent injuries” as a direct result of the data breach, including the theft of their PII and PHI, invasion of privacy, a reduction in the economic value of their PII and PHI, emotional distress and stress, and a significant present and future risk of identity theft and financial fraud, as well as incurring costs attempting to mitigate and deal with the consequences of the data breach.

The lawsuit seeks class action certification, a jury trial, injunctive relief, declaratory relief, and monetary damages. The plaintiff is represented by Morgan & Morgan and Markovits, Stock, & DeMarco LLC.

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of the notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals who had received a letter informing them that their personal and health information had been compromised in the data breach, despite having no direct connection to RIPTA. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA, seeking answers about the data breach and asking why individuals with no relationship whatsoever with RIPTA had been notified that their personal data was involved in the breach. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said that description is “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants said they had never been employed by RIPTA, and some said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, when the notification letters stated the breach affected 17,378 individuals in Rhode Island, which raises the question of why RIPTA was storing the data of an additional 12,363 individuals.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals that had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of individuals with no connection to RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The reason for the delay in issuing notifications was explained as being due to the labor-intensive process of determining which individuals had been affected and verifying contact information, and also sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IL-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December.

The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files.

Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims.

While the attack was detected in December 2020, it took until December 2021 for notification letters to be issued to affected individuals and for state attorneys general and the HHS’ Office for Civil Rights to be notified about the breach, 6 months after it was confirmed that sensitive data was stolen in the attack.

The lawsuit was filed by Mason Lietz & Klinger LLP in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. The lawsuit alleges Bansley & Kiener failed to safeguard the sensitive data of its clients and failed to provide timely, accurate, and adequate notice of the data breach to individuals whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed the issuing of notifications about the data breach, even though the individuals whose data was stolen were placed at significant risk of identity theft and various other forms of personal, social, and financial harm. When the notifications were sent, they failed to fully explain the nature of the breach. They did not explain that this was a ransomware attack and referred to the incident as an unauthorized person gaining access to its network that resulted in the encryption of systems.

The lawsuit also takes issue with the response to the data breach. After discovering the attack, files were restored from backups and normal business operations were resumed, and it was only when it was discovered that data had been exfiltrated from its systems, 5 months after the attack, that cybersecurity experts were retained to investigate the breach.

The lawsuit alleges Bansley & Kiener suffered a data breach due to “negligent and/or careless acts and omissions” relating to the safeguarding of sensitive data, and failed to monitor its systems for security vulnerabilities. The lawsuit alleges victims of the breach have incurred out-of-pocket expenses related to the prevention, detection, and resolution of identity theft and/or unauthorized use of their data, have spent time trying to mitigate the effects of the data breach, and have suffered from the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal costs, and a jury trial.

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA).

Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.

In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.

Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security and integrity of patient data, failing to implement security measures to reduce risks and vulnerabilities to an acceptable level, failing to conduct an accurate and comprehensive risk assessment, and failing to implement a security awareness and training program for all members of the workforce.

Under the terms of the settlement, the three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.

The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.

Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The cyberattack exposed the protected health information (PHI) of 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021, and the hackers had access to files containing PHI until October 17, when they were ejected from the network.

The files on the affected systems contained names, addresses, birth dates, diagnoses, treatment, and prescription information, and some files were exfiltrated from its network prior to file encryption. PPLA said it has found no evidence to suggest patient data has been misused.

A PPLA patient whose PHI was exposed in the data breach has taken legal action over the incident. The lawsuit was filed in the U.S. District Court for the Central District of California and alleges the patient and class members have been placed at imminent risk of harm as a result of the theft of their sensitive health data, which included electronic health records detailing the procedures performed by PPLA, such as abortions, treatment of sexually transmitted diseases, emergency contraception prescriptions, cancer screening information, and other highly sensitive health data.

The lawsuit also references the timing of the attack, which coincided with Supreme Court debates on abortion, and says the exposure of information on abortion procedures at such a time makes it more likely that patients will suffer harm. In addition to facing an imminent risk of harm, affected individuals are likely to continue to suffer economic and actual harm and have lost control of their healthcare data. They have also incurred out-of-pocket expenses as a direct result of the data breach such as costs and time spent securing their accounts, monitoring for identity theft and fraud, and taking action to prevent misuse of their personal information. The lead plaintiff alleges she has suffered actual harm as a result of the breach, including stress and anxiety, and has also suffered damage and diminution in the value of her personal information.

While there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA), the lawsuit alleges PPLA has violated HIPAA by failing to ensure the confidentiality of patient data and insufficient cybersecurity measures had been put in place to prevent unauthorized PHI access. The lawsuit also states that this is the third data breach PPLA has suffered in the past three years.

In addition to the HIPAA violations, the lawsuit claims PPLA also violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit seeks compensatory and statutory damages, injunctive relief, investment in cybersecurity measures to ensure further breaches do not occur, and for affected individuals to be provided with identity theft protection and restoration services and to be covered by an identity theft insurance policy.

Medical Biller Faces Decades in Jail for Healthcare Fraud, Identity Theft, and Tax Offenses

A medical biller in the Tampa Bay area of Florida has pleaded guilty to four counts of healthcare fraud, four counts of aggravated identity theft, two counts of failing to file a tax return, and one count of filing a false tax return.

Joshua Maywalt, 40, of Tampa, worked as a medical biller at a Clearwater company that provided credentialing and medical billing services to a range of healthcare provider clients in Florida. In his capacity as a medical biller, Maywalt was able to access the company’s financial, medical provider, and patient information.

Maywalt was assigned to a Tampa Bay area physician’s account and submitted claims to Florida Medicaid HMOs for services provided by that physician to recipients of Medicaid. Maywalt wrongfully accessed the company’s patient information and used the name and identification number of the physician to submit false and fraudulent claims to a Florida Medicaid HMO for services that Maywalt claimed were provided by the physician when they had not been. The “pay to” information on the claims for the fictitious medical services was changed to account numbers under Maywalt’s control.

In the 2017 and 2018 tax years, Maywalt failed to file a tax return with the Internal Revenue Service, and he filed a false tax return for the 2019 tax year in which he substantially underreported his income by omitting the amounts paid into his bank accounts from his fraudulent billing activities.

According to the United States Attorney’s Office, Middle District of Florida, Maywalt will forfeit $2.2 million in funds and real estate property that are directly traceable to his offenses. He now faces a maximum jail term of 53 years: 10 years for each healthcare fraud count, up to 3 years for filing a false tax return, up to 1 year for each count of failure to file a tax return, and a mandatory 2 years for each count of aggravated identity theft. The aggravated identity theft sentences will run consecutively.

The case was investigated by the Department of Health and Human Services’ Office of the Inspector General, the Federal Bureau of Investigation, the Florida Attorney General’s Medicaid Fraud Control Unit, and the Internal Revenue Service – Criminal Investigation.

New Mexico Hospital Hit with Class Action Lawsuit over 2020 Data Breach

San Juan Regional Medical Center in Farmington, New Mexico is facing a class action lawsuit over a 2020 data breach that was announced in June 2021. The breach investigation confirmed an unauthorized individual gained access to its network and exfiltrated files containing sensitive patient data between September 7, 2020, and September 8, 2020.

The data breach was initially reported to the HHS’ Office for Civil Rights as affecting 500 individuals, with San Juan Regional Medical Center saying at the time that at least 500 individuals had been affected. When the total number of individuals affected by a security breach is not known, breaches can be reported to OCR and the breach report updated when further information is known. The breach investigation later confirmed that the protected health information (PHI) of 68,792 individuals had potentially been stolen in the attack.

While data theft was confirmed, the hospital has not uncovered any evidence to suggest any patient’s PHI has been misused and individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed on October 7, 2021, on behalf of Jeremy Henderson and all other San Juan Regional Medical Center patients affected by the data breach. The lawsuit alleges the way San Juan Regional Medical Center handled patient data was negligent, which resulted in sensitive information being exposed and stolen by hackers. The lawsuit also alleges the hospital failed to implement appropriate safeguards to protect patient data, in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also takes issue with the length of time it took to issue notifications. Henderson said he was notified about the breach on September 13, 2021, more than a year after his PHI was stolen.

The lawsuit alleges the plaintiff and class members face a substantial risk of identity theft and fraud as a result of the theft of their protected health information and will be required to spend time and effort monitoring their accounts and statements and taking other steps to protect against identity theft and fraud, and that 12 months of credit monitoring and identity theft protection services is insufficient. The lawsuit seeks unspecified damages.

Patient Sues Eskenazi Health Over Ransomware Attack and Misuse of Her Data

An Eskenazi Health patient whose protected health information was stolen in an August 2021 ransomware attack is suing the healthcare provider over the data breach.

It is now common for ransomware gangs to exfiltrate sensitive data prior to using ransomware to encrypt files. The stolen data is used to threaten victims to encourage payment of the ransom, as was the case in the Eskenazi Health ransomware attack. Indianapolis, IN-based Eskenazi Health discovered the attack in early August and immediately shut down its computer systems in an attempt to prevent further unauthorized access and contain the attack. The healthcare provider took the decision to divert ambulances and cancel certain appointments as a safety measure while its electronic medical record system was offline.

The investigation into the breach determined its systems had first been compromised in May and files containing sensitive patient data had been exfiltrated from its systems. Notification letters started to be sent to affected patients in early November and patients were informed of the data theft and were offered complimentary identity theft protection and credit monitoring services. At the time of issuing notifications, there had been no reports of any misuse of patient data, although some patient data had been published on the gang’s data leak site. The breach report submitted to the HHS’ Office for Civil Rights in early October indicates 1,515,918 patients were affected by the breach.

Eskenazi Health said the stolen data related to employees, providers, patients, former patients, and vendors and included names, addresses, telephone numbers, email addresses, dates of birth, medical record numbers, patient account numbers, diagnoses, clinical information, physicians’ names, insurance information, prescriptions, driver’s license numbers, passport numbers, face photographs, Social Security numbers, and credit card information.

Eskenazi Health patient Terri Ruehl Young was one of the individuals impacted by the data breach. In her lawsuit Young claims a fraudulent charge of $370 was applied to the credit card she used to pay for her treatment and her Equifax credit report showed an attempt to change her name.

The lawsuit alleges patients placed their trust in Eskenazi Health to secure its systems and protect patient data, but the healthcare provider betrayed that trust by failing to implement up-to-date security practices and appropriate safeguards to protect patient data. The lawsuit alleges negligence, breach of contract, and unjust enrichment.

The lawsuit also takes issue with the length of time it took Eskenazi Health to notify patients about the data breach. The lawsuit claims that notification letters were sent more than 6 months after hackers first breached its systems, and 3 months after the breach was discovered by Eskenazi Health. The HIPAA Breach Notification Rule requires notifications to be issued without unreasonable delay and no later than 60 days after the discovery of a data breach.

The lawsuit, which was filed by Cohen and Malad and John Steinkamp & Associates, seeks class action status and requests a jury trial. A spokesperson for Eskenazi Health said the lawsuit has yet to be formally served.