Legal News

Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack

A lawsuit has been filed in the US District Court for the District of Massachusetts against Quest Diagnostics and its subsidiary, ReproSource Fertility Diagnostics, over an August 2021 ransomware attack that affected 350,000 patients.

On October 8, 2021, ReproSource started sending notification letters to affected patients informing them that some of their protected health information had potentially been accessed or stolen prior to ransomware being used to encrypt files. The types of data stored on parts of its network that were accessible to the attackers included names, dates of birth, test results, medical histories, diagnosis codes, Social Security numbers, billing information, and other information.

While breach notification letters were sent within the 60 days allowed by HIPAA, the lawsuit alleges Quest and ReproSource failed to issue timely notifications to patients, which violated Massachusetts law. It also alleges that when the notification letters were issued – more than a month after the attack – they lacked important information about the breach, such as whether the servers that stored patient data were accessed by the attackers, whether data on those servers were encrypted, how the attack occurred, and which systems had been affected. The patient named in the lawsuit, Jasmyn Bickham, claims to have received a letter stating her protected health information had been released, while the breach notice published on its website failed to say whether patients’ information was acquired by the hackers.

The lawsuit alleges the hackers were able to gain access to ReproSource’s systems because of the failure to implement appropriate safeguards to protect patient data, as is required by the HIPAA Security Rule, and if those measures had been implemented, the ransomware attack and data breach could have been prevented. The lawsuit alleges the failure to safeguard data violated several state and federal laws, and the security failures were “especially egregious” due to the number of warnings issued to the healthcare industry about the increase in ransomware attacks.

Under HIPAA, security awareness training must be provided to the workforce. The lawsuit alleges a violation of HIPAA and Federal Trade Commission regulations for training failures, claiming security awareness training had not been provided at defined intervals and the training program had not been tailored to employees with differing levels of knowledge about technology and cybersecurity.

The lawsuit alleges negligence, breach of contract, breach of implied contract, and breach of fiduciary duty and seeks class action status. The lawsuit claims patients affected by the breach face an elevated risk of identity theft and fraud, and that they have had to spend time protecting themselves against identity theft and fraud.

The lawsuit seeks actual, compensatory, punitive, and statutory damages, attorneys’ fees, and calls for ReproSource to enhance its security systems and return wrongfully retained revenue. In addition, the lawsuit seeks at least three years of credit monitoring services for the plaintiff and class members. ReproSource only offered 12 months of credit monitoring services to affected individuals.

The post Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records.

The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified.

The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the requested records or for unnecessary delays. In some cases, patients have had to wait many months before they were provided with a copy of their records.

The latest announcement by OCR brings the total number of HIPAA Right of Access enforcement actions under the 2019 enforcement initiative up to 25.

In all of the new cases below, OCR determined the healthcare providers were in violation of 45 C.F.R. § 164.524 and had not provided timely access to protected health information about the individual after receiving a request.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, agreed to settle OCR’s investigation and paid a $32,150 financial penalty and will be monitored by OCR for compliance with its corrective action plan for 2 years. The investigation stemmed from a complaint from a patient who requested his medical records on November 25, 2019, but was not provided with the records until March 19, 2020.

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, settled its investigation with OCR and paid a $30,000 financial penalty and will be monitored for compliance with its corrective action plan for 12 months. A patient alleged she had requested her records in December 2018 but did not receive a copy of her records until July 26, 2019. OCR had provided technical assistance to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same patient and closed the case. When evidence was received of continued non-compliance the case was reopened. OCR determined that in addition to the delay, Denver Retina Center’s access policies and procedures were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, settled OCR’s investigation and paid a $160,000 financial penalty and will be monitored for compliance with the corrective action plan for 12 months. OCR had received three complaints from a patient who had not been provided with a copy of her medical records. The patient had requested a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, settled OCR’s investigation and paid a $10,000 financial penalty and has agreed to take corrective action to prevent further HIPAA Right of Access violations. OCR had received a complaint from a patient who requested a copy of her medical records on June 27, 2019 and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for providing copies of medical records. As of the date of the settlement, the patient has still not been provided with the requested records.

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not cooperate with OCR during the investigation, although he did not contest the findings and waived his right to a hearing. A civil monetary penalty of $100,000 was imposed by OCR. An investigation was launched following receipt of a complaint from a former patient who alleged he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after advising Dr. Glaser to investigate the complaint and provide the requested records if the requests were in line with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018, and provided evidence of further written requests. OCR tried to contact Dr. Glaser on multiple occasions by letter and phone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

Class Certification Order Lifted in Data Breach Lawsuit Against West Virginia University Health System

A class action lawsuit filed against West Virginia University Health System over a breach of the protected health information of 7,445 patients has had the class certification order lifted by the Supreme Court of Appeals of West Virginia.

The lawsuit is related to an insider data breach that occurred in 2016. Between March 2016 and January 2017, Angela Roberts, a former registration specialist at Berkeley Medical Center and Jefferson Medical Center, which are affiliated with West Virginia University Health System, accessed the medical records of 7,445 patients with a view to committing identity theft and fraud. When the unauthorized access was discovered, Roberts admitted she had accessed the medical records for work purposes, but also to steal patient data to provide to her boyfriend and co-defendant Ajarhi “Wayne” Roberts.

When viewing the medical records for legitimate work purposes, Ms. Roberts determined whether there was enough information to allow her and her boyfriend to steal patients’ identities. If sufficient information was there, the information was stolen and provided to Mr. Roberts with a view to committing identity theft. Fake Social Security cards were then produced in order to commit bank fraud.

Ms. Roberts was charged in a 36-count indictment and signed a plea agreement to one count of identity theft in 2017. She admitted unlawfully acquiring the names, signatures, dates of birth, Social Security numbers, and driver’s license numbers of 10 patients, and that she passed that information to her boyfriend who used the information to open accounts. Victims suffered monetary losses of $20,757 and Roberts was ordered to pay $5,189.25 in restitution.

A lawsuit was filed on behalf of plaintiffs Deborah Welch and Eugene Roman that sought class action status covering the patients whose medical records were impermissibly accessed. Welch and Roman successfully certified a class of 7,445 patients; however, the defendants argued that the class representatives lacked standing as they had suffered no injury-in-fact from the legitimate accessing of their medical records by Ms. Roberts.

The Supreme Court of Appeals recently determined Welch lacked standing to sue for a breach of confidentiality or an invasion of privacy because she had suffered no injury-in-fact from the employee’s legitimate accessing of her medical records, and other prerequisites to class certification were not met. The Supreme Court of Appeals ruled that Roman, who represented a subclass of 109 individuals, also failed to meet the prerequisites for class certification and that the circuit court failed to provide a thorough analysis of the typicality prerequisite in light of Roman’s circumstances and claims. The class certification order was lifted because, for a class action lawsuit to proceed, at least one of the named plaintiffs must have standing.

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States.

Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses.

Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin.

The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat actors are believed to reside in Russia, where there is no extradition treaty, so there is little chance of them facing justice unless they leave Russia.

International arrest warrants have been issued for both individuals and Vasinskyi was arrested in October at the Polish border. Poland signed an extradition treaty with the United States in 1996 and the U.S. is currently seeking Vasinskyi’s extradition. Polyanin has yet to be apprehended.

“Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” said Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas. “In a matter of months, the Justice Department identified the perpetrators, effected an arrest, and seized a significant sum of money. The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cybercriminals.”

State Department Offers $10 Million Reward for Information on Leaders of REvil and DarkSide Ransomware Operations

Individuals with information about Polyanin, other leaders of the REvil and DarkSide ransomware groups, or affiliates who conducted attacks, are being encouraged to come forward. The U.S. State Department has announced a reward of up to $10 million for information that leads to the identification or location of leaders of the REvil/DarkSide ransomware groups, with up to $5 million paid for information that leads to the arrest and conviction of any individual who conspired to participate or attempted to participate in a REvil/DarkSide ransomware attack. The size of the rewards being offered for information clearly shows how focused the United States is on bringing ransomware threat actors to justice.

The pressure being put on ransomware gangs appears to be having some effect. Chris Inglis, U.S. National Cyber Director, recently told House lawmakers that there has been a discernible decrease in Russia-based cyberattacks, and the DoJ says it expects there to be several more arrests in relation to the REvil and DarkSide ransomware attacks in the coming weeks.

Global Law Enforcement Effort Results in Multiple Arrests

The United States is not the only country to be laser-focused on bringing ransomware threat actors to justice. An international law enforcement operation dubbed GoldDust involving 17 nations has recently resulted in the arrest of 7 hackers believed to be involved in the REvil and GandCrab ransomware operations. The Europol, Eurojust, and INTERPOL-coordinated operation saw three individuals arrested in South Korea, two in Romania, one in Kuwait, and one in an unnamed European country, with the latest takedown occurring on November 4 in Romania and Kuwait.

The three individuals in South Korea were previously arrested in February, April, and October for their roles in attacks involving GandCrab ransomware, which is believed to be the predecessor of REvil/Sodinokibi. The GoldDust operation has been active since 2018 and was launched in response to the GandCrab ransomware attacks.

The previous week, Europol announced 12 individuals had been arrested in raids in Ukraine and Switzerland over their suspected involvement in attacks involving LockerGoga and other ransomware. Those individuals are believed to have had specialist roles in various stages of the attacks, from infiltration to cashing out and laundering millions in ransom payments.

In September, a French National Gendarmerie, Ukrainian National Police, Europol, and INTERPOL operation resulted in the arrest of 2 individuals suspected to be members of two prolific ransomware operations. That operation also saw $375,000 in cash and luxury vehicles seized, and the asset freezing of $1.3 million in cryptocurrency.

In addition, a 30-month operation dubbed Operation Cyclone, which involved law enforcement agencies in multiple countries, resulted in the arrest of 6 individuals believed to be involved in the Clop ransomware operation, with those arrests occurring in June 2021. The operation saw searches conducted at 20 locations and resulted in the seizure of $185,00 in cash and computer equipment suspected of having been used to conduct the attacks. The Clop ransomware gang had conducted many attacks in the United States, including those on the University of Colorado, Stanford Medicine, University of California, and the University of Maryland Baltimore.

While these arrests will cause some disruption to the activities of ransomware gangs, they represent just a fraction of the individuals involved in ransomware attacks, many of whom can be easily replaced. The core members of the ransomware operations are believed to reside in Russia where they remain untouchable.

Federal Judge Rules in Favor of UMMC in Legal Battle Over Theft of Patient Data

A federal judge has ruled in favor of University of Mississippi Medical Center (UMMC) in an unauthorized access and data theft case against three former employees.

UMMC took legal action against Dr. Spencer Sullivan and other former employees over the alleged theft and use of patients’ medical records. In July 2014, UMMC hired Dr. Sullivan as the medical director of its Hemophilia Treatment Center. When he joined UMMC, Dr. Sullivan signed a contract with a non-compete clause, which prevented him from using UMMC data to solicit patients for an independent practice.

According to the lawsuit, in January 2016, Sullivan started making arrangements to open his own hemophilia clinic and pharmacy and conspired with other UMMC staff members – Linnea McMillan, Kathryn Sue Stevens, and Rachel Henderson Harris – to assist with setting up the new practice, which included compiling a list of UMMC patients.

A patient list was created that included patient names, telephone numbers, dates of birth, diagnosis, prescription information, insurance information, and pharmacy information. After setting up the practice, in June 2016 Dr. Sullivan resigned from UMMC and used the patient list to solicit patients and encouraged them to continue their treatment at his new Mississippi Center for Advanced Medicine in Madison, MS.

Around 20 UMMC employees were recruited to work at the new, for-profit medical center and most of the patients of Batson Children’s Hospital chose to follow their physicians and switched to the new clinic.

UMMC took legal action against Dr. Sullivan and his co-conspirators alleging violations of the Computer Fraud and Abuse Act and the Federal Trade Secrets Act, with all defendants denying stealing patient information from UMMC. In 2018, the Clarion-Ledger covered the story and ongoing legal battle between UMMC, Sullivan, and his co-conspirators. After reading the story, McMillan’s ex-husband contacted UMMC and provided a copy of the patient list, which he said he found in his ex-wife’s car. That discovery marked a major shift in the litigation; however, even though the list had been recovered, the defendants continued to deny under oath stealing and using patient data.

Then, in April 2021, Harris admitted to lying in her deposition and provided 1,469 pages of text messages that were sent by herself and her co-defendants in relation to the UMMC patient data, which revealed that they had conspired to shred stolen documents, which included destroying patient data. She also confirmed that Sullivan, McMillan, Stevens, and she had used the patient list. On June 22, 2020, the court dismissed with prejudice all claims against Harris.

On March 12, 2021, UMMC filed a motion for default judgment against the remaining defendants, alleging they had all committed perjury and had all engaged in spoliation of evidence by destroying the patient list and other data stolen from UMMC.

Sullivan had denied possessing hard drives containing files and emails stolen from UMMC, but when a magistrate judge ordered him to provide either the hard drives or his computer, Sullivan admitted possessing files on a hard drive and USB drive and provided them to the defense team.

On October 8, 2021, U.S. District Judge Carlton Reeves issued a default judgment in favor of UMMC and the case has now been scheduled for trial on February 16, 2020.

“The Court issued a default judgment against defendants who destroyed, and then before this Court lied and denied destroying, data essential to the plaintiff’s claim. In so ruling, this Court emphasized that Defendant’s conduct constituted ‘an assault on this Court’s ability to find the truth, to do justice,’” wrote Reeves. “At every turn, Defendants’ persistent lies under oath, willful destruction of evidence, and obstinate withholding of evidence thwarted UMMC’s discovery efforts. This pattern of evasion unnecessarily drove up the expense of litigation, both in time and in money, for UMMC. Once caught, defendants showed little remorse.”

Reeves went on to write, “Defendants’ lies and evasions, particularly Dr. Sullivan’s recent conduct in relation to the long-sought hard drives, suggest that nothing less than the full exercise of this court’s inherent power will command the defendants’ respect for the judicial process, or secure their commitment to telling this court the truth.”

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail.

Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums.

In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela.

Three of Johnson’s co-conspirators were arrested and charged for their roles in the UPMC cyberattack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States and pleaded guilty in April 2017 to money laundering and aggravated identity theft. He was sentenced in 2017 to 6 months of time served.

In April 2017, Justin A. Tollefson of Spanaway, Washington, a staff sergeant at Joint Base Lewis-McChord in Tacoma, Washington, pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web forum and used the data to file fraudulent tax returns in the names of four UPMC employees. $56,333 was paid by the IRS in income tax refunds, but Tollefson was arrested before he received any funds. The judge was lenient as Tollefson had not profited from the fraud and sentenced him in 2017 to 3 years of probation.

Maritza Maxima Soler Nodarse, a Venezuelan national, pleaded guilty to conspiracy to defraud the United States in July 2017 for her role in the identity theft and tax fraud crimes. She received a 16-month time-served sentence and was deported to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking charges due to the severity of the offenses and the impact they had on the lives of his victims. Chief United States District Judge Mark R. Hornak said Johnson’s behavior was like a “bulldozer” through people’s lives and his indiscriminate hacking activities showed no regard for his victims. “The actions of criminals like Justin Johnson can have long-lasting and devastating effects on the lives of innocent people,” said Yury Kruty, Acting Special Agent in Charge of IRS-Criminal Investigation.

Johnson was sentenced to serve 60 months in jail for the conspiracy to defraud the United States charge and a mandatory 24-month sentence for aggravated identity theft, with the sentences to run consecutively.

“Justin Johnson stole the names, Social Security numbers, addresses, and salary information of tens of thousands of UPMC employees, then sold that personal information on the dark web so that other criminals could further exploit his victims,” said Acting U.S. Attorney Kaufman. “Today’s sentence sends a deterrent message that hacking has serious consequences.”

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty.

Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI).

Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network, which contained the PHI of 14,663 patients, 11,071 of whom were New Jersey residents.

As a HIPAA covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access.

Diamond Investigated for Compliance with Federal and State Laws

The State of New Jersey Department of Law and Public Safety Division of Consumer Affairs investigated Diamond over the data breach to determine compliance with federal and state laws. The investigation revealed Diamond had entered into a support contract with the managed service provider (MSP) Infoaxis Technologies in 2007, which included security and information technology services such as maintaining its third-party server and workstations. The service agreement included third-party software for the management and reporting of audit logs intended to interpret triggers for event alerts.

Around March 2014, Diamond downgraded its support package with the MSP, resulting in a reduction in the services provided, although Diamond maintains there was no reduction in services between the two support agreements other than the amount of time included for on-site support services.

Prior to the breach occurring, Diamond’s HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) service with a VPN to access the Diamond network, but because the VPN was blocked from the Bermuda office, the MSP provided a different method of access that involved opening a port in the firewall to allow RDP access, instead of using the VPN for authentication.

Between August 28, 2016 and January 14, 2017, a workstation in the Millburn office was accessed by an unauthorized individual on several occasions from a foreign IP address. The unauthorized access was detected and blocked on January 14, 2017. During the time the workstation was accessible, data on the device was not encrypted. The intruder therefore potentially accessed patient data including names, dates of birth, Social Security numbers, and medical record numbers.

An investigation into the breach also revealed an intruder accessed Diamond’s third-party server which housed its electronic medical records within a password-protected SQL server using two compromised Diamond user accounts that had weak passwords. The investigation revealed weak security settings were in place for failed login attempts and password expiration.

While the EMR data was not compromised, the intruder was able to access PHI such as test results, ultrasound images, and clinical and post-operative notes. Diamond’s investigation was unable to confirm how access to the network was gained.

Multiple HIPAA Violations Uncovered

The state investigation into the data breach revealed business associate agreements were not in place prior to sharing ePHI with three business associates: Infoaxis, BMedTech, and Igenomix, in violation of the HIPAA Rules. Diamond was also alleged to have violated the New Jersey Consumer Fraud Act (CFA), HIPAA Security Rule, and HIPAA Privacy Rule by removing administrative and technological safeguards protecting PHI and ePHI, which allowed unauthorized individuals to gain access to its systems and ePHI for around five and a half months.

The CFA violations included misrepresentation of HIPAA practices in its privacy and security policy, a failure to secure its network leading to a data breach, and unconscionable commercial practices.

The settlement agreement lists failures to comply with twenty-nine provisions of the HIPAA Privacy and Security Rules. Alleged violations include the failure to conduct a comprehensive risk assessment, failure to encrypt ePHI, failure to modify security measures to ensure reasonable protections for ePHI were maintained, failure to implement procedures for creating, changing, and modifying passwords, and a failure to verify the identity of individuals seeking access to ePHI.

Diamond disputes many of the claims made by the state but agreed to settle the case and pay a $495,000 financial penalty, which consists of $412,300 in civil penalties and $82,700 in investigation fees.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

In addition to the financial penalty, Diamond is required to implement additional measures to improve data security, including using encryption to prevent unauthorized access to ePHI, implementing a comprehensive information security program, appointing a new HIPAA officer, providing additional training to staff on security policies, developing a written incident response plan, improving logging, monitoring, access controls, and password management, and implementing a risk assessment program.

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The post New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty appeared first on HIPAA Journal.

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours

A new bill has been introduced that requires victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid.

The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States.

Between 2019 and 2020, ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year, and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the attack.

Chainalysis believes almost $350 million in cryptocurrency was paid to ransomware gangs globally in 2020, which is a year-over-year increase of 311%. Attacks have continued to increase in 2021. According to Check Point’s mid-year security report, in the first half of 2021, there were 93% more ransomware attacks than the corresponding period last year.

As the ransomware attack on Colonial Pipeline demonstrated, the gangs behind these attacks pose a significant national security threat. That attack resulted in the closure of a major fuel pipeline for around a week. The attack on JBS Foods threatened food production, and the huge number of attacks on the healthcare industry has affected the ability of healthcare providers to provide care to patients. This year, CISA said ransomware attacks delay care and affect patient outcomes, and there has already been a death in the United States which is alleged to have been due to a ransomware attack.

Ransomware attacks are continuing to increase because they are profitable and give ransomware gangs and their affiliates a good return on investment. There is also little risk of being caught and brought to justice. Unfortunately, investigations of ransomware gangs can be hampered by a lack of data, hence the introduction of the Ransom Disclosure Act.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them.”

While the FBI encourages the reporting of ransomware attacks to assist with its investigations, reporting attacks is not mandatory. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back.”

The Ransom Disclosure Act will require:

  • Ransomware victims (except individuals) to disclose any ransom payments within 48 hours of the date of payment, including the amount, currency used, and any information that has been gathered on the entity demanding the ransom.
  • The DHS will be required to publish information disclosed during the previous year about the ransoms paid, excluding identifying information about the entities who paid.
  • The DHS will be required to set up a website for individuals to voluntarily report ransom payments.
  • The Secretary of Homeland Security will be required to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated the attacks, and make recommendations for protecting information systems and strengthening cybersecurity.


Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach.

Elekta, a Swedish provider of radiation medical therapies and related equipment data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware.

Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients.

The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and others similarly affected by the ransomware attack. The lawsuit alleges the disclosure of protected health information was preventable, with the data breach occurring as a result of Elekta failing to implement sufficient cybersecurity policies and procedures. As a result, hackers were able to gain access to its platform and copy the sensitive data of patients.

The lawsuit alleges Elekta was negligent and failed to honor its duties to maintain adequate data security systems to reduce the risk of data breaches, adequately protect PHI on its systems, and properly monitor its data security systems for existing intrusions. It is also alleged that Elekta did not ensure agents, employees, and others with access to sensitive information employed reasonable security procedures.

The lawsuit claims Harrington and the class members have suffered damages and actual harm as a direct result of the cyberattack and they now face an increased risk of identity theft and fraud and must undertake additional security measures to protect themselves against harm.

The alleged harm suffered by Harrington and the class members includes imminent risk of future identity theft, lost time and money expended to mitigate the threat of identity theft, diminished value of personal information, and loss of privacy.

The lawsuit seeks damages, reimbursement of out-of-pocket expenses, legal costs, injunctive relief, and other and further relief as deemed appropriate by the courts.
