Legal News

Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

A medical malpractice lawsuit has been filed against an Alabama hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack.

Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems, patient information was recorded on paper charts.

Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.”

During the system downtime, Teiranni Kidd arrived at the hospital to have her baby delivered. Her baby was born on July 17, 2019 but tragically the umbilical cord had become wrapped around the baby’s neck resulting in severe brain damage. Following the birth, Kidd’s daughter Nicko was transferred to a neonatal intensive care unit. Due to the brain damage, Nicko required frequent oxygen supplementation, had to be fed through a gastrointestinal tube, and needed around the clock medical care. Nicko died 9 months later on April 16, 2020.

In January 2020, a lawsuit was filed in the Circuit Court of Mobile County, AL on behalf of Teiranni Kidd, as mother and next friend of Nicko Silar. The lawsuit alleges the hospital failed to inform the plaintiff about the cyberattack and outage, and had the hospital done so, she would have chosen a different hospital for labor and delivery.

The lawsuit alleges physicians and nurses at Springhill Medical Center failed to conduct multiple tests prior to the birth which would have revealed the umbilical cord had wrapped around the baby’s neck and that those tests were not conducted due to the distraction caused by the ransomware attack.

The lawsuit alleges a wireless tracker used to locate medical staff was out of order, patient health records were inaccessible, and electronic systems that provided fetal tracing information were also not working. The lawsuit alleges patient information was not available at the nurses’ station and the only fetal monitoring information was a paper record at the patient’s bedside in the labor and delivery room.

“As a result, the number of healthcare providers who would normally monitor [the plaintiff’s] labor and delivery were substantially reduced and important safety-critical layers of redundancy were eliminated,” according to the lawsuit, which claims medical malpractice and wrongful death.

“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” according to the lawsuit.

The lawsuit alleges that as a proximate consequence of the non-disclosure of the attack and outage, the baby suffered “personal injuries and general damages, including permanent injury from which she died.” The hospital has denied any wrongdoing.

Following a ransomware attack, hospitals continue to provide medical services to patients in their care, follow their emergency protocols, and switch to recording patient information on paper charts and conducting normally automated processes manually. It is common for emergency patients to be redirected to alternative facilities as a precaution while systems are restored and access to medical records is regained.

This is the first case where a ransomware attack is alleged to have resulted in a patient death, although it is not the only attack where patient safety has been put at risk. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report on healthcare ransomware attacks during the pandemic and confirmed the impact they have had on patient care and outcomes. “Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” explained CISA in the report.

Also, a recent survey of IT and IT security professionals at healthcare delivery organizations in the United States conducted by the Ponemon Institute on behalf of cybersecurity risk management firm Censinet revealed respondents believed ransomware attacks resulted in an increase in the length of patient stays in hospital, delays in testing, and an increase in medical complications. 22% of respondents believed there was an increase in patient mortality after a ransomware attack.

The post Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death appeared first on HIPAA Journal.

Healthcare Workers in Minnesota File Lawsuit Against Employers to Block Vaccine Mandate

A lawsuit has been filed in U.S. District Court in Minnesota on behalf of 180 healthcare workers over the COVID-19 vaccine mandates of their employers. The plaintiffs, who have not been named in the lawsuit, claim vaccine mandates are a violation of religious freedom and state and federal laws. The lawsuit is one of several that challenge the legality of such mandates.

Vaccines remain the most effective way to prevent the spread of COVID-19, stop individuals becoming seriously ill, and reduce the number of hospitalizations from the illness. The vaccines are safe and are backed up by data showing they are highly effective at preventing serious illness. The majority of individuals who are hospitalized and/or die from COVID-19 are unvaccinated.

Many employers have opted to implement vaccine mandates and President Biden has announced a vaccine mandate covering 17 million healthcare workers at facilities that receive Medicare and Medicaid funding. Most hospitals have reported high levels of vaccination, with Mayo Clinic saying 98% of its physicians have been vaccinated, as have 87% of all of its workforce.

The Minnesota lawsuit names almost two dozen healthcare institutions including Mayo Clinic and University of Minnesota Physicians as defendants, as well as several federal health officials. The lawsuit alleges “Plaintiffs’ employers are placing a substantial burden on their employees not to practice their religious-based objection to the COVID-19 vaccination or live under the threat of having their religious exemption withdrawn at any time.” The lawsuit also alleges healthcare providers are forcing workers to get vaccinated to improve their vaccination numbers to get more federal subsidies.

In addition to individuals with religious objections to the COVID-19 vaccine, plaintiffs also include workers who are pregnant, young workers who are unsure whether the risks from vaccination are worse than the risks from contracting COVID-19, as well as individuals who have already had COVID-19. The lawsuit seeks a rapid injunction from a judge ahead of the fast-approaching vaccination deadline.

Also this month, a lawsuit was filed against the Henry Ford Health System in Detroit over its vaccine mandate. Approximately 50 employees – which include doctors, nurses, and other employees – claim the vaccine mandate is unconstitutional and an infringement on an individual’s bodily autonomy. The lawsuit alleges workers have been given the choice of exposing themselves to a potentially harmful vaccine or giving up on their careers in healthcare. A temporary restraining order was also filed against Henry Ford Health System attempting to bar the hospital system from implementing its mandate pending the outcome of the lawsuit.

Employers that have implemented a vaccine mandate have made vaccination a condition of employment and will fire workers who are not vaccinated unless there is a medical exemption. Many hospitals and other healthcare facilities are facing the prospect of staff shortages as the deadline for vaccination approaches. Workers at Henry Ford Health System who refused vaccination were required to be vaccinated by September 10 to avoid suspension and have until October 1 to be vaccinated to avoid termination.


Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients.

On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information.

HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual notifications to patients on September 9, 2021. Patients have been offered complimentary credit monitoring and identity theft protection services for 12 months and coverage under a $1 million identity theft insurance policy.

A lawsuit was filed against San Diego Health on behalf of patient Denise Menezes on September 20 alleging negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of confidence, and violations of the California Consumer Privacy Act, the California Confidentiality of Medical Information Act, and California Unfair Competition Law.

The lawsuit alleges San Diego Health failed to comply with its obligations to protect patient data as required by the HIPAA Security Rule. It is alleged that appropriate, industry-standard cybersecurity measures such as spam filtering including SPF and DMARC were not implemented to prevent hackers from gaining access to email accounts where patients’ protected health information was stored. It is also alleged that sufficient security awareness training had not been provided to employees to help them identify and avoid phishing attempts. Additionally, the lawsuit alleges negligence for failing to detect the breach for 4 months and for failing to notify affected individuals within a reasonable amount of time.

A second lawsuit, which also seeks class action status, was filed on behalf of patient Richard Hartley on September 22. The lawsuit also alleges negligence for the same failures, and also states that a potential data breach was detected by San Diego Health on March 12, but it took until April 8 to expel the unauthorized individuals from its email environment.

The lawsuit alleges negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and violations of the California Consumer Privacy Act and California Confidentiality of Medical Information Act.

The plaintiff claims to have suffered actual injury as a result of the breach. Alleged injuries include anxiety caused by the theft of his personal information and paying monies to San Diego Health for goods and services that required a disclosure of PHI which would not have been made if he was aware inadequate security measures were in place to protect that information. The plaintiff also alleges damages to and diminution of the value of sensitive information, loss of privacy, impending and imminent injury due to identity theft, and the time and expense of mitigating the effects of the breach.

The lawsuits seek unspecified damages for the plaintiffs and all other class members whose personal and medical information may have been compromised in the attack, a jury trial, and an injunction compelling San Diego Health to enhance cybersecurity to prevent similar breaches in the future.


Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance

Healthcare organizations that are required to comply with the California Consumer Privacy Act (CCPA) are facing challenges achieving compliance, according to a new study published in Health Policy and Technology (DOI: 10.1016/j.hlpt.2021.100543).

The CCPA was signed into law on June 28, 2018 and took effect on January 1, 2020. The aim of the CCPA was to give California residents greater control over their personal data and how their information can be used.

The CCPA gave California residents the right to be informed about their personal data that will be collected, whether their data may be sold or disclosed, to whom disclosures may be made, and to opt out of the sale of their personal data. They were also given the right to view the personal data held by a company covered by the CCPA, to request their personal data be deleted, and not to be discriminated against for exercising their rights under the CCPA.

The researchers conducted the study to explore any potential challenges associated with CCPA compliance for healthcare organizations, which involved interviews with 19 digital privacy and information system experts. The researchers found there to be perceived legal and technological challenges for healthcare organizations trying to comply with the CCPA.

The CCPA is mostly concerned with the use of individuals’ personal data by large consumer-facing technology companies, but the CCPA has had a significant impact on healthcare organizations. HIPAA-eligible information is exempt from the CCPA, but the researchers explained that there are some types of data which are collected by HIPAA regulated entities that potentially fall within the jurisdiction of the CCPA. For those types of data there is regulatory ambiguity, which could result in legal issues for healthcare organizations that do business with California residents.

“A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern,” explained the researchers. “Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance.”

There is confusion due to the CCPA’s broad definition of business and consumer companies that collect user data and deploy cookies, and the interplay between HIPAA and the CCPA creates some unintentional hurdles when it comes to compliance. One of the key issues covers healthcare data collected by healthcare organizations that is not classed as protected health information and is therefore not subject to the HIPAA Rules. In such cases, healthcare organizations may need to comply with the requirements of the CCPA.

“From an implementation perspective, our study finds that the more visible components of CCPA compliance, such as building a website or setting up a helpline service for consumers to raise data access requests, are easy to accomplish,” wrote the researchers. “However, the task of ensuring an accurate inventory of all the consumer data collected and stored within the organization will be a challenging endeavor.”

A considerable amount of additional data is also now being captured and collected due to the COVID-19 pandemic, and the speed at which systems had to be developed to record, store, and share that information for contact tracing and COVID-19 testing meant there was little time to ensure adequate privacy safeguards were implemented. For healthcare organizations, it is unclear in many cases whether these types of data fall under the CCPA.

The advice of the researchers for healthcare organizations doing business in California is to ensure they develop compliance plans proactively. If discovered not to be compliant they could be forced to make last-minute implementations to avoid financial penalties and could face expensive litigation.


Class Action Lawsuit Filed Against St. Joseph’s/Candler over Ransomware Attack Affecting 1.4 Million Patients

A class action lawsuit has been filed against St. Joseph’s/Candler Hospital Health System in response to a ransomware attack that occurred on June 17, 2021.

The attack resulted in the encryption of files and forced the hospital’s IT systems offline. The systems accessed by the hackers contained the protected health information of 1.4 million patients, including names, Social Security numbers, driver license numbers, health insurance information, healthcare data, and financial information. St. Joseph’s/Candler offered affected patients a one-year membership to the Experian IdentityWorks credit monitoring and identity theft protection service.

The investigation into the ransomware attack confirmed the hackers first accessed its network on December 18, 2020, 6 months prior to the ransomware being deployed. During that time the hackers had access to patient data stored on its systems.

Georgia resident Daniel Elliott was one of the patients whose PHI was compromised in the attack. On August 28, 2021, the personal injury firm Harris Lowry Manton LLP filed a class action lawsuit against St. Joseph’s/Candler naming Elliott as lead plaintiff. The lawsuit seeks damages for him and the 1.4 million other individuals affected by the ransomware attack.

St. Joseph’s/Candler, which operates Savannah Hospital in Georgia, is the largest health system in the region. The lawsuit alleges St. Joseph’s/Candler was negligent for failing to adequately secure patient data and for not taking sufficient steps to prevent ransomware attacks.

Specifically, the lawsuit states St. Joseph’s/Candler failed to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems” to protect sensitive patient data. The alleged failures resulted in the exposure and potential theft of patient data, which has put affected patients at an increased risk of suffering identity theft and medical identity theft. Patients have had to expend money to protect their identities, must continue to do so in the future, and must monitor their financial accounts, health insurance accounts, and credit files as a consequence of the data breach.

Elliott and members of the class action lawsuit seek a jury trial, unspecified monetary relief for punitive damages, reimbursement of expenses, restitution and disgorgement, and legal fees.

The lawsuit is one of several to be recently filed against healthcare providers that have suffered ransomware attacks. A class action lawsuit was recently filed against Attleboro, MA-based Sturdy Memorial Hospital over a February 2021 ransomware attack in which the PHI of 35,271 patients was potentially compromised. In that attack, the hospital paid the ransom to recover the encrypted data and prevent it being published or sold. 2 years of credit monitoring services were offered to affected patients, but the lawsuit seeks extended cover as well as unspecified damages and attorneys’ fees.

Two individuals affected by the recently disclosed ransomware attack on DuPage Medical Group have also filed a lawsuit that seeks class action status and unspecified damages. The ransomware attack occurred in mid-July and the systems compromised in the attack contained the protected health information of 655,384 individuals.


Patients Sue DuPage Medical Group over July 2021 Ransomware Attack

Two DuPage Medical Group patients are taking legal action against the healthcare provider following a July 2021 ransomware attack in which patients’ protected health information was exposed.

DuPage Medical Group suffered the ransomware attack in mid-July. The forensic investigation determined unauthorized individuals had gained access to its computer network between July 12 and July 13, and deployed ransomware in an attempt to extort money. The attack caused a major computer and phone outage that lasted around a week.

On August 17, the forensic investigators confirmed hackers had gained access to parts of the computer network that contained the protected health information of 655,384 patients, and potentially viewed or obtained patient names, addresses, dates of birth, diagnosis codes, medical procedure codes, and treatment dates. Some Social Security numbers may also have been compromised.

Notification letters started to be sent to affected patients in late August. At the time of issuing notifications, DuPage Medical Group said it was unaware of any actual or attempted misuse of patient data, although the possibility could not be ruled out. Free credit monitoring and identity theft protection services have been offered to affected patients.

The lawsuit was filed in DuPage County Circuit Court on behalf of Rochelle Hestrup and Erin Peiss on September 1, 2021, just a few days after the healthcare provider mailed notification letters to patients. The lawsuit alleges DuPage Medical Group was negligent for not implementing appropriate defenses to protect against ransomware attacks and that it failed to monitor its computer network and systems containing patient information. The lawsuit also alleges DuPage Medical Group did not notify patients quickly enough, even though notification letters were mailed well inside the 60-day deadline of the HIPAA Breach Notification Rule.

The lawsuit alleges, “As a direct result of the data breach, plaintiffs and class members have been exposed to a heightened and imminent risk of fraud and identity theft.” The lawsuit seeks class action status and the plaintiffs are seeking damages, reimbursement of out-of-pocket expenses, and a requirement that DuPage Medical Group make improvements to its security systems to better protect sensitive patient data.

“We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises,” said DuPage Medical Group in a statement to the Chicago Tribune.


OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.

When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.

CHMC received the parent’s request and provided her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”


California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches, but healthcare organizations are also required to comply with state data breach notification laws.

Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified.

Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health information of California residents has likely been compromised in the attack.

California Attorney General Rob Bonta has recently issued a bulletin reminding all entities that house the confidential health-related information of California residents of their data breach reporting responsibilities under California law (Civil Code section 1798.82). Whenever there has been a breach of the health data of 500 or more California residents, a breach report must be submitted to the Office of the Attorney General. The California DOJ then publishes the breach notice on its website to ensure the public is made aware of the breach to allow victims to take appropriate action to protect themselves against identity theft and fraud. Individual notifications must also be issued to affected individuals.

“Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data,” said Attorney General Bonta. “Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for ransomware attacks and to meet their health data breach notification obligations to protect the public.”

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient data against ransomware attacks.

“State and federal health data privacy frameworks, like the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), obligate healthcare entities and organizations that deal in health data to establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that can help prevent the introduction of malware, including ransomware, to protect consumers’ healthcare-related information from unauthorized use and disclosure,” explained AG Bonta.

Healthcare organizations are encouraged to take the following proactive steps:

  • Keep operating systems and software housing health data current
  • Apply security patches promptly
  • Install and maintain antivirus software
  • Provide regular data security training to employees, including education about phishing attacks
  • Restrict users from downloading, installing, and running unapproved software
  • Maintain and regularly test the data backup and recovery plan for all critical information 


30 Month Jail Term for Texas Woman Who Stole and Sold Patients’ PHI

The U.S. Department of Justice has announced a Texas woman has been sentenced by a federal court in the Eastern District of Texas to serve 30 months in federal prison for conspiring to obtain protected health information from a protected computer.

Amanda Lowry, 40, of Sherman, TX, was a member of a fraud ring that used stolen protected health information to create fraudulent physician orders. The proceeds from the sale of the data were used to purchase a range of luxury items.

Lowry, along with co-conspirators Demetrius Cervantes and Lydia Henslee, was named in a federal indictment on Sept. 11, 2019. The three defendants were charged with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification. Lowry pleaded guilty to the charges on December 4, 2020.

According to court documents, the defendants are alleged to have accessed a healthcare provider’s electronic health record system to steal the personal and protected health information of patients. The stolen data were repackaged as false and fraudulent physician orders, which were then sold to durable medical equipment providers and contractors. The proceeds from the sale of the data were used to purchase items such as off-road vehicles, jet skis, and sport utility vehicles. The defendants were paid around $1.4 million from the sale of the data.

Demetrius Cervantes of McKinney, TX, was sentenced to serve 48 months in jail on July 8, 2021 for his role in the fraud ring after pleading guilty to the charges. Henslee also pleaded guilty to the charges on March 25, 2021 and is awaiting sentencing. Henslee was also named in a separate indictment along with three men from Florida, who have been charged with conspiracy to commit illegal remunerations.

“Today’s sentence is another example of the Eastern District’s commitment to vigorously defending protected health information and prosecuting those who exploit such information for their personal gain,” said Acting U.S. Attorney Nicholas J. Ganjei.  “The defendant’s actions not only compromised victims’ sensitive information, exposing them to fraudulent schemes; but, also ultimately resulted in unnecessary costs to federal healthcare programs.”
