Legal News

Federal Judge Allows Blackbaud Consolidated Class Action Data Breach Lawsuit to Proceed

Plaintiffs in a class action lawsuit against Blackbaud sufficiently demonstrated they have standing, and the lawsuit has survived Blackbaud’s motion to dismiss.

Blackbaud is a publicly traded cloud software company with headquarters in Charleston, SC. Blackbaud provides data collection and maintenance solutions for administration, fundraising, marketing, and analytics to entities such as non-profit organizations, foundations, educational institutions, and healthcare organizations. In the course of providing its services, the company collects and stores personally identifiable information (PII) and Protected Health Information (PHI) from its customers’ donors, patients, students, and congregants.

From February 7, 2020 to May 20, 2020, cybercriminals gained access to Blackbaud’s systems, exfiltrated data, and then used ransomware to encrypt files on Blackbaud’s systems. A ransom demand was then issued by the attackers and the attackers claimed they would provide the keys to decrypt data on Blackbaud’s systems and permanently delete the data they had exfiltrated if the ransom was paid. Blackbaud decided to pay the ransom and received assurances that the stolen files had been deleted.

Following the attack, more than two dozen class action lawsuits were filed against Blackbaud. In December, the Judicial Panel on Multidistrict Litigation combined the lawsuits and, as of Thursday 1, 2021, there were 28 class action lawsuits combined in the Multidistrict Litigation with 34 named plaintiffs from 20 states. The plaintiffs assert six claims on behalf of a putative nationwide class and ninety-one statutory claims on behalf of putative state subclasses. The six types of injury the plaintiffs assert are identity theft or fraud, increased risk of identity theft in the future, time and money spent to mitigate the risk of harm, emotional distress, diminished value of data, and invasion of privacy.

The plaintiffs alleged the data breach was the result of Blackbaud’s “deficient security program” and that the company had failed to comply with industry and regulatory standards by neglecting to mitigate against the risk of unauthorized data access. The plaintiffs claimed Blackbaud was utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.

The plaintiffs also claimed that Blackbaud only conducted a narrow internal investigation following the data breach, did not address the full scope of the attack, and downplayed the attack and the extent of the data exposed. The plaintiffs claimed the Forensic Report “improperly concludes that no credit card data was exfiltrated” because “such data could have existed in the unexamined database files.”

They also claim that timely and adequate notice of the attack was not provided: the company waited until July 2020 to start issuing notifications, and some individuals affected by the breach were not notified by Blackbaud’s customers until January 2021.

On May 1, 2021, Blackbaud filed a motion to dismiss the lawsuit for lack of subject matter jurisdiction. The company argued that the plaintiffs lacked Article III standing as they neither facially nor factually established that their injuries are traceable to Blackbaud’s conduct; therefore, the court lacked subject matter jurisdiction. Blackbaud also challenged whether the plaintiffs’ allegations of harm constitute injury in fact, although that challenge was later dropped.

U.S. District Judge J. Michelle Childs in Columbia, SC said in her decision on July 1, 2021, that the factual challenge to standing would not be considered because it “involves facts that are intertwined with the merits of plaintiffs’ claims.”

The facial challenge to determine whether plaintiffs allege facts that plausibly confer jurisdiction was considered, with Judge Childs concluding the plaintiffs had sufficiently alleged Blackbaud was a “plausible source” of their personal information and that there was a “plausible connection” between the types of data they alleged were compromised and the injuries they had sustained, saying “it is premature to dismiss Plaintiffs’ claims on grounds of traceability at this stage.” Blackbaud’s motion to dismiss for lack of subject matter jurisdiction was denied.

The post Federal Judge Allows Blackbaud Consolidated Class Action Data Breach Lawsuit to Proceed appeared first on HIPAA Journal.

Healthcare Workers File Lawsuit Alleging Amazon Alexa Devices Violated HIPAA

A lawsuit has been filed against Amazon by four healthcare workers who allege their Amazon Alexa devices may have recorded conversations without their intent or consent and may have captured health information protected under HIPAA.

Amazon Alexa devices listen for words that wake up the devices and trigger them to start recording. Specifically, the devices listen for the word “Alexa,” and will then attempt to answer a question that is asked. However, the plaintiffs claim that there are other words and phrases that will awaken the devices and trigger them to start recording when this is not intended by the users of the devices.

The lawsuit cites a study conducted at Northeastern University which showed the devices wake up and record in response to statements such as “I care about,” “I messed up,” and “I got something.” The study also found that the devices wake up and record in response to the words “head coach,” “pickle”, and “I’m sorry.”

The plaintiffs allege “Amazon’s conduct in surreptitiously recording consumers has violated federal and state wiretapping, privacy, and consumer protection laws,” and state, “Despite Alexa’s built-in listening and recording functionalities, Amazon failed to disclose that it makes, stores, analyzes and uses recordings of these interactions at the time plaintiffs’ and putative class members’ purchased their Alexa devices.”

All four plaintiffs said they stopped using their devices altogether or purchased newer models that had a mute function out of concern that the devices may be recording sensitive information.

Amazon announced in 2019 that it would ensure that any transcripts would be deleted from Alexa servers when customers delete voice recordings. The following year Amazon said customers could opt out of human annotation of transcribed data, could configure the devices to automatically delete voice recordings older than 3 or 18 months, or could opt out entirely and not have their recordings saved at all.

The plaintiffs allege that by that time, Amazon analysts may have already listened to recordings that included protected health information. They also claimed that had Amazon informed them that the company permanently stored data or that its employees listened to recordings, they would not have purchased the devices.

Amazon said only a fraction of one percent of voice recordings are reviewed by its staff and that “Our annotation process does not associate voice recordings with any customer identifiable information.”


BJC HealthCare Email Data Breach Lawsuit Survives Motions to Dismiss

A class action lawsuit filed by two former patients against BJC HealthCare over a March 2020 email data breach has survived two motions to dismiss.

Leaha Sweet and Bradley Dean Taylor took legal action against St. Louis-based BJC HealthCare in September 2020 after being notified that their protected health information had potentially been compromised in a data breach.

BJC HealthCare had discovered the email accounts of three of its employees had been accessed by unauthorized individuals. The email accounts contained a range of sensitive patient data including Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, patient account numbers, and treatment and clinical information.

The lawsuit listed 10 counts against the defendants: unjust enrichment, breach of contract, negligence, negligence per se, breach of the covenant of good faith and fair dealing, invasion of privacy, vicarious liability, bailment, and violations of the Missouri Merchandising Practices Act (MMPA) and the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

The defendants – BJC HealthCare and BJC Collaborative, LLC – filed two separate motions to dismiss, arguing that the United States District Court for the Southern District of Illinois lacked personal jurisdiction over BJC HealthCare, that the plaintiffs failed to allege an injury sufficient to confer standing, that the complaint should be dismissed in its entirety for failure to state a claim, and that individual counts should be dismissed for failure to state a claim.

In a June 29, 2021 order, Chief Judge Nancy J. Rosenstengel dismissed the invasion of privacy claim, as Illinois law requires the party alleging an invasion of privacy to demonstrate that the act was intentional, and the plaintiffs were unable to show that was the case. The claim of bailment was also dismissed, as the plaintiffs did not allege that they had sought the return of their property (their protected health information) or that the health system had failed to return it.

The lawsuit will now proceed, and BJC HealthCare must face the remaining 8 counts.


Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019.

The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers.

Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised. The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed.

Providers were also affected by the breach and had names, dates of birth, Social Security numbers, and/or taxpayer identification numbers exposed. Dominion National did not find evidence that the individuals behind the cyberattack had acquired or misused the data of members. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 2 years.

Shortly after announcing the data breach and issuing notification letters to affected individuals, a class action lawsuit – Abubaker v. Dominion Dental USA, Inc. et al. – was filed in the United States District Court, Eastern District of Virginia against Dominion National (Dominion Dental USA, Inc., Dominion Dental Services USA, Inc., Dominion National Insurance Company, Dominion Dental Services of New Jersey, Inc., and Dominion Dental Services, Inc.) and Avalon Insurance Company, Capital Advantage Insurance, Capital BlueCross, and Providence Health Plan.

The plaintiffs alleged the defendants were negligent for failing to adequately protect servers and databases and for not detecting the presence of the hackers in systems for 9 years. As a result of those failures, individuals have been placed at a significant risk of identity theft and fraud.

Under the terms of the proposed settlement, class members will be entitled to submit a claim for losses and out-of-pocket expenses incurred in relation to the data breach. Claims can be submitted for ordinary losses up to $300 to cover out-of-pocket expenses and fees for credit reports and credit monitoring between August 14, 2019, and July 19, 2021. Up to $100 can also be claimed for time lost responding to the security incident.

Dominion National will also be accepting claims for extraordinary losses up to $7,500 per person for actual, documented, and unreimbursed monetary losses that are fairly and reasonably traceable to the data breach.

A cap of $2 million has been placed on claims for ordinary and extraordinary losses. If the claims total exceeds $2 million, claims will be paid pro rata. The exclusion deadline is October 2, 2021, the objection deadline is October 2, 2021, and the deadline for submitting claims is January 15, 2022. A fairness hearing has been scheduled for November 19, 2021.

Dominion National will also be covering the costs of settlement administration, court-approved attorneys’ fees and expenses, and service awards for named plaintiffs. Additional security measures have also been implemented to improve security, which have cost Dominion National approximately $2,679,500.


No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action under the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th Amendment when an individual’s privacy is violated.

The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor.

In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the 14th Amendment. The district court dismissed Payne’s claims, but the decision was appealed.

The Court of Appeals for the Fourth Circuit affirmed the decision of the district court and confirmed there was no private cause of action under HIPAA. The court also affirmed the decision of the district court to dismiss the claim of a violation of the 14th Amendment.

In the decision, the Court of Appeals said the violation of the 14th Amendment hinged on whether Payne had “a reasonable expectation of privacy” with regards to information about his HIV medications. Since Payne was a Deep Meadow Correctional Center prisoner, the court ruled that Payne lacked a reasonable expectation of privacy concerning his diagnosis and treatment plan, especially since the information was about a communicable disease.

The court ruled that the test in such cases is whether there is a compelling government interest that outweighs the plaintiff’s privacy interest. The ruling suggests there may be a cause of action under the 14th Amendment where there has been a disclosure of private medical information and no compelling government interest.


Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail.

The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered.

A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer abused his access rights to view medical records when there was no need to do so to fulfil his role as a doctor and hospital employee. Alsughayer’s legal team filed a motion to dismiss the case on June 1, 2021 “on the grounds that there does not exist probable cause to believe the defendant committed the offense(s) charged therein.”

Allegations had previously been made against Alsughayer in three lawsuits, the latest of which was filed against Alsughayer and Mayo Clinic on May 29, 2021. In December 2020, a female patient, named as K.M.M. in the lawsuit, contacted Rochester police after receiving a breach notification letter from Mayo Clinic.

She had learned that her medical records had been accessed by a hospital worker, which included nude images that were taken on three separate occasions. After requesting to view her medical records, the woman discovered the dates of inappropriate access coincided with the dates that the images were taken. She alleged the hospital employee referred to in the breach notification letter had accessed her medical records specifically to view her nude images.

According to the lawsuit, the doctor “was at an off-campus, private location” when her medical records were accessed and “Alsughayer did not need photographic images of plaintiff’s breasts and genitals to do his job.” A court hearing has been scheduled in August.

In addition to that lawsuit, two class action lawsuits had already been filed in Olmsted County Court in connection with the breach. Amanda Bloxton-Kippola (MI) and Chelsea Turner (MN) are named as the plaintiffs in one of those lawsuits against Alsughayer and Mayo Clinic, with the second lawsuit naming Olga Ryabchuk (MN) as the plaintiff and John Doe and Mayo Clinic as defendants. One of the lawsuits alleges that the medical records accessed included nude photographs taken by Mayo Clinic as part of the healthcare services provided. Both lawsuits have been scheduled for trial next year.


Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend.

Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties.

Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Between April and October 2017, Bacor used her login credentials on multiple occasions to access his medical records dating from October 2013 to September 2017, when there was no legitimate work reason for doing so.

Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed.

Bacor took a photograph of a medical image that showed injuries sustained by her ex-boyfriend and sent the photo to a third party. The third party subsequently sent the image to other individuals via Facebook Messenger, including taunting language and emojis with the image. Bacor was also found to have stated in social media chats with another person that she was attempting to get primary custody of the two children she had with her ex-boyfriend.

After learning about the privacy breach, the ex-boyfriend filed a complaint with the hospital on October 4, 2017 alleging Bacor had accessed his medical records without authorization and provided the photo to the hospital. The hospital conducted an investigation into the privacy breach and confirmed Bacor had accessed his medical records on 10 occasions. Bacor was initially suspended, then fired for the HIPAA violation.

In August 2020, Bacor admitted to law enforcement officers that she had violated federal privacy laws in an attempt to protect her children. Bacor entered into a plea arrangement and pleaded guilty to one count of wrongfully obtaining individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams said Bacor had “weaponized” her ex-boyfriend’s private medical information by sending it to others and sentenced her to 5 months’ probation and fined her $1,000. Bacor has also been prohibited from working in any job that requires her to have access to the private medical records of others.


Scripps Health Facing Multiple Class Action Lawsuits over Ransomware Attack

San Diego-based Scripps Health is facing multiple class action lawsuits over an April 29, 2021 ransomware attack that affected 147,267 individuals. The attack forced the 5-hospital healthcare system to take systems offline while the attack was remediated, including its patient portal. While care continued to be provided, some patients were diverted to other facilities as a precaution.

The investigation into the breach confirmed that prior to the deployment of ransomware the attacker exfiltrated documents that contained patients’ protected health information. Information compromised in the attack included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, dates of service, and/or treatment information.

A lawsuit was filed on June 1 in the San Diego County Superior Court that named Kenneth Garcia as plaintiff. The lawsuit, which seeks class action status, alleges Scripps Health was negligent for failing to prevent the theft of protected health information, which was stored on Scripps Health systems in unencrypted form. The lawsuit alleges the plaintiff suffered damages from the unauthorized release of his individually identifiable medical information. In addition to monetary damages, the lawsuit demands that Scripps Health implement appropriate security protocols to protect patient data in the future.

A second lawsuit was filed on June 7 in the San Diego County Superior Court that names Johnny Corning as plaintiff. The lawsuit also seeks class action status and alleges Scripps Health was negligent for failing to take appropriate steps to keep patients’ protected health information secure. The lawsuit alleges Scripps Health should have been aware of the risk of an attack given the number of reported attacks over the past 2 years. Scripps Health should also have been aware of the high risk of an attack as the Federal Bureau of Investigation had issued alerts warning of ongoing ransomware attacks on hospitals.

In order for lawsuits of this nature to succeed, it is necessary to establish that harm has been suffered. Corning alleges harm was caused as a result of him being unable to access the MyScripps portal, which contained important information related to his treatment. He alleges he suffered anxiety restarting his medical services and online medical classes and spent a considerable amount of time verifying the legitimacy of the security breach, monitoring his medical records for identity theft, and checking his financial accounts for misuse of his data. Both lawsuits allege financial losses were suffered and that the plaintiffs face an elevated risk of identity theft and fraud. The lawsuits seek monetary damages of at least $1,000 per victim, with the Corning lawsuit seeking actual damages of up to $3,000 per victim, along with reimbursement for legal costs.

A further two class action lawsuits were filed in federal court on June 21, one naming patients Michael Rubenstein and Richard Machado as plaintiffs and the other naming Kate Rasmuzzen as plaintiff. Michael Rubenstein alleges his health suffered as a result of not being able to access the patient portal. Without access to the portal, he said he had to visit a Scripps Health hematology clinic and beg a nurse to provide him with his lab orders, and he was unable to determine whether the timing of the doses of his medication was correct. Richard Machado claimed that highly sensitive information about a very personal surgery was exposed, which has caused him great concern. Like the lawsuits naming Corning and Garcia as plaintiffs, the Rasmuzzen lawsuit is focused on the costs incurred as a result of the attack and the potential for misuse of personal data.

The lawsuits vary in terms of specificity, although they make the same basic claim: that Scripps Health was negligent for failing to prevent the attack and stop the theft of sensitive information, and that it is liable for the invasion of privacy. While evidence of harm must be provided in all four lawsuits for standing, the bar is set lower in California state court than in federal court.

While the data breach affected 147,267 individuals, Scripps Health said fewer than 3,700 individuals had either their Social Security number or driver’s license number compromised, and that highly sensitive information contained in electronic medical records was not compromised. Individuals whose Social Security number or driver’s license number was compromised have been offered complimentary credit monitoring services for 12 months.


Colorado Privacy Act Passed and Signed into Law

Colorado has joined California and Virginia in passing a comprehensive data privacy law to protect state residents. It has taken several amendments to get the Colorado Privacy Act over the line, but the Act was finally passed unanimously by the state Senate on June 8, 2021. On July 7, 2021, Colorado Governor Jared Polis signed the bill, which will now take effect on July 1, 2023.

The Colorado Privacy Act applies to all data controllers that conduct business in Colorado and that either control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers.

Exceptions include protected health information collected, processed, or stored by HIPAA-covered entities and their business associates; any personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA); data regulated by the Children’s Online Privacy Protection Act of 1998 (COPPA); and individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

The Colorado Privacy Act gives Colorado resident consumers five rights over their personal data.

  • The right to opt out of the processing of personal data for targeted advertising purposes, the sale of their personal data, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.
  • The right to access their personal data held by a data controller.
  • The right to make corrections to their personal data if inaccuracies are identified.
  • The right to have their personal data deleted.
  • The right to have their data provided in a portable and ready to use format.

All entities covered by the Colorado Privacy Act have responsibilities with respect to the data they collect and process.

  • Transparency – Consumers must be notified about the reason for the collection and processing of personal data. If personal data is sold or used for targeted advertising, consumers must be informed. Data controllers must not require consumers to create a new account to exercise one of their rights, nor increase the cost or decrease availability based on the exercising of a consumer right.
  • Purpose of collection – Consumers must be informed about the specific purposes for which personal data is being collected and processed.
  • Data minimization – The personal data collected and processed must be limited to what is reasonably necessary to achieve the purpose for data collection and processing.
  • Secondary data uses – Secondary data uses must be avoided if they are not compatible with the purpose for data collection and the consent provided by consumers.
  • Data security – Data controllers must ensure personal data is secured to prevent unauthorized access.
  • Unlawful discrimination – Data collected and processed must not violate federal anti-discrimination laws.
  • Sensitive data – Sensitive data such as information related to ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship status, genetic/biometric data, and the personal data of minors – can only be collected and processed if consumers provide their consent through an opt-in process.
  • Contracts with processors – A data controller is required to enter into a contract with a data processor, with the contract stating the processor’s responsibilities under the Colorado Privacy Act.
  • Data protection assessments – A data protection assessment must be conducted prior to any processing activities that have a heightened risk of harm to consumers.

The Colorado Privacy Act is due to take effect on July 1, 2023. One year after the effective date on July 1, 2024, data controllers are required to allow consumers to opt out of the processing of their personal data for targeted advertising or the sale of their data, via a user-selected universal opt-out mechanism.

If any of the provisions of the Colorado Privacy Act are violated, the violation will be considered a deceptive trade practice. Only the state Attorney General and district attorneys are permitted to take action against entities for violations.
