The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual.

Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery –   and multiple outpatient and primary care clinics throughout the greater Philadelphia area.

The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information.

Patients affected by the breach were notified by mail starting October 9, 2020 while the incident was still being investigated, then further notifications were sent to patients between January 21 and February 8, 2021 when it became clear that more individuals had been affected.

Following the breach, the health system implemented additional security measures to prevent further breaches and retrained the workforce on how to identify suspicious emails. Individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed by law firm Morgan & Morgan with Einstein Healthcare patient Nanette Katz of Blue Bell, PA named as lead plaintiff.  The lawsuit alleges Einstein Healthcare failed to secure and safeguard the protected health information of patients and had not implemented or followed basic security procedures. As a result of that negligence, the lawsuit alleges sensitive patient information is now in the hands of cybercriminals and patients now face a substantial risk of identity theft. As a result of the breach, patients have had to spend, and will continue to have to spend, a significant amount of time and money protecting themselves against identity theft and fraud.

The lawsuit also alleges the healthcare provider failed to provide timely notifications to patients, with the lead plaintiff first receiving notification about the breach in January 2021, more than 6 months after the breach and alleged theft of her PHI. The lawsuit says the breach response was “untimely and woefully deficient, failing to provide basic details concerning the data breach.”

The lawsuit seeks monetary damages for the patient and class members, requests the courts order the health system to fully disclose details of the nature and extent of data compromised, and requires the health system to implement reasonably sufficient safeguards to prevent further data breaches in the future.

It is now relatively common for patients affected by data breaches to take legal action when their personal and protected health information is exposed or stolen; however, for these cases to succeed, victims of the data breach generally need to provide evidence that they have suffered harm. Many lawsuits are dismissed as the claims are deemed too speculative.

The nature of the harm and injuries suffered must also be sufficient to warrant damages. A recent lawsuit filed by a victim of an Envision Healthcare data breach – Pruchnicki v. Envision Healthcare Corp.- has recently been dismissed by the U.S. Court of Appeals for the Ninth Circuit.

In that case, the alleged harm and injuries were for time spent dealing with the breach, stress, nuisance, and annoyance from dealing with the aftereffects of the breach, worry, anxiety, and hesitation when applying for new credit cards, imminent and impending injury of potential fraud and identity theft, and diminution in value of the plaintiffs personal and financial information. The allegations of harm were sufficient for the District Court for standing purposes but were insufficient for compensable damages to be awarded.

The post Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack appeared first on HIPAA Journal.

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil momentary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients.

The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility Simi Valley for storing physical patient records; however, when payments stopped being to the storage facility, the hospital lost access to the storage unit and the contents were put up for sale at a public auction in October 2018.

The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured.

Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit had been made public or further disclosed. To prevent similar incidents from occurring in the future, Adventist Health reviewed and updated its policies and procedures to ensure that physical patient records were properly safeguarded and were disposed of securely when the paperwork was no longer required.

The breach was investigated by the Consumer and Environmental Protection Unit of the Ventura County District Attorney’s Office, which determined Adventist Health had violated California Unfair Competition Law as the healthcare provider had failed to protect patient privacy, had not reasonably maintained and safeguarded medical data, and had failed to correctly dispose of confidential information.

The post Adventist Health Physicians Network Fined $40,000 for Privacy Breach appeared first on HIPAA Journal.

Roper St Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients.

Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information.

This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September, one of which was a phishing attack that affected 6,000 individuals and the other was a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2010 as affecting 35,253 individuals.

According to the lawsuit, “At all relevant times, Roper knew the data it stored was vulnerable to cyberattack based upon these repeated and ongoing data breaches.”

The lawsuit, which was filed by The Richter Firm, The Solomon Law Group, Slotchiver & Slotchiver, LLC and Brent Souther Halversen, LLC, seeks economic and non-economic damages for the plaintiff and class members, compensatory, consequential, and actual damages, statutory and injunctive relief, punitive damages, and reimbursement for interest, costs, and reasonable attorneys’ fees.

“We merely seek to hold Roper accountable for its continued negligent actions in allowing these preventable data breaches from happening and to compensate current and former patients for the harm inflicted,” said Attorney Brent Halversen. “We seek to provide all patients whose private data was compromised credit monitoring services as partial compensation for the harm each has suffered, not just the hand full that Roper thinks are the worst cases.”

The post Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach appeared first on HIPAA Journal.

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims.

Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing.

In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined.

Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, not directed by medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank, pre-signed prescriptions for controlled substances and providing the drugs without any involvement from physicians.

Two coconspirators – Dr. Mark Gibbs and Dr. Laila Hirjee – were paid $150 for each false order they signed and would regularly certify that hospice patients had terminal illnesses with a life expectancy of 6 months or less, without having conducted any examinations. Dr. Gibbs, Dr. Hirjee, and a third physician, Dr. Charles Leach, provided blank prescriptions for controlled substances which allowed Harris to prescribe schedule II-controlled substances to Medicare and Medicaid beneficiaries in the hospice without guidance from a medical professional.

Harris also violated the Health Insurance Portability and Accountability Act (HIPAA) Rules when he accessed the medical records of patients to identify individuals who could be contacted and offered Novus hospice services. In the summer of 2014, Harris negotiated an agreement with Express Medical which allowed him to access the medical records of potential patients in return for using the company for lab services and home health visits. Previous patients of Express Medical were then contacted by Harris’s wife and other hospice staff to recruit them, regardless of whether they were actually eligible for hospice services. This allowed Harris to recruit new hospice patients to avoid exceeding Medicare’s aggregate hospice cap.

The HHS’ Centers for Medicare and Medicaid Services received multiple reports of potential fraud and suspended Novus; however, Harris then transferred patients from Novus to a new hospice company, which then transferred reimbursements for hospice services back to Novus. Dr. Gibbs was registered as the medical director of the new hospice company.

Harris is scheduled to be sentenced on August 3, 2021 and faces up to 14 years in jail. The trial of Dr. Gibbs, Dr. Hirjee and two other coconspirators is scheduled for April 5, 2021. 10 codefendants have already pleaded guilty and are awaiting sentencing for their roles in the scam. Dr. Charles Leach previously pleaded guilty to one count of conspiracy to commit healthcare fraud in 2018, for his role in the $60 million fraud case. According to court documents, the blank prescriptions Dr. Leach signed were used to obtain controlled substances, high doses of which were then administered to patients by nurses to hasten their deaths.

“The Justice Department cannot allow unscrupulous business people to interfere with the practice of medicine. We are determined to root out healthcare fraud,” said Acting U.S. Attorney Prerak Shah. “We will continue to work tirelessly with our state and federal partners to hold those who commit health care fraud accountable and seek justice for patients that are harmed in furtherance of fraud schemes,” said FBI Dallas Special Agent in Charge Matthew DeSarno.

The post Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access appeared first on HIPAA Journal.