Legal News

21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals.

21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016.

The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in December 2017 with no admission of liability and agreed to pay a $2.3 million penalty.

The class action lawsuit sought compensation for breach victims who suffered losses as a result of the breach, including reimbursement of out-of-pocket expenses, time spent attempting to remedy issues, and losses to identity theft and fraud.

Under the terms of the proposed settlement, all victims of the breach will be entitled to claim two years of credit monitoring and identity theft protection services through Total Identity, which may be deferred for up to two years.

In addition, the 21st Century Oncology settlement will reimburse breach victims for time spent remedying issues fairly traceable to the data breach. The default claim is based on two hours at $20 per hour, up to a maximum of $40. Alternatively, a claim can be made for documented time spent, up to 13 hours at $20 per hour, to a maximum of $260.

Any individual who can provide proof of out-of-pocket expenses incurred as a result of the breach or documented fraud will be entitled to submit a claim up to $10,000.

All individuals notified about the breach in or around March 2016 are covered by the settlement and can submit a claim. The deadline for claiming is May 10, 2021. Any class member who wishes to object to or be excluded from the settlement has until March 9, 2021 to do so.

While the court has granted preliminary approval of the settlement, final approval has not yet been granted. A fairness hearing has been scheduled for June 15, 2021.

The post 21st Century Oncology Data Breach Settlement Receives Preliminary Approval appeared first on HIPAA Journal.

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals.

US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information.

The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information.

The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures which caused them to suffer irreparable harm and placed them at an increased risk of identity theft and fraud.

The harm suffered by the breach victims that the lawsuit seeks to address includes the theft of personal data and its exposure to cybercriminals, unauthorized charges on credit/debit card accounts, costs associated with the detection and prevention of identity theft and unauthorized use of financial accounts, damages due to accounts being suspended or rendered unusable, inability to withdraw funds, costs and time associated with mitigating the breach and preventing future negative consequences, and imminent and impending injury from potential fraud and identity theft as a result of personal information being sold on the dark web.

Class action lawsuits often allege harm, although in many cases the lawsuits fail as the plaintiffs are unable to provide evidence of injuries or losses sustained as a direct result of the data breach. That was the case with the proposed class action lawsuit against Brandywine Urology, which was recently dismissed by the Delaware Superior Court. Whether the lawsuit succeeds is likely to depend to a large extent on whether the plaintiffs can provide sufficient evidence that they have suffered actual harm due to the ransomware attack and data breach.

Plaintiff Alec Vinsant alleges someone used his Social Security number to fraudulently apply for unemployment benefits in Nevada one month after the data breach occurred and plaintiff Marla Vinsant said her credit score had unexpectedly fallen by 50 points following the attack.

The lawsuit alleges US Fertility was on notice that the healthcare industry was being targeted by ransomware gangs and was aware of the need to encrypt data, yet failed to do so, and US Fertility failed to comply with Federal Trade Commission requirements for data security. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Deceptive Trade Practices Act.

The lawsuit seeks class action status, a jury trial, damages for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal costs, and other relief. The lawsuit also calls for US Fertility to implement proper data security policies and practices, including encryption of sensitive data, deletion or destruction of class members’ PII, proper network segmentation, and penetration tests, to provide further security awareness training for the entire workforce, and to undergo third-party security audits, database scanning, and firewall tests.


Hospital Researcher Jailed for Stealing and Selling Research Data to China

A woman who worked in a medical research lab at the Nationwide Children’s Hospital in Columbus, OH has been jailed for stealing sensitive research data and selling the information to the People’s Republic of China.

Li Chen, 47, and her husband Yu Zhou, 50, were both employed as medical researchers and worked in separate labs at the hospital’s Research Institute for more than 10 years. The former Dublin, OH residents were arrested in California in July 2019 and were subsequently charged over the alleged theft of cutting-edge scientific research.

Zhou was working on a novel technique that allowed exosomes to be isolated from small quantities of blood. Exosomes are used in the research, identification, and treatment of several medical conditions, such as necrotizing enterocolitis. The novel exosome isolation method was a vital process in the research into necrotizing enterocolitis, as the condition affects premature babies and only small blood samples can be taken safely.

The couple set up a company in China, stole at least five trade secrets related to exosome isolation, and then monetized the trade secrets by creating and selling exosome isolation kits. They then provided them to China and received benefits from the State Administration of Foreign Expert Affairs and the National Natural Science Foundation of China. Chen also applied to several government talent plans in China, which are used to transfer foreign research and technology to the Chinese government.

“For far too long, the People’s Republic of China (PRC) has encouraged the outright theft of American trade secrets through Chinese government programs that reward researchers for stealing what China cannot produce through its own ingenuity,” said Assistant Attorney General John C. Demers for the National Security Division. “These programs, like the Thousand Talents, are not innocuous platforms for academic collaboration.”

In July 2020, Chen pleaded guilty to conspiracy to commit wire fraud and the theft of scientific trade secrets for personal financial gain. Chen was recently sentenced to a 30-month jail term and, as part of her plea deal, agreed to pay $2.6 million in restitution, and forfeit around $1.4 million, 500,000 shares of common stock of Avalon GloboCare Corp. and 400 shares of common stock of GenExosome Technologies Inc. Zhou also pleaded guilty to conspiracy to commit wire fraud and is currently awaiting sentencing.

“The FBI will not stop its efforts to identify people who steal technology for their own financial benefit or for the benefit of a foreign government,” said Assistant Director Alan E. Kohler Jr. of the FBI’s Counterintelligence Division.

Chinese Government Targeting Health and Genetic Data of U.S. Citizens

China is not only trying to obtain sensitive medical research data. The National Counterintelligence and Security Center (NCSC) has recently drawn attention to efforts by China to obtain the healthcare data and DNA sets of Americans through cyberattacks, and partnerships between Chinese companies and U.S. states and healthcare organizations.

National Security laws in China require all Chinese companies to share any data they collect with the government. According to the NCSC, by 2019, 15 Chinese companies had been licensed to conduct genetic testing or genetic sequencing on patients in the United States. They had access to genetic data which could have been provided to the Chinese government.

The NCSC said genetic and healthcare data are being used to advance China’s AI and precision medicine industries, yet foreign companies are prevented from accessing the medical data of China’s own citizens. “Over time, this dynamic could allow China to outpace U.S. biotech firms with important new drugs and health treatments and potentially displace American firms as global biotech leaders,” explained the NCSC in a February 2021 report.


Brandywine Urology Consultants Data Breach Lawsuit Dismissed Due to Lack of Harm

A lawsuit filed on behalf of victims of a Brandywine Urology Consultants data breach has been dismissed by the Delaware Superior Court after plaintiffs failed to provide evidence demonstrating they had suffered harm as a result of the breach.

Brandywine Urology Consultants experienced a ransomware attack on January 27, 2020. The attack was detected after two days, and the subsequent investigation confirmed the attackers had access to a network that contained patient information.

Brandywine Urology Consultants concluded from its investigation that the attack was conducted to extort money rather than to obtain patient data, although unauthorized data access and data theft could not be ruled out. The attackers potentially accessed the protected health information of 130,000 patients, and may have viewed or obtained names, medical record numbers, Social Security numbers, financial data, claims data, and other information.

The lawsuit was filed in May 2020 alleging Brandywine Urology Consultants was negligent for failing to prevent the attack, had breached its fiduciary duty, and was in violation of the Delaware Computer Security Breach Act and the Delaware Consumer Fraud Act.

The lawsuit alleged victims of the breach were at imminent risk of harm and had suffered a loss of privacy, anxiety as a result of the theft of their protected health information, a failure to receive the benefit of a bargain, and disruption to medical care. The lawsuit sought damages to cover the cost of mitigations and out-of-pocket expenses that had been incurred.

Brandywine Urology Consultants filed a motion to dismiss the lawsuit due to lack of standing. The defendant claimed the plaintiffs failed to allege an injury in fact, the economic loss doctrine bars any recovery, and the court lacked subject matter jurisdiction for the breach of fiduciary duty claim.

Brandywine Urology Consultants argued that the claim it had violated the Delaware Computer Security Breach Act lacked standing as it had satisfied the statute’s notice requirement, and the Delaware Consumer Fraud Act violation claim should be dismissed because the plaintiffs failed to state a claim under the statute.

“A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling.

Since the plaintiffs were unable to provide evidence of harm, there was only a possibility that their sensitive data had been compromised, and the defendant had taken swift and appropriate measures to investigate and mitigate the breach, the motion to dismiss was granted.

While the plaintiffs claimed to have incurred expenses as a result of the breach, the judge ruled that costs incurred in response to a speculative threat are not sufficient, in themselves, to create an injury sufficient to confer standing.


Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

On January 28, 2021, Democratic senators and representatives introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to COVID-19-related health data collected for public health purposes.

The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., and Richard Blumenthal, D-Conn., and U.S. Representatives Anna Eshoo, D-Calif., Jan Schakowsky, D-Ill., and Suzan DelBene, D-Wash. It requires strong and enforceable privacy and data security rights for health information to be established.

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.”

The Public Health Emergency Privacy Act requires strict privacy protections so that any health data collected for public health purposes is only ever used to achieve the public health purpose for which it was collected.

The Public Health Emergency Privacy Act restricts the use of data collected for public health purposes to public health uses, prohibits the use of the data for discriminatory, unrelated, or intrusive purposes, and prevents government agencies that play no role in public health from misusing the data.

The Act requires data security and data integrity protections to be applied to safeguard health data, for the data collected to be restricted to the minimum necessary information to achieve the purpose for which it is collected and requires tech firms to ensure the data is deleted once the public health emergency is over.

The Act protects Americans’ voting rights by prohibiting the conditioning of the right to vote on any medical condition or on the use of contact tracing apps. The Act will also give Americans control over participation in public health efforts by ensuring transparency and requiring opt-in consent. The Act also requires regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act will not supersede the requirements of HIPAA, the Privacy Act of 1974, or federal and state medical record retention and health information privacy regulations.

“Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services,” said Sen. Warner. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.”

This is not the first time legislation of this nature has been proposed. A similar bill was introduced in 2020, but it failed to win congressional support.


Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China.

Easy Healthcare Corp is the developer of Premom, a popular smartphone fertility app for tracking users’ ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users’ consent. Since the data is stored on servers in China, the lawsuit alleges sensitive information could potentially be accessed or seized by the Chinese government.

The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Since the hardware identifiers do not change, combining them with information about where they were observed would allow data collectors to reconstruct app users’ activities.

Identifiers shared with the Chinese firms include Wi-Fi media access control (MAC) addresses, which are unique identifiers for network interface controllers; router MAC/BSSID addresses, which provide geographical location data; and router SSIDs (Service Set Identifiers), which provide information about Wi-Fi networks. It is also possible for information to be gathered about users’ interests, health, political views, religion, and other sensitive data.

The lawsuit alleges user data was sent to Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk control, and location-based analysis services to their clients.

According to the lawsuit, the Premom privacy policy states, “We will not share or sell your personal data to advertising platforms, data brokers, or information resellers,” so the sharing of the data is in direct violation of those policies. While the privacy policy does state that non-identifiable user data may be collected, users are told that the information would not be shared with outside parties without user consent.

The plaintiff discovered that her personal data had been shared with the three Chinese companies for three years without her knowledge or consent. She claims to have been deceived by Easy Healthcare as she was not informed that her data would be provided to the Chinese entities. The lawsuit also alleges Easy Healthcare shared the data in exchange for monetary compensation and that the firm has been misrepresenting its data sharing practices, in what the lawsuit says is “an unfair, immoral, and unscrupulous business practice.” The lawsuit also claims user data is recorded whenever users unlock or use their phone, even if they are not using the app, which is in violation of Google Play’s developer policies.

The lawsuit was filed a few months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) to request an investigation of the data security and privacy practices of the Premom app, following the discovery of unauthorized data sharing by the watchdog group International Digital Accountability Council.

The lawsuit was filed in the US Northern District Court of Illinois, Eastern Division and seeks class action status and damages for app users. The lawsuit also calls for Easy Healthcare to stop sharing user data with companies without first obtaining consent from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health app found to be sharing user data without obtaining informed consent from app users. The FTC settled a data privacy and security case with Flo Health in January 2021 after it was discovered to have misrepresented privacy practices for its fertility app and shared user data with a data analytics company without consent. Flo Health was ordered to review and revise its privacy policies and obtain consent from app users prior to sharing their data.


Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human-operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients.

One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution.

The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The company’s investigation revealed the hackers had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the hackers were expelled from the network as soon as the breach was discovered, but that a subset of client data had already been obtained by the attackers.

Blackbaud took the decision to pay the ransom to ensure the stolen data was deleted. Assurances were received from the attackers that the data had been permanently destroyed. In its breach notification letters, Rady explained that the types of information potentially obtained by the hackers included patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.

The lawsuit alleges Rady cannot reasonably maintain that the hackers destroyed the plaintiffs’ personal information. According to the complaint, “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also alleges that neither Rady nor Blackbaud is aware of how the hackers exfiltrated the data, whether it was transmitted in a secure manner, or whether it could have been intercepted by other individuals.

According to the lawsuit, Rady had the necessary resources to protect patient data but neglected to implement appropriate security. The plaintiffs seek compensation, long-term protection against identity theft and fraud, and a court order to enforce changes to Rady’s security policies to ensure breaches such as this, and several others cited in the complaint, do not happen again.

Blackbaud is also facing multiple class action lawsuits over the breach. At least 23 putative class action lawsuits have been filed against Blackbaud, according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts. Each alleges victims of the breach have suffered harm as a result of the theft of their personal data.

Blackbaud also said more than 160 claims have been received from its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, the Federal Trade Commission, the Office of the Privacy Commissioner of Canada, and the U.K.’s GDPR data protection authority, the Information Commissioner’s Office.


M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights.

The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches, reported to the Office for Civil Rights between 2013 and 2014, that involved the loss or theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen.

The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first was the failure to implement encryption or adopt an alternative, equivalent method to limit access to ePHI stored on electronic devices; the second was the impermissible disclosure of ePHI.

HIPAA penalties are tiered and are based on the level of culpability, with the Office for Civil Rights determining M.D. Anderson had reasonable cause to know it was in violation of the HIPAA Rules. OCR calculated the appropriate penalties to be $1,348,000 for the lack of encryption and $1.5 million per year for the impermissible disclosures of ePHI.

M.D. Anderson contested the financial penalties and after two unsuccessful reviews, OCR imposed the civil monetary penalties on the Texas healthcare provider in June 2018. M.D. Anderson then petitioned the 5th Circuit Court of Appeals to review the ruling in April 2019.

M.D. Anderson maintained that the HHS’ Office for Civil Rights is a federal agency and exceeded its authority by imposing the civil monetary penalties, since M.D. Anderson is a state agency and is therefore not a ‘person’ covered by the Enforcement Provision of the Health Insurance Portability and Accountability Act. M.D. Anderson also alleged the financial penalty was excessive. At the time it was the third largest HIPAA penalty to be imposed on a single covered entity for violations of the HIPAA Rules.

The two failed reviews resulted in the case going before an Administrative Law Judge (ALJ), who refused to rule on whether HIPAA, the HITECH Act, or any other statute applied, or on whether the civil monetary penalty was arbitrary or capricious.

The 5th Circuit explained, “For the sake of today’s decision, we assume that M.D. Anderson is such a ‘person’ and that the enforcement provision therefore applies. The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act (‘APA’).”

After reviewing the financial penalty, the Court of Appeals ruled that the Office for Civil Rights’ decision was arbitrary, capricious, and contrary to law for at least four independent reasons. As required by HIPAA, M.D. Anderson had implemented a mechanism for encryption as early as 2006, and the Office for Civil Rights failed to demonstrate that M.D. Anderson had not done enough to secure the ePHI of its patients. It was only possible to demonstrate that three employees had failed to abide by M.D. Anderson’s encryption policies.

The Court of Appeals also took issue with the impermissible disclosure aspect of the decision. The HIPAA definition of disclosure implies an affirmative act rather than a passive loss of information, and also requires that ePHI be disclosed to someone outside the covered entity, which could not be determined in this case.

The Court of Appeals also found the decision to fine some covered entities for loss/theft incidents and not others was inconsistent. Regarding the penalty amount, under the “reasonable cause” penalty tier, the maximum fine for violations of an identical provision during a calendar year may not exceed $100,000. The ALJ and the Departmental Appeals Board nevertheless determined that the per-year statutory cap was $1,500,000.

Following the petition to the Court of Appeals, the HHS’ Office for Civil Rights conceded that the $4,348,000 financial penalty could not be justified and asked the Court of Appeals to reduce the fine by a factor of ten to $450,000.

The Court of Appeals concluded that the Government had offered no lawful basis for the civil monetary penalties, vacated the CMP order, and remanded the matter for further proceedings consistent with the court’s opinion.


FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.

SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.

The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.

In its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC investigated the breach and conducted an audit to determine whether there had been a breach of the FTC Act. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access. SkyMed also failed to identify the individuals affected by the breach.

The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” said Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards or those expected by its customers.

The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.

The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.

Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, its data breach response, how the company protects the privacy, security, integrity, and confidentiality of personal information, and its participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard-setting organization.

SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.

Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information. Access controls are required for all data repositories containing personal data, and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.
