Legal News

Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail

The U.S. Department of Justice has announced that a member of the notorious hacking group, The Dark Overlord, has been sentenced to 5 years in jail and has been ordered to pay $1.4 million in restitution.

The Dark Overlord hacking group started targeting U.S. organizations in 2016. The hackers gained access to company networks by brute-forcing credentials on exposed Remote Desktop Protocol (RDP) services, stole data from the victim companies, and threatened to sell the stolen data on criminal marketplaces if a ransom was not paid. Ransom demands ranged from $75,000 to $350,000 in Bitcoin, and were followed by further threats when payment was not made. In some instances, individuals at the victim companies received personal threats against themselves and their family members by telephone, email, and text message.
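The RDP brute-force entry point described above leaves a recognisable trail in Windows Security logs. The following is an added example, not code from the original article or from any investigation of this case: it counts failed logons per source address over a sliding window, records how many distinct usernames were tried (a spraying indicator), and notes whether a successful logon followed from the same address. The log lines are constructed for the example and are modelled on Event ID 4625 (failed logon) and 4624 (successful logon) records with LogonType 10 (RemoteInteractive) exported as key=value text; the field layout, the threshold and the window size are assumptions to adapt to your own export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed export layout: one event per line, ISO-8601 UTC timestamp first,
# then key=value fields. Adjust LINE_RE to your own log pipeline.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)

# Constructed sample (not real data from the case). 203.0.113.7 hammers six
# different accounts in four seconds and then logs in; 192.0.2.20 is a user
# who fat-fingered a password twice, half an hour apart.
SAMPLE_LOG = """\
2016-03-04T02:10:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2016-03-04T02:10:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2016-03-04T02:10:02Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2016-03-04T02:10:03Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2016-03-04T02:10:04Z EventID=4625 LogonType=10 TargetUserName=sysadmin IpAddress=203.0.113.7
2016-03-04T02:10:05Z EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.7
2016-03-04T02:11:30Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2016-03-04T02:12:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.20
2016-03-04T02:40:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.20
2016-03-04T02:41:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.20
"""


def parse(text):
    """Parse key=value log text into (timestamp, event_id, logon_type, user, ip) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, int(m["event"]), int(m["ltype"]), m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_rdp_bruteforce(text, threshold=5, window_seconds=300, rdp_logon_types=(10, 3)):
    """Return {ip: alert} for sources with >= threshold failed RDP logons inside a sliding window.

    LogonType 10 is RemoteInteractive; type 3 is included because RDP with
    Network Level Authentication records the pre-auth failure as a network logon.
    """
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, event, ltype, user, ip in parse(text):
        if ltype not in rdp_logon_types:
            continue
        if event == 4625:
            bucket = recent[ip]
            bucket.append((ts, user))
            # Drop failures that have aged out of the window.
            while bucket and (ts - bucket[0][0]).total_seconds() > window_seconds:
                bucket.pop(0)
            if len(bucket) >= threshold:
                alert = alerts.setdefault(ip, {
                    "first_failure": bucket[0][0],
                    "failures": 0,
                    "distinct_users": 0,
                    "success_after": None,  # (timestamp, user) of a later 4624, if any
                })
                alert["failures"] = max(alert["failures"], len(bucket))
                alert["distinct_users"] = max(alert["distinct_users"], len({u for _, u in bucket}))
        elif event == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            # A success from an address already flagged is the event worth paging on.
            alerts[ip]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

A success from an already-flagged address is the condition that should page someone; the failure count alone mostly tells you that RDP is reachable from the Internet, which is the finding to fix regardless.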

Victims of The Dark Overlord included accounting firms, healthcare providers, and other companies. Healthcare provider victims included Farmington, MO-based Midwest Orthopedic Group, Swansea, IL-based Quest Records, Prosthetics & Orthotics Care in St. Louis, and Athens, GA-based Athens Orthopedic Clinic. Athens Orthopedic Clinic was recently fined $1.5 million for HIPAA failures discovered by the HHS’ Office for Civil Rights when investigating The Dark Overlord hacking incident.

UK national Nathan Wyatt, 39, was arrested by UK police in September 2017 over the hacking of the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge. Around 3,000 photographs were stolen and a ransom demand of £50,000 was issued for their return. He was released without charge, but was later charged with 20 counts of fraud by false representation, two counts of blackmail, and one count of possession of an identity document with intent to deceive. One of those offenses involved the blackmailing of a UK law firm as part of The Dark Overlord's activities. Wyatt was sentenced to 3 years in jail in the UK for the offenses.

Wyatt was then indicted by a grand jury in November 2017 over his role in the Dark Overlord attacks on 5 victim companies in the United States and was extradited to the United States in December 2019 where he has remained in custody.

Wyatt was indicted on six counts: one count of conspiracy, two counts of aggravated identity theft, and three counts of threatening to damage a protected computer. Wyatt entered into a plea arrangement and agreed to plead guilty to the conspiracy charge if the remaining five counts were dropped.

Wyatt admitted being part of The Dark Overlord hacking group and that he and his co-conspirators obtained sensitive data from victim companies, including patient medical records, and threatened to publish or sell the data if the ransom demand was not paid.

Wyatt did not orchestrate the attacks and was not one of the leaders of the group. Wyatt’s role was “creating, validating, and maintaining communication, payment, and virtual private network accounts that were used in the course of the scheme to, among other things, send threatening and extortionate messages to victims,” according to the Department of Justice.

U.S. District Judge Ronnie White, of the Eastern District of Missouri, sentenced Wyatt to 60 months in jail less time already served and ordered Wyatt to pay $1,467,048 in restitution to the victim companies.

“Nathan Wyatt used his technical skills to prey on Americans’ private data and exploited the sensitive nature of their medical and financial records for his own personal gain,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division. “Today’s guilty plea and sentence demonstrate the department’s commitment to ensuring that hackers who seek to profit by illegally invading the privacy of Americans will be found and held accountable, no matter where they may be located.”

The post Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail appeared first on HIPAA Journal.

Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals

In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA.

Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers.

In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and of the covenants of good faith and fair dealing, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which they alleged was then used to switch those customers to Express Scripts’ mail-order service. The pharmacies maintained that there was no need to supply that information in order to confirm coverage and obtain reimbursement.

“The Pharmacies maintain that [Express Scripts] is using their confidential customer information without authorization to switch their customers to [Express Scripts] own mail-order service when [Express Scripts] should only use the information to confirm customers’ coverage and to reimburse the Pharmacies,” according to the court filing. The pharmacies also alleged the pharmacy benefits manager was engaged in unfair competition and “shared the Pharmacies’ trade secrets with its affiliates in order to steal the Pharmacies’ customers.”

The district court dismissed the lawsuit stating the information provided was not protected and the agreements the pharmacies entered into with Express Scripts allowed the pharmacy benefits manager to pursue mail-order prescription arrangements without violating any good faith agreements or contracts. The district court also ruled that the pharmacies could not sue for a HIPAA violation as there is no private cause of action in HIPAA.

In their appeal against the district court’s decision to dismiss the lawsuit, the pharmacies argued that the dismissal for lack of standing was incorrect because they were not attempting to sue for a HIPAA violation. They also asked that the court’s alternative reasoning – “that HIPAA only allows the Pharmacies’ customers, not the Pharmacies, to authorize the use of their confidential health information” – be disregarded. Express Scripts argued that even if it were possible to state a claim under HIPAA, the pharmacies had failed to provide sufficient facts to demonstrate a past or ongoing HIPAA violation.

The pharmacies also claimed in their appeal that Express Scripts was only entitled to receive the information after claims had been processed, and that the collection of customer information was unnecessary and was being done purely out of self-interest.

The 8th U.S. Circuit Court of Appeals affirmed the lower court’s ruling that it is not possible to sue for a HIPAA violation, that the information provided to Express Scripts was not protected, and that the terms of the pharmacies’ contracts with Express Scripts allowed the pharmacy benefits manager to offer mail-order prescription arrangements to the pharmacies’ customers. The contracts entered into by the pharmacies stated that they agreed to cooperate with Express Scripts in the coordination of their customers’ benefits, and mail-service dispensing – even through Express Scripts’ own service – falls within the category of benefits provided to any member.

The Court of Appeals also affirmed the lower court’s dismissal of the pharmacies’ attempted monopolization claim, ruling that “the Pharmacies did not plead sufficient facts to meet their ‘burden of alleging a relevant market in order to state a plausible antitrust claim.’”

HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit

A lawsuit has been filed against HealthAlliance Hospital and Ciox Health, its health record management vendor, for denying a widow from obtaining her deceased husband’s medical records.

Sherry Russell, 62, from Woodstock NY, lost her husband of 42 years to lung cancer in October 2020. Mr. Russell visited HealthAlliance Hospital: Broadway Campus for a chest x-ray in March 2017 but lung cancer was not diagnosed. The cancer diagnosis came two years later when the tumor was 2 inches in diameter and it was too late to provide treatment.

Mrs. Russell believes the radiologist failed to identify the tumor on the x-ray, resulting in a misdiagnosis. Had the tumor been found earlier, it is possible that treatment could have been provided in time to save her husband’s life.

Mrs. Russell requested a copy of her husband’s medical records from HealthAlliance Hospital in order to obtain a copy of the chest x-ray report to support her malpractice lawsuit against the hospital over the failure to diagnose lung cancer; however, she has been unable to obtain a copy of the report.

Under HIPAA, patients are allowed to obtain a copy of their medical records from their healthcare providers. Rule changes implementing the HITECH Act of 2009 amended 45 CFR 164.510(b) of the HIPAA Privacy Rule to “permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with prior expressed preference of the individual that is known to the covered entity.”

When a request is made to obtain a copy of a person’s medical records from a healthcare provider, copies of paper records and electronic records must be provided. The provider can charge a reasonable, cost-based fee for providing copies, which should be provided in the format of the patient’s choosing, if it is technically feasible for a provider to release records in that format. Hospitals can receive thousands of requests for copies of medical records, so many choose to use a health record management vendor to manage those requests, in this case, Ciox Health.

The medical records lawsuit claims that under the federal HITECH Act of 2009, Mrs. Russell is entitled to a copy of her husband’s medical records and that the hospital and Ciox are only permitted to charge $6.50 for providing those records. The lawsuit also alleges both parties have been unresponsive and have been difficult to deal with. When both parties did respond to requests, Mrs. Russell was informed that it was only possible to provide a copy of paper records, not any electronic health records, and Ciox said it charges 75 cents per page for providing those records.

“[Mrs.] Russell can’t even determine the name of the correct physician liable for wrongdoing, without the medical records,” said Sherry Russell’s lawyer, John Fisher. “HealthAlliance Hospital, the very entity that has wronged her, is continuing to wrong her by stonewalling her.” Due to the statute of limitations in New York, the malpractice lawsuit must be filed by Friday this week. Fisher said that the malpractice lawsuit would be filed even if the medical records are not provided.

Fisher is also seeking class action status for the medical records lawsuit against HealthAlliance Hospital and Ciox Health and claims he has dozens of clients that have similarly faced difficulties exercising their HIPAA Right to obtain medical records from HealthAlliance Hospital and Ciox Health.

The issue of charging excessive amounts for copies of medical records was addressed by the HHS in guidance on fees issued in 2016. The HHS confirmed that a $6.50 flat fee can be charged for providing copies of medical records, although it is also possible to charge average labor costs or actual costs for providing a copy to a third party. The HHS also recently launched a HIPAA Right of Access Initiative to vigorously enforce compliance with this important right of HIPAA, and has already issued two financial penalties over the failure to honor this right.

Ciox Health is no stranger to legal action over medical record access. A federal lawsuit was filed against Ciox Health and 62 hospitals in Indiana over the falsification of records and for participating in a kickback scheme involving overbilling for releasing patient EHRs, although the case was dropped. In 2018, Milwaukee-based Aurora Health Care and Ciox Health settled a class-action lawsuit alleging overcharging for medical record requests. A predecessor company of Ciox Health had charged an average fee of $22.58 for providing copies of health records. A $35.4 million settlement was proposed and Alpharetta, Georgia-based Ciox Health agreed to make the funds available to cover claims submitted by patients.

In January 2018, Ciox Health filed a lawsuit against the HHS to stop enforcement of the HIPAA Right of Access fee limits set out in the 2016 guidance, claiming the HHS updates were “irrational, arbitrary, capricious and absurd.” Ciox described the cap as “a $6.50 flat fee that was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.”

In January 2020, a federal judge ruled against the HHS stating that the fee limitations only apply to an individual’s right of access, and not to requests for copies of medical records from third parties, such as attorneys.

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge.

The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google.

In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization.

The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was de-identified but contained physicians’ notes and time stamps of dates of service.

The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein, a patient of UC Medical Center who had hospital stays on two occasions in 2015.

The lawsuit alleged that Mr. Dinerstein’s confidential protected health information was shared with Google without being properly de-identified, as free-text notes from doctors and nurses were included in the data along with the associated time stamps. That information had come to light following a 2018 research study which confirmed that notes and time stamps were included in the data.

The lawsuit alleged that the inclusion of that information meant the data shared with Google was not sufficiently de-identified: because Google already held a substantial store of information about individuals, it was possible that patients could be re-identified, which the lawsuit said created a privacy risk for all patients whose information was shared with Google.

The lawsuit also alleged the medical records had value to Mr. Dinerstein and had been stolen, although no claim was made that Google had tried to re-identify patients. The lawsuit also claimed Mr. Dinerstein was owed a reasonable royalty for the use of his protected health information.

UC Medical Center and Google filed motions to dismiss the lawsuit on August 3, 2019 claiming all data sent to Google under the partnership had been transmitted via secure channels in a manner compliant with the HIPAA Rules. The motions also stated neither HIPAA nor the Illinois Medical Patient Rights Act include a private right of action.

On September 4, 2020, Judge Rebecca Pallmeyer of the U.S. District Court for the Northern District of Illinois, Eastern Division, rejected Mr. Dinerstein’s claims and dismissed the lawsuit.

“Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an inference that the value of that property has been diminished by the University’s or Google’s actions,” wrote Judge Pallmeyer, adding that royalties are only appropriate for interference with a property right, and that the plaintiff had failed to establish he had such a right to his PHI. Judge Pallmeyer also found that Mr. Dinerstein had failed to adequately demonstrate that the alleged privacy breach had caused him economic damage. The plaintiff may file an amended complaint before October 15, 2020.

The ruling will certainly be good news for Google, which is also facing scrutiny of its partnership with Ascension over potential HIPAA violations related to the millions of records Ascension provided to Google in 2019 under “Project Nightingale”.

Konica Minolta Settles EHR False Claims Case for $500,000

Konica Minolta Healthcare Americas Inc. has agreed to pay a $500,000 financial penalty to settle a case against its former subsidiary, Viztek LLC, to resolve False Claims Act violations related to its electronic health record (EHR) product.

The American Recovery and Reinvestment Act of 2009 established the Medicare & Medicaid EHR Incentive Programs to encourage healthcare providers to adopt a certified EHR. Healthcare providers that adopted a certified EHR were entitled to claim incentive payments to offset the cost of purchasing the solution, provided they were able to demonstrate meaningful use of the EHR technology.

Companies that developed and marketed EHR solutions were required to demonstrate that their products met the HHS-adopted criteria and obtain certification for their solutions. According to a Viztek whistleblower, a former product manager at the company, Viztek and Konica Minolta Healthcare had falsified testing results of the Viztek solution, EXA EHR, in 2015 and misrepresented the capabilities of the product. Konica Minolta acquired Viztek in October 2015 during the period when the EHR was being tested.

The whistleblower filed a lawsuit against Viztek and Konica Minolta in December 2017 under the whistleblower provisions of the False Claims Act, alleging that as a result of the falsified testing results, healthcare providers using the solution had submitted false claims to the HHS for EHR incentive payments in 2015 and 2016.

According to the lawsuit, the capabilities of EXA EHR that were necessary to obtain certification had not been built into the product at the time of testing. Viztek attested to the EHR testing company Infogard that the product met the HHS-adopted criteria, and hard-coded the software so that it would pass the scripted certification tests even though the product could not deliver the applicable functionality to its customers.

Infogard was also named as a defendant in the lawsuit. The lawsuit alleged Infogard either knew that EXA EHR did not meet all applicable requirements for certification or recklessly disregarded the fact that it did not meet the required criteria.

Under the Whistleblower provisions of the False Claims Act, the whistleblower is entitled to share in any settlement if they bring civil actions on behalf of the U.S government. The whistleblower is due to receive $100,000 of the settlement amount.

Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over the 2017 NotPetya malware attack. The lawsuit was recently dismissed by a federal judge of the U.S. District Court for the Western District of Pennsylvania.

The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and exploited the same Windows Server Message Block (SMB) vulnerability, the one addressed by Microsoft’s MS17-010 update and targeted by the EternalBlue exploit, to spread between hosts; NotPetya also moved laterally using harvested administrator credentials and legitimate remote-execution tools. NotPetya overwrote the master boot record and encrypted the master file table of infected computers, rendering them unbootable. The attacks began on June 27, 2017, more than three months after Microsoft released the patch for the SMB vulnerability.

The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection with Nuance; a tunnel of that kind carries the partner’s network-layer trust, and with it anything propagating on the partner’s network, unless the traffic it admits is restricted and segmented. Once NotPetya reached Heritage Valley, its servers and workstations were also encrypted, preventing the devices from booting and rendering data inaccessible.

Heritage Valley filed a lawsuit against Nuance alleging the NotPetya cyberattack was the result of negligence, poor security practices, and inadequate governance oversight. The lawsuit also alleged breach of implied contract and unjust enrichment. The damage to its computer systems forced Heritage Valley to temporarily cancel many of its patient care services for almost a week. The loss of business and damage to computer hardware cost the health system millions.

The attack on Nuance was largely preventable: the SMB flaw NotPetya exploited had been patched more than three months earlier. Patching alone would not have closed every propagation path, since NotPetya also spread with stolen administrator credentials and built-in remote-execution tools, but it would have removed the exploit the worm relied on to reach unpatched hosts. The forensic investigation also confirmed that Heritage Valley was infected through Nuance. The lawsuit was dismissed because of the contract between Heritage Valley and its vendor: Heritage Valley had signed a contract with Dictaphone Inc. in 2003, and Dictaphone was acquired by Nuance in 2006.

In the lawsuit, Heritage Valley argued “Nuance is liable for any contractual obligations and tort liability arising from the plaintiff’s use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack.”

Since the acquisition of Dictaphone in 2006, Nuance had acquired more than 50 other companies and had more than 150 subsidiaries. “The sheer number of Nuance’s corporate acquisitions and the reach and pace of its global expansion combined to make meaningful integration of acquired systems and meaningful segmentation of Nuance’s growing global network difficult,” argued Heritage Valley in the lawsuit. “With each acquisition and international expansion, Nuance exposed itself and its customers to increasing cybersecurity risk, all the while Nuance did not have the management or funding in place to sufficiently protect against these risks.”

In its motion to dismiss, Nuance argued that it could not be held liable for negligence because it was not party to the Master System Procurement Agreement between Dictaphone and Heritage Valley in 2003, through which Heritage Valley purchased hardware and software from Dictaphone. The hardware and software were then maintained through a private portal-to-portal network.

The judge accepted Heritage Valley’s account of the facts and did not dispute its claims, but ruled that product liability claims could not proceed against either Dictaphone or Nuance because the harm had been caused by an external source, and that Nuance could not be held liable under the 2003 contract because that contract was between Heritage Valley and Dictaphone.

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing.

Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised.

A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services.

Judge R. Austin Huffaker Jr. stated in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no evidence that files containing protected health information had been accessed or exfiltrated by the attackers and there was no evidence patient information had been misused in any way.

The lawsuit alleged the ransomware attack was a direct result of the failure of Sarrell to implement reasonable cybersecurity procedures and protocols and patients’ personal and protected health information was now likely in the hands of identity thieves. Consequently, patients affected by the breach had to spend time and money protecting themselves against identity theft and fraud. However, Judge Austin Huffaker viewed the claims as speculative, since the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data.”

Since the plaintiffs and putative class members failed to allege they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell for the security breach. “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue,” wrote Judge Austin Huffaker. “The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of ‘possibilities’ and traffics in ‘maybes’.”

Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies

Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking US companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government and also hacking organizations for personal financial gain.

Li Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars.

The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the United Kingdom. The attacks were conducted on companies in many industry sectors, including high-tech manufacturing, medical devices, pharmaceutical, energy, gaming software, and business. The hackers also targeted individual dissidents, clergy, and democratic and human rights activists in the U.S, China, and Hong Kong.

The hackers stole intellectual property and sensitive data and passed the information to the Chinese government. In at least one case, source code was stolen from a company and the hackers attempted to extort money from the company, threatening to release the source code on the internet if payment was not made. More recently, the hackers turned their attention to companies developing vaccines, testing technology, and treatments for COVID-19. A cyberattack on the U.S. Department of Energy’s Hanford Site in Eastern Washington sparked the investigation that led to the indictment.

The hackers exploited unpatched vulnerabilities in popular web server software, software collaboration programs, and web application development suites, and took advantage of insecure default configurations. In many cases the vulnerabilities were newly disclosed, so no patch was yet available. After gaining access to systems, they deployed web shells such as ‘China Chopper’, which allowed them to steal credentials, elevate privileges, and execute code on the compromised servers. To hide exfiltration, they packed stolen data into RAR archives and renamed the files with the more innocuous .jpg extension. They also altered system timestamps and concealed programs and documents in innocuous locations on victims’ networks, such as recycle bins. In many cases, they left backdoors that allowed them to regain access to victims’ networks and steal further intellectual property and data, often several years after the initial intrusion.
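Renaming a RAR archive to .jpg changes the extension but not the bytes, so the staging artifacts described above are findable by content rather than by name. The following is an added example, not code from the indictment or from any investigation of the case: it walks a directory tree, sniffs each file’s leading bytes against the standard RAR 4.x/5.x, ZIP, 7-Zip and JPEG signatures, and reports archives whose extension claims something else. The sample tree it builds is constructed for the demonstration, and the recycle-bin directory name and SID-style subfolder are assumptions standing in for the real hiding spots. Timestamp tampering is not covered here, since detecting it needs filesystem metadata (for example comparing NTFS $STANDARD_INFORMATION against $FILE_NAME times) rather than file content.

```python
import os
import tempfile
from pathlib import Path

# Leading-byte signatures for archive containers attackers commonly rename,
# plus JPEG, the format the renamed files claimed to be.
MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\xff\xd8\xff": "jpeg",
}
ARCHIVE_KINDS = {"rar4", "rar5", "zip", "7z"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}


def sniff(head: bytes):
    """Return the format name for the leading bytes, or None if unrecognised."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def find_disguised_archives(root):
    """Walk root and return (path, extension, kind) for files whose bytes say
    'archive' but whose extension does not."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)  # the longest signature above is 8 bytes
        kind = sniff(head)
        ext = path.suffix.lower()
        if kind in ARCHIVE_KINDS and ext not in ARCHIVE_EXTS:
            findings.append((str(path), ext, kind))
    return sorted(findings)


def build_demo_tree(root):
    """Write a constructed sample tree (not evidence from the case): a real JPEG
    header, a legitimately named archive, a text file, and two archives disguised
    as images parked in a recycle-bin style directory."""
    root = Path(root)
    hidden = root / "$Recycle.Bin" / "S-1-5-21-1000"  # assumed SID-named subfolder
    hidden.mkdir(parents=True)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "backup.rar").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)
    (root / "readme.txt").write_bytes(b"nothing to see here")
    (hidden / "IMG_0042.jpg").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)
    (hidden / "notes.jpg").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    return root


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return (basename, kind) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(os.path.basename(p), kind) for p, _ext, kind in find_disguised_archives(tmp)]


if __name__ == "__main__":
    for name, kind in run_demo():
        print(f"{name}: image extension but starts with a {kind} signature")
```

Point `find_disguised_archives` at web roots, temp directories and every `$Recycle.Bin` on a suspect host; a multi-megabyte “image” that sniffs as RAR sitting next to a web shell is the staging pattern the indictment describes.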

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” said Assistant Attorney General for National Security John C. Demers.

Charges were filed for conducting attacks on at least 8 companies and stealing trade secrets related to manufacturing processes, and technology designs, as well as chemical structures, source code, and test results. The information would allow competitors to gain a significant market edge and save millions on research and development costs, allowing them to create competing products.

The DOJ filed an 11-count indictment with a federal grand jury in Spokane, which includes one count of conspiracy to commit fraud, one count of conspiracy to commit theft of trade secrets, one count of conspiracy to commit wire fraud, one count of unauthorized access of a computer, and seven counts of aggravated identity theft. In total, the hackers face a maximum sentence of more than 40 years in jail; however, the hackers are unlikely to be brought to justice as there is no extradition agreement between the US and China.

“Today’s indictment demonstrates the serious consequences the Chinese MSS and its proxies will face if they continue to deploy malicious cyber tactics to either steal what they cannot create or silence what they do not want to hear,” said FBI Deputy Director David Bowdich. “Cybercrimes directed by the Chinese government’s intelligence services not only threaten the United States but also every other country that supports fair play, international norms, and the rule of law, and it also seriously undermines China’s desire to become a respected leader in world affairs. The FBI and our international partners will not stand idly by to this threat, and we are committed to holding the Chinese government accountable.”

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopaedic Institute, one of the largest orthopaedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack.

The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.

Attorney John Yanchunis of the law firm Morgan & Morgan recently filed a lawsuit against Florida Orthopaedic Institute in Hillsborough County, FL, alleging the healthcare provider failed to implement appropriate safeguards to ensure the confidentiality of patient data. He claimed, “Certainly, this information was in the hands of cybercriminals and was being used maliciously.”

The lawsuit alleges the healthcare provider was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients, and that basic cybersecurity best practices were not followed. In addition to negligence, the lawsuit alleges invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

While patients were offered complimentary identity theft protection services, Yanchunis claims that 12 months of coverage is not nearly enough to protect victims, since affected individuals now face an elevated risk of financial harm as a result of the breach for many years to come.

The lawsuit seeks extended credit monitoring for breach victims and at least $99 million in damages on behalf of the current and former patients.

The incident has yet to appear on the breach portal maintained by the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected by the attack. According to the lawsuit, at least 100,000 patients were affected and potentially more than 150,000.

Other recent ransomware attacks that have resulted in lawsuits include the attack on DCH Health System and BST & Co CPAs LLC. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a potential class action lawsuit filed on behalf of a victim of the breach.
