Legal News

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed.

The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees at UnityPoint Health's Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018.

The second phishing attack was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018. The attackers had access to the email accounts for almost a month before the breach was detected and the email accounts were secured. Notification letters were sent to affected individuals in August 2018.

A lawsuit was filed soon after the announcement about the breach was made. The lawsuit alleged UnityPoint Health mishandled the breach and misrepresented the nature, breadth, scope, harm, and cost of the breach. It was alleged that UnityPoint Health did not notify affected individuals within the 60-day time frame demanded by the HIPAA Breach Notification Rule and when notifications were issued, patients were not informed that their Social Security numbers had been exposed.

In the breach notification letters, UnityPoint Health explained that no evidence was found to suggest the protected health information exposed in the attack was or would be used for unintended purposes, suggesting affected patients were not placed at risk. UnityPoint Health also failed to offer breach victims credit monitoring or identity theft protection services, even though Social Security numbers and driver's license numbers had been exposed.

UnityPoint Health attempted to have the lawsuit dismissed and was partially successful. In July 2019, a US District Court Judge dismissed some of the claims in the lawsuit, although other claims were allowed to proceed. The judge ruled that the plaintiffs had alleged facts sufficient to establish there was an objectively reasonable likelihood of future identity theft.

A settlement was proposed on June 26, 2020 to resolve the lawsuit and will provide victims with monetary and injunctive relief. Under the terms of the proposed settlement, UnityPoint Health has agreed to make a minimum of $2.8 million available to class members to cover claims. Each affected individual can submit a claim of up to $1,000 to cover documented ordinary out-of-pocket expenses such as credit monitoring and identity theft protection services, and up to 3 hours in lost time charged at $15 per hour.

A claim of up to $6,000 can be made per person to cover extraordinary expenses, which includes documented out-of-pocket expenses and up to 10 hours per person at $15 per hour for time lost arranging credit monitoring services, credit freezes, and other actions taken as a result of the breach. In contrast to most data breach settlements, UnityPoint Health has not placed a cap on extraordinary expenses claims, so UnityPoint Health will cover actual losses if breach victims submit a valid claim. All victims will also be entitled to a year's membership of credit monitoring and identity theft protection services and will be protected by a $1 million insurance policy against identity theft. The credit monitoring services and insurance policy are estimated to cost around $200 per class member.

The four breach victims named in the lawsuit will also be entitled to claim an additional $2,500 per person. The full costs of notice and claims administration and attorney fees will be paid by UnityPoint Health up to a maximum value of $1.58 million.

UnityPoint Health has also agreed to make improvements to network and data security and will undergo an annual audit by a third-party security firm to ensure that security measures are adequate, and the healthcare provider is complying with its security policies.

Given the lack of a cap on claims, this could turn out to be one of the largest ever healthcare data breach settlements. The settlement will now need to be approved by a judge and could be finalized by the end of the year.

The post UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court

A lawsuit filed by patients of Uniondale, NY-based Episcopal Health Services Inc., whose personal and protected health information was compromised in a phishing attack in 2018, has been kicked back to the New York State Supreme Court for further proceedings.

The lawsuit alleged that Episcopal Health Services had failed to protect the private information of its patients from unauthorized disclosures. As a result of those failures, Episcopal Health Services suffered a breach of some of its employee email accounts between August 28, 2018 and October 5, 2018. The email accounts contained a range of sensitive data including patients’ names, addresses, dates of birth, Social Security numbers, and financial information.

The lawsuit named three plaintiffs who were patients of St. John’s Episcopal Hospital. They claimed injuries had been suffered as a direct result of the disclosure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission (FTC) Act, with the plaintiffs claiming Episcopal Health Services had violated those laws. The plaintiffs also alleged a breach of fiduciary duty, a breach of implied contract, a delay in issuing notifications about the breach, and negligence with respect to the hiring and training of its employees.

Episcopal Health Services removed the case from the New York State Supreme Court, alleging the claims fell under HIPAA and the FTC Act, which are federal laws. The defendant also sought to have the lawsuit dismissed for lack of standing and failure to state a claim.

The lawsuit was kicked up to the U.S. District Court for the Eastern District of New York, which recently ruled that the lawsuit did not raise any questions of federal law. While HIPAA and the FTC Act were referenced in the lawsuit, the claims were not based on HIPAA or FTC Act violations; instead, they were common law causes of action. There is no private cause of action under either HIPAA or the FTC Act. Actions over violations of HIPAA can only be taken by the Department of Health and Human Services or State Attorneys General, while the FTC Act can only be enforced by the Federal Trade Commission.

District Court Judge Dora L. Irizarry ruled that the District Court did not have the authority to preside over the case, so the case was sent back to the New York State Supreme Court for further proceedings. No ruling was made on Episcopal Health Services’ motion to dismiss the lawsuit.


Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced that a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC).

UPMC owns 40 hospitals, around 700 outpatient sites and doctors' offices, and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to a human resources server's Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers.

The suspect has been named as Justin Sean Johnson, a 29-year old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency.

Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Johnson is alleged to have hacked into the database, exfiltrated PII, and sold the stolen data on darknet marketplaces such as AlphaBay Market to multiple buyers worldwide. Prosecutors also allege that in addition to selling the PII of UPMC employees, between 2014 and 2017 Johnson sold other PII on darknet forums.

The PII stolen from UPMC was subsequently used in a massive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in around $1.7 million in false refunds being issued. Those refunds were converted into Amazon gift cards that were used to obtain around $885,000 in goods, which were mostly shipped to Venezuela to be sold in online marketplaces.

Two other people were charged in connection with the hacking of UPMC. In 2017, Venezuelan national Maritza Maxima Soler Nodarse pleaded guilty to conspiracy to defraud the United States and was involved in filing fraudulent tax returns. A Cuban national, Yoandy Perez Llanes, pleaded guilty to money laundering and aggravated identity theft in 2017. Maritza Maxima Soler Nodarse was sentenced to time served and was deported, and Yoandy Perez Llanes will be sentenced in August 2020.

The breach investigation revealed access to the Oracle PeopleSoft database was first gained on December 1, 2023. After gaining access to the database, a test query was performed and the data of approximately 23,500 individuals was accessed. Between January 21, 2014 and February 14, 2014, the database was accessed on multiple occasions each day and the data of tens of thousands of UPMC employees was stolen.

Johnson faces a long prison term if found guilty of the crimes. The conspiracy charge carries a maximum prison term of 5 years and a fine of up to $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of up to $250,000 for each count, and there is a mandatory 2-year prison term for aggravated identity theft and a fine of up to $250,000 for each count.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” said Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office.

“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” said U.S. Attorney Brady.


New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack

Patients whose protected health information was stolen in a manual ransomware attack on the New York accounting firm BST & Co. CPAs LLC in late 2019 have taken legal action against the company.

The lawsuit alleges BST & Co. was negligent for failing to take appropriate and reasonable steps to prevent the attack and did not provide prompt and accurate notice to affected patients. The lawsuit also alleges the company breached its fiduciary duty to protect sensitive patient information and violated state laws related to deceptive business practices.

The ransomware attack was discovered by BST on December 7, 2019. The attack involved Maze ransomware and, prior to file encryption, the gang exfiltrated a range of data from the company and threatened to publish the data if the ransom was not paid. The gang then followed through with the threat and published sensitive data on its website when payment was not made.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 170,000 individuals was potentially compromised in the attack, many of whom were patients of Community Care Physicians. Even though patient data had been published online where it could be accessed by anyone, BST waited until February 14, 2020 to send notification letters to patients.

The lawsuit was filed in New York's Supreme Court on May 27, 2020 and class action status is being sought. The lawsuit alleges BST & Co. "intentionally, willfully, recklessly, or negligently failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions," and states its computer systems and security practices were not adequately robust.

The lawsuit also alleges BST and its staff were not properly monitoring the computer network and systems that contained sensitive patient information. Had the network been properly monitored, the lawsuit argues, the attack would have been identified sooner. The lawsuit claims that as a result of the failures of the company, patient data is now in the hands of data thieves and patients' identities are now at risk.

The lawsuit seeks compensatory damages, reimbursement for out-of-pocket-expenses, the provision of adequate credit monitoring services, and calls for improvements to be made to the company’s security systems to ensure further breaches are prevented in the future.


Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks.

Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver's license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to suggest patient information was stolen in the attack, but it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days.

Aveanna Healthcare delayed issuing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients affected by the breach have so far been included in the lawsuit. They allege that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually sent, they failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack as a result.

The lawsuit states that Aveanna Healthcare was aware that patient data was at risk yet failed to take adequate steps to secure patient data. The plaintiffs also allege Aveanna Healthcare was not properly monitoring computer systems that contained patient data. If those systems were being monitored, it would not have taken 6 weeks for the data breach to be identified.

The plaintiffs claim they now face an elevated risk of identity theft and fraud as their sensitive data is now in the hands of data thieves. The lawsuit seeks nominal and compensatory damages for patients affected by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.


New Washington D.C. Data Breach Notification Law Takes Effect

On May 19, 2020, legislative changes to the Washington D.C. data breach notification law took effect. The changes were introduced in March and significantly updated existing breach notification requirements. There has been a major expansion of data classified as personal information that warrants breach notifications if subjected to unauthorized access and new data security requirements have been introduced.

Prior to the change, notifications were required if personal information such as names, phone numbers, and addresses was exposed in combination with a Social Security number, driver's license number, DC ID card number, or credit/debit card number, or if numbers and codes were breached that allowed credit or finance accounts to be accessed.

The change has seen several other data elements added to the list. Breach notifications are now required if any of the following data is breached, even in the absence of a name if the data could be used for identity theft:

  • Medical information
  • Health insurance information
  • Genetic data and DNA profiles
  • Biometric information
  • Passport numbers
  • Usernames or email addresses in combination with a password or security questions and answers that would allow the account to be accessed
  • Taxpayer ID numbers
  • Military ID numbers
  • Other unique government-issued ID numbers

The D.C. Attorney General’s office must be notified in the event of a breach involving the data of more than 50 D.C. residents, and notifications must be issued without unreasonable delay in the most expedient manner possible. As is the case in states such as California, there are now content requirements for breach notifications.

It is also now mandatory for the breached entity to offer a minimum of 18 months of complimentary identity theft protection services to breach victims if a Social Security number or taxpayer ID number has been breached.

The update also calls for all businesses that collect, maintain, or process the personal information of D.C. residents to implement and maintain reasonable safeguards to secure personal information. The policies, procedures, and practices should reflect the nature and size of the entity. In cases where the entity works with third-party service providers, they must enter into a service agreement with the covered entity confirming they too will implement reasonable safeguards to ensure the confidentiality, integrity, and availability of personal information provided to them.

Breach notifications are not required if the breached data is encrypted, unless it can be decrypted, nor if the breached entity determines, in conjunction with the D.C. Attorney General, that there is a low risk of harm.

HIPAA-covered entities in compliance with the HIPAA Breach Notification Rule are deemed to be compliant with the breach notification requirements of the updated law but are still required to notify the D.C. Attorney General about a data breach. The same applies to entities that are subject to and compliant with GLBA.


Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit

A patient who sued Parkview Health System Inc. after a medical assistant accessed her medical records and shared sensitive information with another individual has had her respondeat superior claim reinstated by the Indiana Court of Appeals.

Haley SoderVick sued Parkview Health System after she was notified that a medical assistant had accessed her medical records and disclosed the information to the medical assistant's then husband. The medical assistant's husband had posted a picture on Facebook that was liked by SoderVick, which prompted the disclosure.

SoderVick had visited Parkview Health in October 2017 and underwent a medical examination in the OB/GYN department. While she was there, her medical records were accessed by the medical assistant, Alexi Christian.

Christian texted her husband information about SoderVick, stating she was a patient at the facility, disclosed a potential diagnosis, and told her husband SoderVick was a dispatcher. She also told her husband that SoderVick was HIV-positive and had had more than 50 sexual partners, although both claims were false and that information had not been obtained from her medical record. Christian said she was concerned her husband may have known SoderVick after SoderVick had liked his post, and wanted to know if her husband, Caleb Thomas, had had a sexual relationship with SoderVick.

The text messages were later seen by Thomas’ sister who had borrowed Thomas’ phone. She reported the HIPAA violation to Parkview Health and forwarded the text message, which prompted an investigation that led to the termination of Christian for the HIPAA violation.

After being notified about the HIPAA breach, SoderVick took legal action claiming Parkview Health was vicariously liable for the actions of Christian, that the healthcare provider was negligent for failing to provide appropriate training and supervision, and that Parkview Health had violated its statutory and common-law duties of data protection and privacy as required by HIPAA.

Parkview Health sought summary judgment on the claims, which was ultimately granted. The trial court ruled that "Christian's texts to a third party, whether they contained truthful information or false information about SoderVick, clearly fell outside the scope of her employment with Parkview and, therefore, Parkview is not vicariously liable for these acts."

SoderVick appealed the respondeat superior claim and a majority of the Court of Appeals reversed the decision. In its motion for summary judgment, Parkview argued there was no genuine issue of material fact as to whether Christian was acting in the scope of her employment. "We find that there is a genuine issue of fact on the scope of employment issue; specifically, there is an issue of fact as to whether Christian's conduct was incidental to authorized employment activities," concluded the COA. "We therefore find that the trial court erred in granting summary judgment in favor of Parkview on the respondeat superior claim, reverse that portion of the order, and remand for further proceedings."


Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches

Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent.

The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018 and September 22, 2019.

On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018 and February 29, 2020.

In early 2019, the mother took her then 3-year-old child to the hospital for an examination because she suspected that her daughter may have been sexually abused.

The mother sought legal advice on May 8, 2020 to find out how she could ensure that her daughter's medical records would be better protected in the future and to try to find out more about how two breaches of this nature could have occurred. A lawsuit was filed by the law firm Edelson P.C. in Cook County Circuit Court on May 8, 2020.

The lawsuit alleges a breach of contract, breach of confidentiality, and negligence for failing to supervise staff and ensure her child's medical records remained private and confidential. The access to the plaintiff's medical records was part of two larger breaches that spanned several months before the unauthorized access was identified. The lawsuit seeks class action status and trial by jury.

Both cases were investigated by the hospital, but no evidence was identified to suggest any patient information was obtained or misused by the employees. After unauthorized access was detected and the incidents were investigated, both employees were disciplined in accordance with the hospital’s policies and they no longer work in the hospital.

The lawsuit seeks damages for all patients affected by the breaches, the provision of ongoing credit monitoring services for breach victims, and calls for measures to be implemented to prevent further privacy breaches in the future.


Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months.

LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach.

A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data.

Raymond Eugenio holds shares in LabCorp which lost value as a result of the data breaches and filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.

The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches.

In an SEC filing, LabCorp explained the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the cost of litigation that followed. Several class action lawsuits have been filed by victims of the AMCA data breach that name LabCorp so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit alleges that:

  • LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information
  • There was insufficient oversight of compliance with federal and state regulations and with its internal policies and procedures
  • LabCorp did not have a sufficient data breach response plan in place
  • PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place
  • LabCorp did not ensure that individuals and entities affected by the breach were notified in a timely manner
  • The company did not make adequate public disclosures about the data breaches

The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. The lawsuit also calls for a reform of corporate governance and internal procedures and requires a board-level committee to be set up and an executive officer position to be appointed to ensure adequate oversight of data security.
