Legal News

Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches

Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent.

The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018 and September 22, 2019.

On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018 and February 29, 2020.

In early 2019, the mother took her then 3-year-old child to the hospital for an examination because she suspected that her daughter may have been sexually abused.

The mother sought legal advice on May 8, 2020 to find out how she could ensure that her daughter’s medical records would be better protected in the future and to learn more about how two breaches of this nature could have occurred. A lawsuit was filed by the law firm Edelson P.C. in Cook County Circuit Court on May 8, 2020.

The lawsuit alleges a breach of contract, breach of confidentiality, and negligence for failing to supervise staff and ensure her child’s medical records remained private and confidential. The accessing of the plaintiff’s medical records was part of two larger breaches that spanned several months before the unauthorized access was identified. The lawsuit seeks class action status and trial by jury.

Both cases were investigated by the hospital, but no evidence was identified to suggest any patient information was obtained or misused by the employees. After the unauthorized access was detected and the incidents were investigated, both employees were disciplined in accordance with the hospital’s policies, and they no longer work at the hospital.

The lawsuit seeks damages for all patients affected by the breach, the provision of ongoing credit monitoring services for breach victims and calls for measures to be implemented to prevent further privacy breaches in the future.

The post Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches appeared first on HIPAA Journal.

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months.

LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach.

A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data.

Raymond Eugenio, who holds shares in LabCorp that lost value as a result of the data breaches, filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.

The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches.

In an SEC filing, LabCorp explained that the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the cost of the litigation that followed. Several class action lawsuits naming LabCorp have been filed by victims of the AMCA data breach, so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit alleges that LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information; that there was insufficient oversight of compliance with federal and state regulations and with its internal policies and procedures; that LabCorp did not have a sufficient data breach response plan in place; that PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place; that LabCorp did not ensure that individuals and entities affected by the breach were notified in a timely manner; and that the company did not make adequate public disclosures about the data breaches.

The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. The lawsuit also calls for a reform of corporate governance and internal procedures, including the creation of a board-level committee and an executive officer position to ensure adequate oversight of data security.


$8.9 Million Banner Health Data Breach Settlement Gets Final Approval

A settlement proposed by Banner Health to resolve a class action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a federal judge.

The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future.

The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. That system was connected to servers used to store the protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The food and beverage system contained the credit and debit card numbers of around 30,000 customers. The data breach was the largest to be reported by a healthcare organization in 2016 and is still one of the top 10 healthcare data breaches of all time.

The class action lawsuit claimed “financially-motivated cyber-criminals entered Banner’s network, rummaged through Banner’s information systems, downloaded and installed hacking software, and copied and exfiltrated massive quantities of personally identifiable information.”

The lawsuit alleged “Since at least 2012, Banner’s information security measures have been objectively unreasonable and deficient—particularly in light of healthcare, insurance, and payment card industry standards, applicable legal requirements, and the known and growing threat to healthcare and insurance companies from cybercriminals.”

Under the terms of the settlement, a fund of $6 million has been set up to cover monetary and injunctive relief for all individuals affected by the breach, and $2.9 million will be paid in attorneys’ fees. Victims of the breach can claim up to $500 in ordinary expenses, including up to 3 hours of undocumented time in connection with the data breach and additional documented expenses. Up to $10,000 in extraordinary expenses can be claimed, including up to 15 hours of documented lost time dealing with identity theft and fraud and other monetary losses. Banner Health will also cover the cost of two years of credit monitoring services on top of those already provided and a $1 million identity theft insurance policy.

“We are pleased to resolve this matter and will continue to work diligently in the best interests of our patients, employees and physicians,” said Becky Armendariz, senior director of marketing and public relations at Banner Health.


Tandem Diabetes Care Facing Class Action Lawsuit over January 2020 Phishing Attack

The San Diego medical device manufacturer, Tandem Diabetes Care Inc., is facing a class action lawsuit in California over a January 2020 data breach that resulted in the exposure and possible theft of the protected health information of more than 140,000 individuals.

The breach was the result of a phishing attack that gave unauthorized individuals access to the email account of an employee between January 17 and January 20, 2020. The information in the email account varied from patient to patient but included a range of private and confidential information including names, dates of birth, insurance information, billing information, healthcare data, and Social Security numbers.

The incident was reported to the HHS’ Office for Civil Rights on March 17, 2020 as affecting 140,781 individuals. Notification letters started to be sent to those individuals the same day.

The lawsuit was filed in the United States District Court in the Southern District of California and alleges violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members seek damages for the negligent disclosure of their personal and healthcare data and injunctive relief.

CMIA requires healthcare service providers to implement measures to ensure the confidentiality of individually identifiable medical information and prohibits the disclosure of that data without prior authorization from patients. In contrast to HIPAA, CMIA includes a private cause of action, which allows patients to take legal action over the negligent disclosure of their confidential health data.

The lawsuit names the plaintiff as C.H. and divides the putative class into two subclasses: all California citizens whose identities, personal data, and medical information were contained in the email account, and all other individuals whose information was exposed.

The lawsuit alleges negligence for failing to protect individually identifiable health information. “By making Defendant’s email account accessible to third parties, Defendant negligently created, maintained, preserved, stored, and then exposed Plaintiff’s and the Class members’ individual identifiable ‘medical information,’” states the lawsuit.

The lawsuit alleges Tandem Diabetes Care failed to maintain adequate technological safeguards, which directly and proximately caused foreseeable risk of patient data loss and harm, including identity theft and other economic losses.

The lawsuit alleges patients have suffered damages as a result of the unauthorized release of their personal and protected health information and seeks nominal damages of $1,000 per class member, reimbursement for actual damages suffered, damages provided by the common law, and legal costs.

The lawsuit was filed by Joshua B. Swigart of the law firm Swigart Law Group, who is seeking class action status and a jury trial.


Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis.

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.”

While the disclosures are permissible, the County Health Department said on Friday that it would not disclose that information, as doing so violates the privacy of patients and creates a false sense of security for first responders, who must assume that every home they visit could house a person who has contracted COVID-19 and could transmit the coronavirus. The County Health Department recommended that first responders take the same precautions in all interactions with the community.

“In MCDH’s professional public health opinion, given what we know about how this disease spreads, the general lack of testing, epidemiological data and the stay-at-home order, providing the personal names of cases exceeds the minimum information needed to protect law enforcement,” explained MCDH.

Several law enforcement agencies in McHenry County took legal action to force the County Health Department to disclose the information to better protect first responders. Two lawsuits were filed, one on behalf of four police departments in the County and the other by the County Sheriff’s office. The police department lawsuit requested that the information be released to the McHenry County Emergency Telephone System Board, which would ensure that any officers responding to incidents would be made aware if they needed to take extra precautions. The County Sheriff argued in its lawsuit that it was not possible for officers to take the same precautions in every interaction with a member of the public because there was not enough personal protective equipment available.

On Friday evening, a temporary court order was issued requiring MCDH to disclose the information. In the ruling, it was explained that “The availability of the names at issue best enables police officers to do their job and protect the community to the fullest extent of their ability.”

As a result of the court order, MCDH will start providing the names of patients, on request, but only to dispatchers on a call-by-call basis. MCDH has requested the “tightest control” of any information that is disclosed, to protect the privacy of its patients.


$1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit

A $1 million settlement proposed by American HomePatient to resolve a class action lawsuit filed on behalf of victims of a 2017 data breach has received preliminary approval.

The data breach that was the subject of the lawsuit occurred on January 6, 2017. The offices of American HomePatient in Delaware were burgled, and thieves stole several computers. The hard drives were not encrypted and contained sensitive information such as names, addresses, dates of birth, Social Security numbers, AHOM account information, financial information, diagnosis codes, and treatment information of 13,000 current and former patients and customers of American HomePatient and Lincare Holdings Inc.

Following the breach, a class action lawsuit was filed on behalf of victims of the breach, who claimed American HomePatient was negligent for failing to encrypt sensitive data and that, by failing to do so, it had given the thieves easy access to their sensitive information. The lawsuit also alleged invasion of privacy, breach of implied contract, negligence per se, unjust enrichment, breach of fiduciary duty, and a violation of the state Unfair and Deceptive Trade Practices Act.

Under the terms of the settlement, American HomePatient will provide monetary and non-monetary relief for class members in seven areas: complimentary credit monitoring services for 12 months; reimbursement for identity theft protection services up to $150; payment of $350 for false tax returns filed with the IRS after January 6, 2017; payment of $150 for unauthorized IRS tax transcripts requested from the IRS after January 6, 2017; an identity theft payment of $350; reimbursement for out-of-pocket expenses incurred as a result of the breach up to $500; and reimbursement for up to 3 hours of lost time at $15/hour.

Plaintiffs can submit a claim for enrollment in the Equifax Credit Watch Silver program but must submit documentation supporting claims under all other categories. Class members have until June 6, 2020 to submit their claims. The final hearing has been scheduled for June 26, 2020.

In addition to the monetary settlement, American HomePatient has agreed to implement and maintain security measures for two years which include conducting an external HIPAA risk assessment at least every two years and an annual risk analysis. American HomePatient will also maintain a head of IT to coordinate the security program for 2 years and will provide ongoing employee education on information security and protecting personally identifiable information.


Law Firm Files Class Action Lawsuit After Being Charged Excessive Fees for Copy of Patient’s Medical Records

A law firm is taking legal action against the healthcare release-of-information solution provider, Medical Records Online (MRO), for overcharging law firms and insurers for providing electronic copies of patients’ medical records.

The lawsuit was filed by Cipriani & Werner of Pittsburgh in federal court in Camden, NJ. The lawsuit relates to MRO charges for providing a copy of a patient’s medical records for a personal injury case against the retailer Kohl’s, which the law firm represents.

Cipriani & Werner obtained the medical records of the plaintiff in the suit from John F. Kennedy Medical Center, in Edison, NJ, and was charged $528 by MRO for 518 pages of the plaintiff’s medical records. The law firm was charged a $10 search fee and $1 per page, even though the records were provided electronically as a PDF file.

Cipriani & Werner alleges MRO violated the New Jersey Declaratory Judgement Act by charging unlawful fees well in excess of the maximum limit. A claim was also made under the New Jersey Consumer Fraud Act for unconscionable commercial practices, and for a breach of New Jersey common law for a breach of contract for a violation of the implied covenant of good faith and fair dealing.

The New Jersey Administrative Code allows a $10 search fee to be charged for providing copies of medical records to third parties, a charge of $1 per page, and the actual cost of postage and media for sending the records (e.g. a CD). Cipriani & Werner claims the charge should have solely consisted of a $10 search fee and no per-page fee should have been charged as the records were not printed.

The lawsuit states, “Regardless of whether MRO was providing copies of only a few pages of records or hundreds of pages, the cost to MRO of copying electronically stored records and transmitting them to the purchaser took the same amount of time and effort.” Cipriani & Werner suggests the entire process took less than 5 minutes.

The law firm Schnader Harrison Segal & Lewis of Cherry Hill, NJ, which represents MRO, maintains the fees were entirely lawful and in line with state regulations.

The lawsuit references a 2015 memo from the New Jersey State Department which forbids medical record providers from charging per-page fees for electronically transmitted copies of medical records and from applying per-page charges when records are sent to purchasers through computer equipment. However, in this case the state department memo does not apply, as the Department of Health in New Jersey does not have any authority over MRO and the memo did not go through the official rule-making process in the State of New Jersey.

The class members are primarily attorneys and insurance companies who purchased copies of electronic medical records from MRO from September 2015 to February 2020, who were similarly charged for electronic copies of medical records in civil cases. The lawsuit only names MRO, not any healthcare providers that use MRO for managing requests for medical records.


Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim.

On November 26, 2016, hackers gained access to the Care360 MyQuest mobile app, which is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach.

A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also alleged Quest Diagnostics did not provide timely, accurate, and adequate notification about the breach.

In the fall of 2019, Quest Diagnostics proposed a settlement that provided compensation for the breach victims in order to avoid further legal costs and the risks of continuing litigation. A maximum of $325 per breach victim was proposed, which reflected the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case have not admitted any wrongdoing.

The settlement received preliminary approval from a federal court judge in October 2019. Final approval was issued on February 25, 2020.

Each class member can claim up to $325, comprising up to $250 to cover provable out-of-pocket expenses incurred as a result of the breach, plus a further $75 that can be claimed by each patient whose HIV test results were exposed, even if the patient did not incur any losses. Plaintiffs are required to submit a claim in order to receive a share of the settlement, and claims must be submitted by May 22, 2020.

Another class action lawsuit has been filed against Quest Diagnostics and Care360 over the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly allege the defendants were negligent for failing to protect their personal and protected health information and did not provide timely and accurate notifications.


UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach

Several lawsuits have been filed against healthcare organizations over data breaches in recent weeks, with University of Washington Medicine the latest to face legal action for exposing the protected health information of patients.

The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to a research study they were enrolled in, their health condition, and the name of a lab test that had been performed. For certain patients, sensitive information was exposed. According to the lawsuit, that included a patient’s HIV test-taking history and, in some cases, the patient’s HIV status. Social Security numbers, financial information, health insurance information, and medical records were not exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine was alerted to the breach when a patient discovered a file containing their records that had been indexed by Google. UW Medicine found and corrected the misconfiguration on December 26, 2018.

UW Medicine explained in a press release issued on February 20, 2019 that the database was accessible for a period of three weeks and UW Medicine worked closely with Google to have all indexed information removed from Google’s servers. That process was completed by January 10, 2019.

The lawsuit, filed in King County Superior Court, alleges UW Medicine was negligent and failed to properly safeguard the protected health information of its patients and did not inform patients promptly that their PHI had been exposed. The lawsuit alleges patients have suffered “real, significant, and continuing injury,” have suffered distress and loss of reputation as a result of the breach, and have been placed at an increased risk of identity theft, fraud, and abuse.

The lawsuit also references an earlier UW Medicine data breach as further evidence of inadequate information security practices: a 2013 malware infection that occurred as a result of an employee opening an infected email attachment. That incident impacted 90,000 patients.

The investigation of the breach by the HHS’ Office for Civil Rights found UW Medicine had violated the HIPAA Security Rule by failing to implement adequate policies and procedures to prevent, detect, contain, and correct security violations. In 2015, UW Medicine settled the case with OCR for $750,000 and agreed to adopt a corrective action plan that included conducting “a comprehensive risk analysis of security risks and vulnerabilities and develop an organization-wide risk management plan.”

“[UW Medicine’s] substandard security practices have now compromised nearly one million patients’ PHI, greatly exceeding the scope of the 2013 breach, in violation of its statutory and professional standard of care obligations, in breach of Plaintiffs and the Class’ reasonable expectations when they decided to form a patient physician relationship with UW Medicine, and thereby diminishing the value of the services UW Medicine provided and that its patients paid for,” argue the plaintiffs in the lawsuit.

The lawsuit seeks full disclosure about the information that was compromised, statutory damages and legal fees, and calls for UW Medicine to adopt sufficient security practices and safeguards to prevent further data breaches in the future.
