Legal News

Judge Questions Whether Website Metadata is Regulated by HIPAA

The HHS’ Office for Civil Rights released guidance in 2022 on HIPAA and website tracking technologies and confirmed that disclosures of protected health information to third parties via website tracking technologies are a HIPAA violation unless authorization has been received from patients or a valid business associate agreement is in place. OCR and the Federal Trade Commission also wrote to 130 healthcare and telehealth providers to warn them about tracking technologies on their websites, and OCR has made HIPAA violations related to website tracking tools an enforcement priority.

However, OCR’s interpretation that metadata is regulated under the Health Insurance Portability and Accountability Act has been questioned by an Illinois court in a ruling on a class action lawsuit that was filed against a healthcare provider over the disclosure of patient data via website tracking technologies.

The lawsuit – Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health – was filed in District Court for the Northern District of Illinois, Eastern Division and alleged that third-party tracking code had been placed on the defendant’s website and MyChart patient portal which resulted in the plaintiffs’ individually identifiable health information (IIHI) being disclosed to Facebook, Google, and Bidtellect for advertising purposes.

The lawsuit was initially dismissed for failure to state a claim, aside from the request for injunctive relief; an amended complaint was then filed that asserted the same 5 claims plus a further 6. The amended lawsuit alleged violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986, breach of an implied duty of confidentiality, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, violations of the Illinois Uniform Deceptive Trade Practices Act, intrusion upon seclusion, publication of private facts, trespass to chattels, breach of contract, breach of the duty of good faith and fair dealing, unjust enrichment, and violations of the Illinois Eavesdropping Act.

Rush moved to have the amended lawsuit dismissed and the court granted the motion for all counts aside from the breach of contract and Illinois Eavesdropping Act claims. The lawsuit claimed that per OCR guidance, the disclosure of IIHI to Meta, Google, and Bidtellect was a HIPAA violation; however, in the ruling dismissing the wiretapping claim, the court rejected using the HHS bulletin as a basis for assessing liability under federal wiretapping laws and also questioned whether website metadata actually qualified as IIHI.

“The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, ‘relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual,’” wrote District Judge Matthew F. Kennelly. “The type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category.”

While it is possible that information disclosed in private communications between the plaintiff and the defendant via the website was transmitted to third parties, and that the transmitted information qualifies as IIHI, the plaintiff contended that it was unreasonable to expect her to disclose in her complaint the type of intimate information she had transmitted to the defendant. “Kurowski could have requested to file the complaint under seal,” wrote Kennelly. “Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties.”

The post Judge Questions Whether Website Metadata is Regulated by HIPAA appeared first on HIPAA Journal.

Potential HIPAA Right of Access Violation Settled for $80,000

The UnitedHealthcare Insurance Company (UHIC) has agreed to settle an alleged failure to provide timely access to Protected Health Information for $80,000. The voluntary resolution agreement also requires the company to comply with a Corrective Action Plan for a minimum of a year.

In 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) launched an enforcement initiative in response to an increasing number of complaints alleging violations of 45 CFR §164.524 – the access of individuals to Protected Health Information (PHI). To date, the agency has investigated hundreds of complaints and reached settlement agreements in forty-five cases.

The latest settlement agreement relates to a complaint made against UHIC by a customer who had requested a copy of their PHI in January 2021. When the request was not responded to within the allowed time, the customer complained to OCR. The agency initiated an investigation in April 2021, but it was not until July that the customer received the PHI they had requested six months earlier.

According to the resolution agreement, when UHIC was made aware of the issue by OCR, the company conducted its own internal investigation and determined that the compliance failure was attributable to an employee oversight. Despite the company’s cooperation during the investigation, OCR concluded UHIC had failed to provide timely access to PHI in violation of 45 CFR §164.524.

In addition to settling the alleged violation for $80,000, UHIC has agreed to comply with a Corrective Action Plan for a minimum of a year. The Plan requires UHIC to revise where appropriate its policies and procedures relating to customer access requests, distribute revised policies to its workforce, and provide material change training to members of the workforce affected by the change.

The Corrective Action Plan also requires UHIC to submit quarterly reports to OCR listing the dates when access requests are received, the dates they are responded to and the fees charged to individuals. The reports will also have to provide OCR with information relating to the format of access requested, the format provided, and – if requested on paper – the number of pages provided.

In the press release accompanying the announcement of the settlement, OCR Director Melanie Fontes Rainer said:

“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement. Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”


Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action

A class action lawsuit against Meta over the disclosure of health data to the social media giant has been allowed to proceed by a federal judge. The judge issued a tentative order allowing the lawsuit to advance for several of the claims made by the plaintiffs; however, the number of claims has been reduced by around half.

The consolidated lawsuit, John Doe v Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California, alleges the plaintiffs and class members had their medical privacy violated by Facebook’s Meta Pixel tracking tool. The lawsuit alleges that Meta knew, or should have known, that the Pixel tool was being used improperly on the websites of hospitals. The lawsuit alleges at least 664 hospital systems and medical providers were sending medical information to Facebook through the Meta Pixel tool. According to the lawsuit, the improper use of the tracking tool resulted in “the wrongful, contemporaneous, re-direction to Facebook of patient communications to register as a patient, sign-in or out of a supposedly “secure” patient portal, request or set appointments, or call their provider via their computing device.” The data was then used to create and serve individuals with personalized ads.

As the HHS’ Office for Civil Rights confirmed in 2022 guidance on HIPAA and tracking technologies, these tools can only be used if there is a HIPAA-compliant business relationship with the tracking technology vendor or if valid HIPAA authorizations have been obtained. Since Meta is not a business associate and there were no HIPAA authorizations, the disclosures were impermissible under HIPAA.

Meta states in its terms and conditions that partners are required to have a lawful right to collect and share data before providing it to Meta. Meta argued that it is the responsibility of web developers to ensure that appropriate permission is obtained before Meta Pixel is used on websites and said that it explains to web developers how they can meet their legal obligations when using the Pixel tool. “There’s no statutory or common law doctrine that would allow the plaintiffs to impose liability upon Meta for the decision of third parties to send Meta data that it doesn’t want, that it has contractually barred them from sending in,” said Meta attorney Lauren Goldman.

U.S. District Judge William Orrick III denied Meta’s motion to dismiss on several counts, allowing the lawsuit to proceed for the alleged violations of federal and state wiretap laws, as the plaintiffs had sufficiently argued that Meta had not done enough to prevent the transmission of sensitive health data. Orrick found the plaintiffs had plausibly argued that the data collection occurred in California and Meta had not met its burden of proof to show that healthcare providers were given sufficient consent by Meta to collect sensitive medical information.

The extraterritoriality, Wiretap Act, California Invasion of Privacy Act (CIPA), unjust enrichment, and larceny claims were advanced; however, Orrick granted the motion to dismiss the privacy, contract, California Comprehensive Computer Data Access and Fraud Act (CDAFA), negligence per se, trespass to chattels, Unfair Competition Law (UCL), and Consumer Legal Remedies Act (CLRA) claims. The plaintiffs’ attorneys are required to refile the lawsuit, as some of the privacy claims lack sufficient detail about the types of information that were allegedly transmitted to Meta. The judge stated at the hearing on Wednesday in San Francisco federal court that a final order would be issued as soon as possible.


Advocate Aurora Health Settles Pixel Lawsuit for $12.25 Million

Advocate Aurora Health has proposed a $12.25 million settlement to resolve a consolidated class action lawsuit filed over the impermissible disclosure of patient data to third parties via tracking technologies. Advocate Aurora Health was one of the first HIPAA-regulated entities to report a Pixel-related data breach to the HHS’ Office for Civil Rights and notify patients that their protected health information had been impermissibly disclosed to unauthorized third parties via these tracking technologies.

Advocate Aurora Health had used tracking technologies such as Meta Pixel, Google Analytics, and other third-party tools on its website, patient portal, and scheduling app. The tracking tools were used to gain insights into the use of its website and app to better understand patient needs and to improve the services it provides. Advocate Aurora Health has since removed the tracking tools from its website, MyChart patient portal, and LiveWell App. The decision was taken to notify 3 million individuals that they had potentially been affected and had some of their sensitive data disclosed to third parties.

Several lawsuits were filed against Advocate Aurora Health after patient notifications were issued. The lawsuits were consolidated in the lawsuit, In Re Advocate Aurora Health Pixel Litigation. The plaintiffs/class representatives are Shyanne John, Richard Webster, Deanna Danger, James Gabriel, Katrina Jones, Derrick Harris, Amber Smith, Bonnie LaPorta, Angel Ajani, and Alistair Stewart.

The $12.25 million settlement is intended to resolve all claims from the consolidated lawsuit. 35% of the settlement amount will cover attorneys’ fees, class representatives will receive a service award of $3,500 each, and the remainder of the settlement will cover claims from class members, which will be paid pro rata. Claims will be accepted from individuals who had their information disclosed via the tracking tools between October 24, 2017, and October 22, 2022.

The settlement has received preliminary approval but will need final approval from the court. Class members will have the opportunity to object to or exclude themselves from the settlement. The final fairness hearing has not yet been set.


Performance Health Technology Facing Class Action Lawsuits Over MOVEit Cyberattack

Performance Health Technology (PH Tech), an Oregon-based provider of data management services to health insurers, is being sued by individuals who had their protected health information (PHI) compromised in a recent cyberattack. The attack on PH Tech was conducted by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The vulnerability was exploited on May 28, 2023, and Progress Software informed PH Tech about the flaw on June 2. The review of the affected files revealed that the data of several of its clients was stolen, including that of the Oregon Medicaid coordinated care organization, Health Share of Oregon.

The compromised information varied from individual to individual and included names, dates of birth, Social Security numbers, addresses, member ID numbers, plan ID numbers, email addresses, authorization information, diagnosis codes, procedure codes, and claim information. PH Tech explained in its notification letters that access to the platform was disabled as soon as the vulnerability was discovered, the patch was applied when it was released by Progress Software, and the MOVEit platform was rebuilt to prevent further unauthorized access.

PH Tech was one of hundreds of companies to have the vulnerability exploited. The Clop hacking group is known to have attacked at least 677 companies by exploiting the vulnerability, and the records of more than 42 million individuals were stolen in the attacks. The vulnerability was discovered and exploited by the Clop group before it was known to Progress Software, and no patch was available at the time the vulnerability was exploited.

At least two lawsuits naming PH Tech as a defendant have now been filed in District Court in Oregon in response to the data breach: Ballard v. Performance Health Technology, Ltd. and Malo v. Performance Health Technology, Ltd. The Ballard lawsuit names PH Tech customer Jordinn Ballard as the plaintiff, and the Malo lawsuit names Katelin Malo as plaintiff, individually and as the natural parent and next friend of K.J., a minor, along with Corrinna Reed and Joann Kindred.

The lawsuits both allege PH Tech was negligent for failing to secure the personally identifiable information (PII) and personal health information (PHI) of the plaintiffs and class members and for failing to comply with industry standards for protecting information systems. The Ballard lawsuit claims PH Tech failed to monitor its servers for potential security issues, and the Malo lawsuit claims that PH Tech’s lax security was a violation of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules and a violation of FTC guidelines.

In addition to negligence, the Malo lawsuit alleges negligence per se, breach of implied contract, unjust enrichment, and violations of the Oregon Unfair Trade Practices Act. The lawsuit also seeks an order from the court requiring PH Tech to improve data security, including engaging third-party security auditors to conduct testing, penetration testing, and audits of PH Tech’s systems, run automated security monitoring, train its staff, and improve access controls and firewalls.

The lawsuits claim that the plaintiffs’ sensitive data is in the hands of cybercriminals and that they face imminent and ongoing harm from the misuse of their data and will need to monitor their financial and personal records for years to come. Both lawsuits seek class action status, a jury trial, and damages in excess of $5 million.


Tampa General Hospital Sued over 1.2 Million Record Data Breach

Tampa General Hospital (TGH) is being sued over a data breach in which hackers gained access to the sensitive data of up to 1.2 million patients. The data breach, one of the largest healthcare data breaches to be experienced in Florida, prompted Senator Rick Scott (R-FL) to write to the FBI and request the investigation of the incident be prioritized to bring the perpetrators to justice.

TGH said the breach investigation confirmed that hackers had access to its network between May 12 and May 30, 2023, and exfiltrated files containing patient information. Those files included names, contact information, dates of birth, Social Security numbers, and health insurance information. The security breach was detected on May 31, 2023. The lawsuit was filed by the law firm Morgan & Morgan and alleges TGH failed to implement appropriate security measures to safeguard the confidentiality, integrity, and availability of patients’ protected health information, and that as a result of TGH’s “cavalier attitude toward cybersecurity and patient privacy,” hackers were able to steal highly sensitive patient information. The lawsuit also takes issue with the time taken to detect the breach and alert patients: hackers had access to the network for 19 days prior to detection, and TGH waited until July 19, 2023, to issue notifications to the affected individuals.

The lawsuit was filed on behalf of three plaintiffs and other individuals similarly affected by the data breach. The plaintiffs have chosen to remain anonymous and one of the plaintiffs claims to have already fallen victim to identity theft as a result of the data breach. The lawsuit also points out that this is not the first data breach to have occurred at TGH. TGH experienced a data breach in 2014 which was reported to the HHS’ Office for Civil Rights as an unauthorized electronic medical record access incident affecting 675 patients.

The lawsuit alleges negligence, invasion of privacy, unjust enrichment, breach of fiduciary duty, and breach of confidence and seeks damages, restitution, and injunctive relief. The law firm issued a statement about the lawsuit, which was recently filed in Hillsborough County. “It is our hope that this lawsuit will not only secure justice and accountability for the patients whose privacy and peace of mind have been irrevocably violated, but also will spur Tampa General Hospital to take additional steps to protect their patients’ privacy in a manner appropriate for the current climate of cyber-attacks.”


Norton Healthcare Facing Class Action Lawsuit Over BlackCat Cyberattack

Norton Healthcare, a Kentucky-based operator of more than 140 clinics and hospitals in Kentucky and Southern Indiana, is facing a class action lawsuit over a May 2023 cyberattack and data breach. Norton Healthcare has only disclosed limited information about the attack; however, the BlackCat ransomware group announced that it was behind the cyberattack and leaked some of the data stolen from Norton Healthcare on its data leak site. The stolen information included names, addresses, email addresses, dates of birth, Social Security numbers, government identification numbers, driver’s license numbers, payment/financial institution information, health insurance providers, medical treatment information, medical diagnoses, medications, medical images, and lab test results. The breach was reported to the HHS’ Office for Civil Rights as affecting 501 individuals, a placeholder figure, as the number of affected individuals has yet to be determined.

On July 21, 2023, a class action lawsuit was filed in U.S. District Court on behalf of plaintiff Lanisha Malone and similarly situated individuals who had their sensitive data stolen in the attack. Malone was employed by Norton Healthcare between 2015 and 2022 and claims her sensitive information was stolen and attempts have already been made to misuse that information. Malone was contacted by her bank in relation to a suspicious $1,500 charge on her debit card, which was blocked by her bank, but she has also received multiple letters and phone calls about car payments that she does not owe. She claims to spend two hours each week monitoring her accounts and credit reports for suspicious activity and said the attempted fraud has caused her great anxiety and stress due to fears about her personal and financial safety.

Despite the attack occurring on May 9, Malone claims not to have been notified by Norton Healthcare about the data breach and that Norton Healthcare has not provided any explanation as to why notification letters have not been issued to any of the victims. Norton Healthcare’s website notification says the investigation is ongoing and that it is close to restoring all operations.

The lawsuit seeks class action status, a jury trial, compensatory damages, and an order from the courts requiring Norton Healthcare to issue notifications to all affected individuals and update its security solutions to better protect patient data. The lawsuit also seeks 10 years of credit monitoring services for all victims of the breach.


VUMC Faces Lawsuit Over Disclosure of Medical Records of Transgender Patients to State AG

Vanderbilt University Medical Center (VUMC) in Nashville, TN, has confirmed that the medical records of transgender patients have been provided to Tennessee Attorney General, Jonathan Skrmetti, in connection with an investigation of medical billing fraud.

According to AG Skrmetti’s Chief of Staff, Brandon Smith, the medical records were requested as part of an investigation into medical billing fraud focused on VUMC and related healthcare providers, rather than on patients. The AG’s office has not explained the nature of the fraud investigation, in order to protect the integrity of the investigative process.

VUMC has provided gender-affirming care to minors since 2018 and typically performs around 5 surgeries a year. VUMC said all procedures, none of which were genital procedures, were performed on minors over 16 years of age with parental consent. On Tuesday this week, VUMC confirmed that it provided patient records to the state Attorney General after receiving two civil investigative demands (CIDs), a move that has resulted in considerable backlash from the LGBTQ+ community. “The Tennessee Attorney General has legal authority in an investigation to require that VUMC provide complete copies of patient medical records that are relevant to its investigation. VUMC was obligated to comply and did so,” said VUMC spokesperson John Howser.

Concerns have been raised about the disclosures in light of the soon-to-be-introduced ban on gender-affirming care for minors in Tennessee. The state law is due to take effect on July 1, 2023, and will prevent doctors from providing gender-affirming care to individuals under the age of 18. The law was challenged and the ban was partially blocked, leaving the prohibition on surgical procedures for minors in place but allowing puberty blockers and hormone therapies to be prescribed; the 6th Circuit Court of Appeals then lifted that block, reinstating the ban on all gender-affirming care for minors.

Since the VUMC announcement, several individuals have taken to social media platforms alleging the medical record disclosures violated HIPAA and patient privacy. HIPAA places restrictions on disclosures of medical records but permits disclosures in response to “an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.” In such cases, the information provided must be relevant to the inquiry, and identifiable information may be disclosed only if de-identified information could not reasonably be provided instead. VUMC has not confirmed how many records were disclosed in response to the CIDs but said the records requested by the Attorney General dated back to 2018 and that the patients concerned had been enrolled in TennCare insurance plans. The individuals concerned were notified by VUMC that their records had been provided to the state Attorney General as part of a civil investigation.

HIPAA permits but does not require healthcare providers to disclose patient data in response to such requests, and VUMC has been criticized for not taking a stand, although refusing the request would likely only have delayed the disclosures. The affected patients fear that, regardless of the outcome of the fraud investigation, the Attorney General’s office will still hold a list of individuals who have received gender-affirming care. Brandon Smith expressed concern about VUMC’s decision to make the disclosures public knowledge, stating “We are surprised that VUMC has deliberately chosen to frighten its patients like this,” and claimed the VUMC investigation has been running since September 2022 and that VUMC has been providing information pertinent to the investigation since December 2022.

The medical record disclosures have prompted a class action lawsuit by two of the affected patients who allege VUMC was aware that the state has been targeting the transgender community, yet still provided patient records to the Attorney General and violated the HIPAA Rules by doing so. The lawsuit claims VUMC disclosed the information of 106 individuals, including individuals “on the state employees’ health plan and their family members, and people who receive their health care through TennCare,” as well as the information of some individuals who were not VUMC Transgender Health Clinic patients. According to the lawsuit, an additional CID was issued for all communications between VUMC’s Dr. Melissa Ciperski and others working at Centerstone regarding or related to a potential gender dysphoria diagnosis of a person receiving mental health treatment at Centerstone.

The lawsuit, filed by the law firm Herzfeld, Suetholtz, Gastel, Leniski & Wall, and Abby Rubenfeld, takes issue with the amount of data provided, which included highly sensitive health information including photographs of genitalia, private communication with clinicians, sexual histories, and the identities of intimate partners, and the failure to provide de-identified information in response to the CIDs.


OSHA Issues Final Rule Requiring Employers in High-Hazard Industries to Submit Annual Injury and Illness Data

On July 17, 2023, the Occupational Safety and Health Administration (OSHA) issued a final rule that requires employers in certain high-hazard industries to electronically submit data from their Log of Work-Related Injuries and Illnesses (Form 300) and Injury and Illness Incident Report (Form 301). The requirement for electronic submission of information from Form 300A – Summary of Work-Related Injuries and Illnesses – has been retained in the final rule and will continue to apply to organizations with 20-249 employees in certain high-hazard industries and to organizations with 250 or more employees in industries that are required to routinely keep OSHA injury and illness records. The new requirements apply to establishments covered by federal OSHA as well as those covered by states with their own occupational safety and health programs.

High-hazard industries include ambulatory health care services, general medical and surgical hospitals, psychiatric and substance abuse hospitals, specialty hospitals, nursing care facilities, residential intellectual and developmental disability, mental health, and substance abuse facilities, continuing care retirement communities, and assisted living facilities for the elderly, and other residential care facilities.

From January 1, 2024, employers with 100 or more employees in high-hazard industries must submit their work-related injury and illness data and their injury and illness reports once a year. OSHA has confirmed that, from Forms 300 and 301, it will not collect employee names or addresses, names of health care professionals, or the names and addresses of facilities where treatment was provided if that treatment was provided away from the work site.

OSHA will start publishing data from these submissions on its website so that employers, employees, current and potential customers, researchers, and the general public can find out about an organization’s workplace safety and health record and make informed decisions about employment and about whether to do business with those organizations. The publication of safety and health information is expected to help reduce injuries and illnesses in the workplace.
