Legal News

Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case

Posted by HIPAA Journal

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data.

In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud.

Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network.

The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door open to hackers. FTC chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach.” A financial penalty was therefore appropriate.

Under the terms of the settlement, Equifax has committed to pay up to $700 million and is required to implement a much stronger cybersecurity program. The company must undergo annual security audits and submit to external data security audits every two years. Any third party that is provided with access to Equifax’s consumer data must also be vetted to ensure they also have appropriate data security measures in place.

The settlement includes a $300 million fund to provide monetary relief to victims of the breach. The fund will be used for credit monitoring services and to cover victims’ out of pocket expenses that have arisen from the breach. A further $125 million must be added to the fund if the $300 million is not sufficient to cover all of the claims. Claims have been capped at $20,000 per person.

The Consumer Financial Protection Bureau (CFPB) will receive $100 million in civil penalties and $175 million will be split between the 48 states, Washington D.C., and Puerto Rico. From 2020, Equifax must provide consumers with 6 free credit reports a year for the next 7 years, in addition to the three years already provided.

The settlement is certainly sizeable, but there has been considerable criticism of the level of the fine. Many believe the penalty is not nearly severe enough for a publicly traded company the size of Equifax, especially considering the breach exposed the data of almost half of all Americans.

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” said Rep. Frank Pallone, (D-N.J), Chairman of the House Energy and Commerce Committee. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

“We don’t have a general privacy legislation like the GDPR in Europe. Our authority is actually pretty limited in privacy,” said FTC Chairman Joseph Simons. “We can’t go out and tell companies, ‘You can’t collect this, you can’t use it this way, you can’t use it that way.”

Equifax is pleased to have finally resolved the case. Equifax CEO Mark Begor said the settlement is a positive step for U.S. consumers and Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

In addition to the $700 million settlement, Equifax was fined £500,000 by the UK Information Commissioner’s Office – The maximum fine permitted prior to the introduction of GDPR. Had the breach occurred a year later, the fine could have been as high as 4% of the company’s global annual turnover.

Equifax announced in Mary 2019 that so far the company has spent $1.4 billion remediating the breach, updating its computer systems, and strengthening security.

The post Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case appeared first on HIPAA Journal.

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine

Posted by HIPAA Journal

The GDPR data protection authority in the Netherlands –  Authoriteit Persoonsgegevens – has issued its first GDPR data breach fine to Haga Hospital in the Hague. Haga Hospital has been fined $460,000 ($516,000) for security failures that contributed to a privacy breach in 2018.

The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated.

In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’.

The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing log files to identify unauthorized data access. The lack of appropriate security measures to protect personal data was in violation of GDPR requirements and a fine was deemed necessary. The hospital will now be monitored to make sure that security is improved. Further fines will be issued if security is not brought up to the standards demanded by GDPR.

The hospital has been given until October 2, 2019 to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.

Last year, a similar fine was issued to Centro Hospitalar Barreiro Montijo in Portugal by the Portuguese data protection authority. The hospital had also failed to secure records and prevent unauthorized access from within the hospital. The Portuguese hospital was fined €400,000 for its security failures.

The post Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine appeared first on HIPAA Journal.

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

Posted by HIPAA Journal

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019.

The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records.

Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden.

The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies and procedures to make sure they are compliant with the new rules.

The main purpose of the new rules is to improve patient rights and make it easier – and quicker – for patients to obtain copies of their health information and access to their EHRs.

As required by HIPAA, patients must be provided with a copy of their medical records on request within 30 days of the request being received. Under the new rules in Idaho, access to EMRs must be provided within 3 days of the request being received. The copy must also be provided in a readily readable format on a popular portable media storage device.

HIPAA limits the amount that can be charged for providing patients with copies of their health information. The new Idaho rules further protect patients by only permitting hospitals to charge a reasonable fee for labor and restricting the charges for copies to the cost of copying at the local library.

A patient’s right to privacy has been further protected. Patients have the right to privacy when personal care is being provided, which extends to continuous observation and video and audio monitoring of patients. As of July 1, 2019, hospitals are not permitted to record video or audio, except in common areas, without first obtaining written consent from the patient. Those recordings must then be included in a patient’s medical record.

The new rules also cover notices of discontinuation of care, advance directives, obtaining and documenting informed consent, patient safety, patient grievances, restraint and seclusion, and law enforcement restraints.

The post Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules appeared first on HIPAA Journal.

Premera Blue Cross Settles Multi-State Action for $10 Million

Posted by HIPAA Journal

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general.

The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of sensitive data and how the attack went undetected for almost a year.

The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The investigators determined that Premera Health violated HIPAA by failing to meet minimum standards for security.

This was not an oversight. Premera Health had been repeatedly told by its own auditors that its security program was inadequate. The risks of a data breach were accepted without any corrections being made to address vulnerabilities.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir S. Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

In addition to the financial penalty, Premera Blue Cross is required to implement further security controls to ensure the electronic protected health information of its plan members is better protected. Annual cybersecurity reviews must also be conducted by a third-party cybersecurity expert and data security reports must be sent to the attorneys general.

Premera Blue Cross must also hire a CISO with experience in HIPAA compliance and data security who will be responsible for implementing and maintaining Premera Health’s security program. The CISO is required to attend regular meetings with executive management and must meet with the CEO at least every 2 months. The CISO is also required to report any network breaches within 48 hours of discovery.

It has been an expensive four weeks for Premera Blue Cross. Last month, Premera Blue Cross agreed to pay $74 million to settle a class action lawsuit filed by plan members affected by the breach.

The post Premera Blue Cross Settles Multi-State Action for $10 Million appeared first on HIPAA Journal.

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

Posted by HIPAA Journal

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students.

The student, who is identified as J.M.A in the lawsuit, claims his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images.

The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool.

J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A’s x-rays and how many of those individuals disclosed what they saw to others.

J.M.A is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The Giatras Law Firm, and is seeking compensatory and punitive damages.

Three motions to dismiss the lawsuit have been submitted by the defendants Cabell Huntington Hospital; Marshall University Joan C. Edwards School of Medicine and Marshall University Board of Governors; and Radiology Inc.

They are seeking to have the case dismissed as it was not filed in the proper venue and because they say the plaintiff failed to state a claim on which relief can be granted.

PHI Exposed in Break in at Pardee UNC Health Care

Pardee UNC Health Care is notifying certain patients that some of their PHI has potentially been compromised during a break in at its facility at 2029 Asheville Hwy, Hendersonville, NC. The break-in was discovered on May 9, 2019. Thieves gained entry to the basement of the building and stole electronic equipment.

No electronic protected health information was exposed as the computers did not have hard drives, but while searching the basement a stack of 590 Federal Drug Testing Custody and Control forms were found. The forms contained names, phone numbers, birth dates, social security numbers, employers’ name, driver’s license numbers, and results of the drug screening test and dated from October 2003 to December 2004.

Officials at Pardee did not find any evidence to suggest information had been viewed or stolen, but the stack of files had been moved to a place where they would have been in full view of the thieves as they entered the basement, so there is a possibility that PHI has been compromised.

All files have now been removed from the basement and are in a secure storage facility. Pardee UNC had previously stored paperwork in several locations. The paperwork has now been retrieved and been moved to a single, secure storage facility.

“We are reviewing existing employee training and record retention protocols and policies and will reinforce and revise as needed, said Jennifer Melia, Compliance & Privacy Officer for Pardee UNC Health Care.

UNC Health Care is offering 12 months of free credit monitoring protection services to affected individuals. It is unclear how many individuals have been affected.

The post Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool appeared first on HIPAA Journal.

UChicago Accused of Illegally Sharing Patient Data with Google

Posted by HIPAA Journal

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization.

UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of study aimed to advance the use of artificial intelligence, but patient authorization was not obtained in advance and data were not properly deidentified.

In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients.

The HIPAA Privacy Rule does not prohibit such disclosures, but prior to patient health information being disclosed, patients must either give their consent or protected health information must first be de-identified – Stripped of the 18 identifiers that allow protected health information to be tied to a particular patient.

The lawsuit was filed by a former patient of UChicago Medicine, Matt Dinerstein, who had been admitted to UChicago Medicine on two occasions in June 2015.

In the lawsuit, Dinerstein claims that huge quantities of patient data were provided to Google without authorization from patients and that patient information was not correctly deidentified. Currently, Dinerstein is the only plaintiff named in the lawsuit, but the suit will be expanded to a class action should other patients come forward.

According to a spokesperson for UChicago Medicine, the claims in the lawsuit are “without merit” and no information was shared with any third-party in violation of HIPAA or other regulations protecting patient privacy.

While several hospitals participated in the study and supplied patient data to Google, UChicago data differed as it contained time stamps and information about when patients were admitted and discharged from hospital.

Google confirmed in a 2018 research paper on scalable and accurate deep learning for electronic health records that medical record data had been obtained from UChicago Medicine and that all data were deidentified, but dates of service were included in the data set.

Since Google already holds vast quantities of data on individuals, it could potentially tie the UChicago Medicine data to other information to re-identify patients.

The lawsuit claims that since Google acquired DeepMind in 2014, the company has the machine learning technologies to be able to tie medical records to personal information in Google User accounts, although no evidence has been obtained by the law firm to suggest Google has misused any patient data.

“We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over,” said Jay Edelson, founder of Edelson PC, a law firm that specializes in class action lawsuits against tech companies.

The post UChicago Accused of Illegally Sharing Patient Data with Google appeared first on HIPAA Journal.

Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Posted by HIPAA Journal

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm.

Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017.

Kalina accessed the records of friends, old classmates, and individuals that she had an aggrievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction.

Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about the moan to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical information of the new office manager and one other Zottola employee was disclosed.

Zottola informed UPMC and Kalina was terminated. She was later hired by Allegheny Health Network where she is alleged to have continued to access patient records without authorization. In total, Kalina accessed the records of 111 patients without authorization.

Kalina took responsibility for her actions but claimed she was going through a difficult time in her life and had health issues. She also claimed she was not aware she was breaking the law and thought she was not prohibited from looking at patient files. Kalina and her legal team were seeking probation due to Kalina’s ongoing family commitments.

Prosecutors argued Kalina had been provided with HIPAA training and was aware that she was breaking the law and to claim ignorance of that was ‘a complete farce.” The U.S. attorney’s office sought a jail term of between 6 and 12 months.

At sentencing, U.S. District Judge Arthur Schwab opted for a jail term at the top end of that scale as the crime was particularly ‘egregious.’ Kalina was sentenced to 12 months in jail followed by 3 years of probation. During that time frame Kalina is not permitted to have any contact with any of the 111 victims.

The post Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation appeared first on HIPAA Journal.

AMCA Parent Company Files for Chapter 11 Protection

Posted by HIPAA Journal

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection.

The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected.

The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response.

The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach notification letters. Fuchs explained in the court filing that the firm had incurred “enormous expenses that were beyond the ability of the debtor to bear.”

Retrieval-Masters was formed in 1977 by Russell Fuchs and was initially focused on small-dollar debt collections for direct mail marketers but has since moved into patient receivables. The company now helps companies recover non-medical and medical debt. Retrieval-Masters stated in the filing that it had reduced staff numbers from 113 to 25 at the end of 2018.

The Chapter 11 filing in the Southern District of New York stated the company is seeking to liquidate assets and liabilities as high as $10 million to cover the rising costs of the cyberattack.

The filing also sheds some light on how the breach was detected.

The breach was first reported on databreaches.net, which had been contacted by researchers at Gemini Advisory who had identified a batch of stolen credit cards and Social Security numbers on a darknet marketplace. Gemini Advisory analysts were able to tie the data to AMCA and issued a notification.

The filing stated AMCA learned about the breach after being notified that a large number of credit cards tied to its payment portal had been used to make fraudulent purchases.

There are still many questions that have not yet been answered related to how access was gained to the payment page and whether the breach was the result of cybersecurity failures. Several state attorneys general have written to AMCA demanding answers.

The post AMCA Parent Company Files for Chapter 11 Protection appeared first on HIPAA Journal.

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

Posted by HIPAA Journal

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefender, Deanna Mortensen, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefender after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.

The post Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach appeared first on HIPAA Journal.