Legal News

AMCA Breach Sparks Flurry of Lawsuits and Investigations

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach.

The breach was officially announced by Quest Diagnostics on June 3, 2019 through an 8-K filing with the Securities and Exchange Commission (SEC), and an SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal information of up to 20 million individuals has potentially been compromised.

The data breach at AMCA was identified by security researchers at Gemini Advisory who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The numbers included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months.

It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data, so it is no surprise that there has been a flurry of class action lawsuits filed on behalf of victims of the breach. Plaintiffs in the lawsuits claim to have been harmed as a result of the data breach.

Most of the lawsuits name one or more of the laboratories where testing occurred – Quest Diagnostics, LabCorp and BioReference Laboratories. A small number also name AMCA and the company Optum360. Optum360 was a business associate of Quest Diagnostics. Under certain circumstances, when a patient did not pay a bill, Quest Diagnostics sent the patient’s information to Optum360, which passed the data to AMCA for collection.

Several of the class action lawsuits allege negligence and breach of implied contract for failing to secure personal information. One complaint alleges the use of encryption and the adoption of national and industry standards were warranted to prevent reasonably foreseeable harm to patients, and that even though the defendants had the funds available to implement controls to prevent the breach, they failed to adequately invest in their security programs.

The lawsuits allege various violations of state laws and are seeking damages, monetary relief, and penalties to be issued over the privacy violation.

Only a small percentage of the individuals have been notified about the breach by AMCA – mostly individuals who had their financial information exposed. The healthcare organizations that provided AMCA with health information are still waiting to receive details of all individuals affected. As more notification letters are sent, it is likely that the numbers of affected individuals in these class-action lawsuits will swell and further lawsuits will be filed.

In addition to battling the class action lawsuits, all of the entities involved now face scrutiny by state and federal regulators and Congress. The breach will certainly be investigated by the HHS’ Office for Civil Rights to determine whether HIPAA Rules have been violated. So far, at least six state attorneys general – Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut – have launched investigations into the breach and have demanded answers about it.

If the investigations do uncover noncompliance with state or federal laws, financial penalties may be pursued. Already this year, state attorneys general have joined forces and filed a multi-state HIPAA lawsuit against Medical Informatics Engineering over its 2014 data breach. That breach resulted in a settlement of $900,000.

The post AMCA Breach Sparks Flurry of Lawsuits and Investigations appeared first on HIPAA Journal.

Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities

Oregon has updated its breach notification laws, broadening the definition of consumer information, updating the definition of covered entity, expanding the law to cover vendors, and has clarified how the data breach notification law applies to entities covered by HIPAA, the HITECH Act, and the Gramm-Leach-Bliley Act.

The update (Senate Bill 684) renames The Oregon Consumer Identity Theft Protection Act as The Oregon Consumer Information Protection Act, which will come into effect on January 1, 2020.

The update expands the definition of personal information to include usernames and other means of identifying a consumer that would permit access to a consumer’s account, along with any method used to authenticate a user.

The definition of covered entity has been updated to “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.”

A vendor is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

Vendors are now required to notify the covered entity of a breach within 10 days of that breach being discovered. If the vendor is a subcontractor of another vendor that deals with a covered entity, the subcontractor must notify its vendor about a breach within 10 days. Vendors are also required to send a notification to the Oregon Attorney General if a breach impacts more than 250 consumers or “a number of consumers that the vendor could not determine.”

The Oregon Consumer Identity Theft Protection Act already required covered entities to implement an information security program and reasonable safeguards to protect any data maintained, stored, managed, processed, collected, received, or otherwise acquired.

Under the new Oregon Consumer Information Protection Act, covered entities and vendors that are able to demonstrate compliance with the security requirements of federal laws such as HIPAA and the HITECH Act can use that compliance as an affirmative defense in actions and proceedings alleging noncompliance with the Oregon Consumer Information Protection Act’s requirement to maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information. That exception applies even if the types of data are covered by the Oregon Consumer Information Protection Act but are not covered by the requirements of those federal acts.

The post Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities appeared first on HIPAA Journal.

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting periods in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation that demonstrated risk analyses had been performed, so he personally conducted some basic tests of network security and made an alarming discovery: the health system shared a firewall with Coffey County municipalities. That security failure allowed anyone at a location protected by the same firewall, including schools and libraries, to log in to its system using its IP address and view patient records. No username or password was required to do so – a major security failure and a violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

The post Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts appeared first on HIPAA Journal.

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations.

The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment.

The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had a blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped.

The woman subsequently sued the hospital and the employee for violating her privacy by disclosing her health information to law enforcement.

The HIPAA Privacy Rule limits uses and disclosures of protected health information to treatment, payment, and healthcare operations, but there are exceptions. One of those exceptions is when a disclosure is made because there is a perceived serious threat to health or safety. The Privacy Rule permits such a disclosure if it is made to a person who could prevent or lessen a threat to either the patient or the public.

Under the circumstances, the disclosure was reasonable and appropriate, which is what the Supreme Court ultimately concluded, affirming the Superior Court’s judgment. The disclosure was determined to have been made in order to mitigate an imminent threat to both the patient and the public. The Court ruled that “no reasonable factfinder could determine the disclosure was for any other purpose.” The plaintiff failed to prove that the disclosure had been made for any other purpose, such as to have the patient arrested and charged.

The ruling is perfectly understandable; however, what is atypical is that the case was given standing when neither state law nor HIPAA includes a private cause of action. Patients do not have the right to sue their providers over violations of HIPAA, and Vermont law also does not give patients that right. The case was ruled to have standing under a common-law private right of action for damages.

While the lawsuit was not successful, it could be cited in other lawsuits filed by patients who allege their privacy has been violated by their healthcare providers.

The post Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation appeared first on HIPAA Journal.

$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China.

Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon.

The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members.

Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the breach.

Most of the fund will cover the cost of an additional two years of credit monitoring and identity theft protection services. Victims of the data breach will also be able to claim back provable out-of-pocket expenses relating to the breach and can claim for the time spent remedying issues related to the breach.

A cash payment of up to $50 will be available to individuals who do not submit out-of-pocket expenses claims and up to $50 can be claimed as compensation by California residents under the California Confidentiality of Medical Information Act. The fund will also cover attorneys’ fees and administrative and notification costs.

The remaining $42 million will be invested by Premera Blue Cross in its information security program over the next three years. Some of the measures that Premera Blue Cross will be implementing are encryption for sensitive types of personal information, improved data security controls, annual third-party security audits, enhanced network logging and monitoring, and the migration of certain data into archived, secure databases with strict access controls. Premera Blue Cross will also be strengthening its passwords, enhancing email security, and will reduce employee access to sensitive data.

Premera Blue Cross has already taken steps to improve security and has recently achieved HITRUST certification. HITRUST certification demonstrates the ability of the company to identify risks, protect data, detect cyberattacks, and respond to data breaches.

“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts,” said Premera’s Executive Vice President and Chief Information Officer, Mark Gregory. “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack.”

The settlement agreement will resolve the litigation with no admission of wrongdoing by Premera Blue Cross nor any acceptance that harm has been experienced by victims of the breach.

“This is a great result that will provide real and meaningful relief to the class,” said Keith Dubanevich, interim liaison counsel for the plaintiffs. A motion for preliminary approval has already been filed. The settlement now awaits court approval.

The post $74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit appeared first on HIPAA Journal.

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.


You can download the HHS Fact Sheet on direct liability of business associates on this link.


Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.


The post HHS Confirms When HIPAA Fines Can be Issued to Business Associates appeared first on HIPAA Journal.

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a sexual assault victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital.

According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties.

Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The X-ray technician also told the man that he had been accused of sexually assaulting the patient.

Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

A complaint was filed with the hospital over the privacy violation and an internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorized accessing of her medical records and interviews were conducted with staff members.

No evidence was uncovered to suggest the woman’s electronic medical records had been accessed inappropriately, but the hospital concluded the X-ray technician had viewed the woman’s medical information in the hospital’s health information department. The hospital confirmed to the woman that the X-ray technician was not part of her care team and was not authorized to view her records.

The hospital apologized for the privacy breach and reviewed and updated its policies and procedures to reduce the risk of further incidents such as this occurring.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, details of the former employee’s conduct were not disclosed to Cushing Hospital and a positive review was provided. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the former employee’s prospective new employer.

Hospital CEO, John Jacobson issued a statement to the Atchison Globe, saying “Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual’s employment.”

The lawsuit accuses the hospital of having inadequate policies in place to protect against the unauthorized accessing of patient information and claims the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The lawsuit seeks punitive damages.

The post Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker appeared first on HIPAA Journal.

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc. have been charged by the U.S. Department of Justice.

32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment, the international hacking scheme saw Wang and other members of the hacking group conduct highly sophisticated cyberattacks on businesses starting in February 2014. Those attacks continued until at least January 2015.

The attacks started by sending spear phishing emails to employees of the targeted businesses. Those emails contained hyperlinks to a malicious website. When the links were clicked, they triggered the download of a file containing a malware downloader. When the file was executed, a backdoor was installed in the system that gave the hackers access to the business network through a server controlled by the hackers. Wang has been accused of registering two domains that were used for the spear phishing attack and for communicating with the malware.

After gaining access to business networks, the hackers moved laterally searching for information of interest, in some cases waiting months before proceeding with the attack. In the case of the attack on Anthem, its systems were accessed on multiple occasions between October and November 2014. The aim was to find sensitive business information and the personally identifiable information of its plan members, according to the indictment.

Once sensitive data had been identified, it was combined into encrypted archive files and was exfiltrated through a variety of computers to destinations in China. The vast quantities of data were exfiltrated from Anthem on multiple occasions in January 2015. After data was exfiltrated, the hackers deleted the archive files in an attempt to avoid detection. The attacks on the other businesses were linked to Wang via the two domains used in the Anthem attack.

The FBI was able to launch an investigation promptly because the attacked companies reported the breaches to the FBI, and their continued cooperation with the investigation enabled the FBI to identify the individuals behind the cyberattacks.

The speed at which Anthem notified the FBI about the attack was a key factor in being able to determine who was responsible for the breach. FBI Special Agent in Charge Grant Mendenhall said “[This] should serve as an example to other organizations that might find themselves in a similar situation.”

Assistant Attorney General Benczkowski said “The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”

The post Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records appeared first on HIPAA Journal.