Legal News

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a sexual assault victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital.

According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties.

Against the patient’s wishes, and in violation of the HIPAA Privacy Rule, a female X-ray technician at the hospital disclosed information about the examination to her attacker. The X-ray technician also told the man that he had been accused of sexually assaulting the patient.

Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

A complaint was filed with the hospital over the privacy violation and an internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorized accessing of her medical records and interviews were conducted with staff members.

No evidence was uncovered to suggest the woman’s electronic medical records had been accessed inappropriately, but the hospital concluded the X-ray technician had viewed the woman’s medical information in the hospital’s health information department. The hospital confirmed to the woman that the X-ray technician was not part of her care team and was not authorized to view her records.

The hospital apologized for the privacy breach and reviewed and updated its policies and procedures to reduce the risk of further incidents of this kind.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, details of the former employee’s conduct were not disclosed to Cushing Hospital and a positive review was provided. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the former employee’s prospective new employer.

Hospital CEO John Jacobson issued a statement to the Atchison Globe, saying “Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual’s employment.”

The lawsuit accuses the hospital of having inadequate policies in place to protect against the unauthorized accessing of patient information and claims the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The lawsuit seeks punitive damages.

The post Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker appeared first on HIPAA Journal.

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc., have been charged by the U.S. Department of Justice.

Fujie Wang, 32, and an unnamed man have been charged in a four-count indictment in relation to the Anthem cyberattack and the theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment, the international hacking scheme saw Wang and other members of the hacking group conduct highly sophisticated cyberattacks on businesses starting in February 2014. Those attacks continued until at least January 2015.

The attacks started by sending spear phishing emails to employees of the targeted businesses. Those emails contained hyperlinks to a malicious website. When the links were clicked, they triggered the download of a file containing a malware downloader. When the file was executed, a backdoor was installed in the system that gave the hackers access to the business network through a server controlled by the hackers. Wang has been accused of registering two domains that were used for the spear phishing attack and for communicating with the malware.

After gaining access to business networks, the hackers moved laterally searching for information of interest, in some cases waiting months before proceeding with the attack. In the case of the attack on Anthem, its systems were accessed on multiple occasions between October and November 2014. The aim was to find sensitive business information and the personally identifiable information of its plan members, according to the indictment.

Once sensitive data had been identified, it was combined into encrypted archive files and was exfiltrated through a variety of computers to destinations in China. The vast quantities of data were exfiltrated from Anthem on multiple occasions in January 2015. After data was exfiltrated, the hackers deleted the archive files in an attempt to avoid detection. The attacks on the other businesses were linked to Wang via the two domains used in the Anthem attack.

The FBI was able to launch an investigation promptly because the attacked companies reported the breaches to the FBI, and their continued cooperation with the investigation allowed the FBI to identify the individuals behind the cyberattacks.

The speed at which Anthem notified the FBI about the attack was a key factor in being able to determine who was responsible for the breach. FBI Special Agent in Charge Grant Mendenhall said “[This] should serve as an example to other organizations that might find themselves in a similar situation.”

Assistant Attorney General Benczkowski said “The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”


Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled.

The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The man alleges the impermissible disclosure to his ex-wife was the reason that attempt failed.

The man complained to Costco about the privacy violation and received a letter in reply stating the pharmacist had violated Costco policies and HIPAA Rules by disclosing details of the prescription to his ex-wife. The man subsequently sued Costco alleging a variety of tort claims relating to the failure to cancel the prescription and the privacy violation, but the lawsuit was dismissed by the trial court.

The ruling was appealed and was partially overturned by the Arizona Court of Appeals. Presiding Judge Jennifer M. Perkins reversed the decision on the negligence and punitive damages claims, but affirmed the dismissal of all other claims.

Judge Perkins ruled that Costco had a duty of care to the plaintiff arising from Costco’s privacy policies and HIPAA laws and that the duty of care was breached. The overturning of the trial court ruling will see the case returned to a lower court for further proceedings.

There is no private cause of action in HIPAA, so it is rare for lawsuits to be filed over HIPAA violations. In most cases where patient privacy has been violated and legal action is taken, lawsuits are filed for violations of state laws. The ruling is the first in the state of Arizona to accept a negligence claim based on violations of HIPAA Rules.

“HIPAA does not preempt state-law negligence claims for wrongful disclosure of medical information. Accordingly, we hold HIPAA’s requirements may inform the standard of care in state-law negligence actions just as common industry practice may establish an alleged tortfeasor’s duty of care and to the extent such claims are permitted under [state law] A.R.S. § 12-2296,” wrote the Judge in her ruling.


Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach.

The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach.

The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed.

Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI.

For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and medications. Certain patients also had their Medicare number, health insurance information, and/or Social Security number exposed. At the time of issuing notifications – April 8, 2019 – to affected patients, Baystate Health had not been able to confirm whether PHI had been viewed or copied, but no reports had been received to suggest any PHI had been misused.

As a precaution against identity theft and fraud, individuals whose Social Security number was exposed were offered 12 months of credit monitoring and identity theft protection services at no cost.

Baystate Health has taken steps to improve email security and prevent further data breaches from occurring. Those steps include providing further training for employees, with a specific focus on improving resilience to phishing attacks. Controls have also been implemented to prevent email account access from outside the organization, and the frequency of email logging and log reviews has been increased.

Typically, class action lawsuits seeking damages for the exposure of PHI are only successful when it can be established, on the balance of probabilities, that harm has been suffered as a direct result of a data breach. Only in Illinois is it not necessary to establish harm has occurred as a result of the exposure of personal information for lawsuits to have standing.

“This isn’t the first time the medical center allowed confidential information to be accessed,” explained Chrisanthopoulos. “This is unconscionable, and we need to send a message that this cannot happen again.”

Baystate Health had experienced a similar phishing attack in 2016. In that incident, five employee email accounts were breached and the PHI of 13,112 patients was exposed.


New Washington Breach Notification Law Unanimously Passed by Legislature

A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days.

Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number.

The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements:

  • Full date of birth
  • Military ID numbers
  • Biometric data
  • Passport ID numbers
  • Student ID numbers
  • Medical histories
  • Health insurance ID numbers
  • Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed.
  • Keys for electronic signatures

With the exception of online account credentials, the new data elements could be classed as personal information even if they are not combined with an individual’s first and last name.

Notifications will need to be issued if one or more of the above data elements is compromised and has not first been made unusable – through encryption – and if the breach of that information is reasonably likely to place an individual at risk of harm.

The timescale for issuing notifications has been reduced from 45 days to 30 days after the discovery of a breach, although notifications should be issued in the most expedient time possible and without unreasonable delay. A notification must also be sent to the state Attorney General within the same timeframe.

As is the case in California, the new data breach notification law stipulates the information that must be included in breach notification letters. The letters must state the date of the breach, the discovery date, its duration (if known), and the types of information that were compromised or exposed. The Attorney General notification must also include the number of state residents affected (or an estimate if the actual number is not known) and the steps that have been taken to contain the breach.

Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with the new breach notification law if they are in compliance with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.


Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of information sought by identity thieves: names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drives were stolen, Washington State University maintains there are no indications that any data stored on the devices has been accessed or misused. Some of the plaintiffs named in the lawsuit alleged they have suffered identity theft or fraud as a result of the breach, but the university maintains that such cases were not the result of the stolen hard drives. The decision was taken to settle the lawsuit to save money. The settlement, while high, is believed to be far lower than the continued cost of legal action.

In January 2019, a settlement of $5.26 million was agreed by the WSU Board of Regents. While the final settlement is lower, it does not include the cost of credit monitoring and identity theft protection services for individuals impacted by the breach. In addition to the settlement amount, Washington State University will cover the cost of two years of credit monitoring and identity theft protection services for up to 1,193,190 individuals impacted by the breach.

The final cost will depend on the number of individuals who submit claims. WSU will accept claims up to $5,000 from individuals impacted by the breach to cover out-of-pocket expenses and lost time, provided those costs can be proven. The fund for covering those claims is $3.5 million. If that total is exceeded, claim amounts will be reduced pro rata. Approximately $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will cover administrative costs. Washington State University was covered by a cyber-liability insurance policy which will cover the settlement.

The university has also agreed to update policies and procedures and enhance security. Backup data will now be stored in a more secure location, data security assessments and audits will be conducted regularly, and additional training will be provided to staff. IT contracts in relation to the research project will be cancelled, those functions will be handled in house, and archived data from the research project will be permanently destroyed.

The settlement highlights the importance of using encryption to protect stored data, especially data stored on portable electronic devices. If an encrypted device is lost or stolen, the data cannot be accessed without the key, and such an incident would not be classed as a reportable breach.


Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed, and 81 women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit. Hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.


National Board of Examiners in Optometry Agrees to Settle 2016 Data Breach Lawsuit for $3.25 Million

A settlement has been reached to resolve a class action lawsuit filed on behalf of victims of an alleged data breach at the National Board of Examiners in Optometry (NBEO) in 2016.

In the summer of 2016, hackers gained access to the sensitive information of optometrists and students, although it is unclear how the hackers obtained sensitive information and what database or system was hacked.

Breach investigations did not uncover any evidence of unauthorized access to any databases containing sensitive credentials. The American Optometric Association (AOA), American Academy of Optometry (AAO) and NBEO all investigated the breach and claimed, and still do, that they were not the source of the breach.

A breach certainly occurred as several optometrists and students had received Chase Amazon Visa credit cards in the mail that they had not applied for and many had credit card applications pending.

Following the breach, legal action was taken by 13 doctors of optometry who claimed the targeted information was still available. The cases were consolidated, but were thrown out as the breach could not be traced to NBEO and any allegations of harm were deemed speculative. However, the 4th Circuit U.S. Court of Appeals overturned the ruling of the lower court and allowed the case to proceed, ruling that it was “plausible and likely” that NBEO was the source of the breach and that it was clear that personal information had been misused.

NBEO still disputes it was the source of the breach but has now agreed to settle the case and will make $3.25 million available to compensate the 61,000 victims of the breach. Individuals eligible for a proportion of the settlement include those whose personal information was stored by NBEO in its systems as of November 15, 2018 along with individuals who have received notification that they have been named as class members.

The settlement will provide reimbursement for documented, out-of-pocket expenses traceable to the data breach, associated professional/legal fees, and the costs of credit repair services and other charges incurred after June 1, 2016 in relation to the breach. Claims will be considered up to a maximum of $7,500.

Claims can also be submitted for reimbursement for the time spent remedying issues related to the breach, up to a maximum of $1,000 per class member.

All breach victims will be entitled to three years of three-bureau credit monitoring services at no cost and free access to identity theft restoration services, all of which will be provided through Identity Guard. Victims will also be protected by a $1,000,000 insurance policy to cover losses due to identity theft and fraud.

NBEO has also agreed to overhaul its data security measures and will be retaining a third-party security firm to conduct a risk assessment of data security, encryption will be used on personal information, and the board will no longer store Social Security numbers in its database.

The settlement has received preliminary approval and the final hearing is scheduled for July 12, 2019.


Class Action Lawsuit Filed Over UConn Health Phishing Attack

A class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018.

The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought.

The email accounts of multiple employees were compromised as a result of the attack. In total, 326,000 UConn Health patients had some of their personal and health information exposed in the breach. Most of the individuals affected by the breach only had a limited amount of PHI exposed, although approximately 1,500 patients had their name, address, date of birth, and Social Security number, and some medical information compromised.

The lawsuit alleges UConn Health was negligent for failing to protect the private information of its patients and that there was a failure to provide timely, accurate, and adequate notification of the breach. The lawsuit explains there were major deficiencies in UConn Health’s security protocols, which allowed the breach to go undetected for months. According to the lawsuit, the first email accounts were breached in August 2018, but UConn Health only detected the breach in December 2018. It then took until February 25, 2019 for patients to be informed of the breach of their PHI.

For four months the attackers had access to the accounts and could have viewed and stolen patient information. “UConn failed to recognize its systems had been breached and that intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the breach,” states the lawsuit.

The lawsuit also alleges security awareness training was inadequate and UConn Health did not teach employees how to identify a potential phishing email.

The lawsuit names Yoselin Martinez as the plaintiff and there are more than 100 putative class members who were similarly affected by the breach. The lawsuit seeks damages in excess of $5 million.

Yoselin Martinez was alerted to the breach on February 25, 2019 and checked her bank account and found that an unauthorized transaction had placed her in overdraft. She alleges the transaction was the result of the fraudulent use of her information that was stolen from UConn Health.

Plaintiffs are being represented by law firm Glancy, Prongay, & Murray LLP.
