Legal News

Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled.

The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The man alleges the impermissible disclosure to his ex-wife was the reason that attempt failed.

The man complained to Costco about the privacy violation and received a letter in reply stating the pharmacist had violated Costco policies and HIPAA Rules by disclosing details of the prescription to his ex-wife. The man subsequently sued Costco alleging a variety of tort claims relating to the failure to cancel the prescription and the privacy violation, but the lawsuit was dismissed by the trial court.

The ruling was appealed and was partially overturned in the Arizona Court of Appeals. Presiding Judge Jennifer M. Perkins reversed the decision on the negligence and punitive damages claims but affirmed the dismissal of all other claims.

Judge Perkins ruled that Costco had a duty of care to the plaintiff arising from Costco’s privacy policies and HIPAA laws and that the duty of care was breached. The overturning of the trial court ruling will see the case returned to a lower court for further proceedings.

There is no private cause of action in HIPAA, so it is rare for lawsuits to be filed over HIPAA violations. In most cases where patient privacy has been violated and legal action is taken, lawsuits are filed for violations of state laws. The ruling is the first in the state of Arizona to accept a negligence claim based on violations of HIPAA Rules.

“HIPAA does not preempt state-law negligence claims for wrongful disclosure of medical information. Accordingly, we hold HIPAA’s requirements may inform the standard of care in state-law negligence actions just as common industry practice may establish an alleged tortfeasor’s duty of care and to the extent such claims are permitted under [state law] A.R.S. § 12-2296,” wrote the Judge in her ruling.

The post Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation appeared first on HIPAA Journal.

Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach.

The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach.

The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed.

Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI.

For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and medications. Certain patients also had their Medicare number, health insurance information, and/or Social Security number exposed. At the time of issuing notifications – April 8, 2019 – to affected patients, Baystate Health had not been able to confirm whether PHI had been viewed or copied, but no reports had been received to suggest any PHI had been misused.

As a precaution against identity theft and fraud, individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

Baystate Health has taken reasonable steps to improve email security and prevent further data breaches from occurring. Those steps include providing further training for employees, with a specific focus on improving resilience to phishing attacks. Controls have also been implemented to prevent email account access from outside the organization and the frequency of email logging and log reviews has been increased.

Typically, class action lawsuits seeking damages for the exposure of PHI are only successful when it can be established, on the balance of probabilities, that harm has been suffered as a direct result of a data breach. Only in Illinois is it not necessary to establish harm has occurred as a result of the exposure of personal information for lawsuits to have standing.

“This isn’t the first time the medical center allowed confidential information to be accessed,” explained Chrisanthopoulos. “This is unconscionable, and we need to send a message that this cannot happen again.”

Baystate Health had experienced a similar phishing attack in 2016. In that incident, five employee email accounts were breached and the PHI of 13,112 patients was exposed.

New Washington Breach Notification Law Unanimously Passed by Legislature

A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days.

Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number.

The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements:

  • Full date of birth
  • Military ID numbers
  • Biometric data
  • Passport ID numbers
  • Student ID numbers
  • Medical histories
  • Health insurance ID numbers
  • Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed
  • Keys for electronic signatures

With the exception of online account credentials, the new data elements could be classed as personal information even if they are not combined with an individual’s first and last name.

Notifications will need to be issued if one or more of the above data elements is compromised and has not first been made unusable – through encryption – and if the breach of that information is reasonably likely to place an individual at risk of harm.

The timescale for issuing notifications has been reduced from 45 days to 30 days after the discovery of a breach, although notifications should be issued in the most expedient time possible and without unreasonable delay. A notification must also be sent to the state Attorney General within the same timeframe.

As is the case in California, the new data breach notification law stipulates the information that must be included in breach notification letters. The letters must state the date of the breach, the discovery date, its duration (if known), and the types of information that were compromised or exposed. The Attorney General notification must also include the number of state residents affected (or an estimate if the actual number is not known) and the steps that have been taken to contain the breach.

Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with the new breach notification law if they are in compliance with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of information sought by identity thieves: names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drives were stolen, Washington State University maintains there are no indications that any data stored on the devices has been accessed or misused. Some of the plaintiffs named in the lawsuit alleged they have suffered identity theft/fraud as a result of the breach, but the university maintains that such cases were not the result of the stolen hard drives. The decision was taken to settle the lawsuit to save money. The settlement, while high, is believed to be far lower than the continued cost of legal action.

In January 2019, a settlement of $5.26 million was agreed by the WSU Board of Regents. While the final settlement is lower, it does not include the cost of credit monitoring and identity theft protection services for individuals impacted by the breach. In addition to the settlement amount, Washington State University will cover the cost of two years of credit monitoring and identity theft protection services for up to 1,193,190 patients impacted by the breach.

The final cost will depend on the number of individuals who submit claims. WSU will accept claims of up to $5,000 from individuals impacted by the breach to cover out-of-pocket expenses and lost time, provided those costs can be proven. The fund for covering those claims is $3.5 million. If that total is exceeded, claim amounts will be reduced pro rata. Approximately $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will cover administrative costs. Washington State University was covered by a cyber-liability insurance policy which will cover the settlement.

The university has also agreed to update policies and procedures and enhance security. Backup data will now be stored in a more secure location, data security assessments and audits will be conducted regularly, and additional training will be provided to staff. IT contracts relating to the research project will be cancelled, those functions will be handled in house, and archived data from the research project will be permanently destroyed.

The settlement highlights the importance of using encryption to protect stored data, especially data stored on portable electronic devices. If an encrypted device is lost or stolen, the data cannot be accessed and the incident would not be classed as a reportable breach.

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed. A total of 81 women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit, and hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.

National Board of Examiners in Optometry Agrees to Settle 2016 Data Breach Lawsuit for $3.25 Million

A settlement has been reached to resolve a class action lawsuit filed on behalf of victims of an alleged data breach at the National Board of Examiners in Optometry (NBEO) in 2016.

In the summer of 2016, hackers gained access to the sensitive information of optometrists and students, although it is unclear how the hackers obtained sensitive information and what database or system was hacked.

Breach investigations did not uncover any evidence of unauthorized access to any databases containing sensitive credentials. The American Optometric Association (AOA), the American Academy of Optometry (AAO), and NBEO all investigated the breach, and each claimed, and still claims, that it was not the source of the breach.

A breach certainly occurred as several optometrists and students had received Chase Amazon Visa credit cards in the mail that they had not applied for and many had credit card applications pending.

Following the breach, legal action was taken by 13 doctors of optometry who claimed the targeted information was still available. The cases were consolidated, but were thrown out as the breach could not be traced to NBEO and any allegations of harm were deemed speculative. However, the 4th Circuit U.S. Court of Appeals overturned the ruling of the lower court and allowed the case to proceed, ruling that it was “plausible and likely” that NBEO was the source of the breach and that it was clear that personal information had been misused.

NBEO still disputes it was the source of the breach but has now agreed to settle the case and will make $3.25 million available to compensate the 61,000 victims of the breach. Individuals eligible for a proportion of the settlement include those whose personal information was stored by NBEO in its systems as of November 15, 2018 along with individuals who have received notification that they have been named as class members.

The settlement will provide reimbursement for documented, out-of-pocket expenses traceable to the data breach, associated professional/legal fees, and the costs of credit repair services and other charges incurred after June 1, 2016 in relation to the breach. Claims will be considered up to a maximum of $7,500.

Claims can also be submitted for reimbursement for the time spent remedying issues related to the breach, up to a maximum of $1,000 per class member.

All breach victims will be entitled to three years of three-bureau credit monitoring services at no cost and free access to identity theft restoration services, all of which will be provided through Identity Guard. Victims will also be protected by a $1,000,000 insurance policy to cover losses due to identity theft and fraud.

NBEO has also agreed to overhaul its data security measures: it will retain a third-party security firm to conduct a risk assessment of data security, encryption will be used on personal information, and the board will no longer store Social Security numbers in its database.

The settlement has received preliminary approval and the final hearing is scheduled for July 12, 2019.

Class Action Lawsuit Filed Over UConn Health Phishing Attack

A class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018.

The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought.

The email accounts of multiple employees were compromised as a result of the attack. In total, 326,000 UConn Health patients had some of their personal and health information exposed in the breach. Most of the individuals affected by the breach only had a limited amount of PHI exposed, although approximately 1,500 patients had their name, address, date of birth, Social Security number, and some medical information compromised.

The lawsuit alleges UConn Health was negligent for failing to protect the private information of its patients and that there was a failure to provide timely, accurate, and adequate notification of the breach. The lawsuit explains there were major deficiencies in UConn Health’s security protocols, which allowed the breach to go undetected for months. According to the lawsuit, the first email accounts were breached in August 2018, but UConn Health only detected the breach in December 2018. It then took until February 25, 2019 for patients to be informed of the breach of their PHI.

For four months the attackers had access to the accounts and could have viewed and stolen patient information. “UConn failed to recognize its systems had been breached and that intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the breach,” states the lawsuit.

The lawsuit also alleges security awareness training was inadequate and UConn Health did not teach employees how to identify a potential phishing email.

The lawsuit names Yoselin Martinez as the plaintiff and there are more than 100 putative class members who were similarly affected by the breach. The lawsuit seeks damages in excess of $5 million.

Yoselin Martinez was alerted to the breach on February 25, 2019 and checked her bank account and found that an unauthorized transaction had placed her in overdraft. She alleges the transaction was the result of the fraudulent use of her information that was stolen from UConn Health.

Plaintiffs are being represented by law firm Glancy, Prongay, & Murray LLP.

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach.

On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach.

Currently, laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.

If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information.

Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches similar to the one experienced by Equifax. That breach affected 143 million individuals globally and 350,000 D.C. residents.

Additionally, the Security Breach Protection Amendment Act requires companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of District residents to implement safeguards to ensure personal information remains private and confidential.

The Security Breach Protection Amendment Act also requires companies to explain to consumers the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.

In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years membership to identity theft protection services free of charge. The D.C. attorney general would also need to be notified about a breach of personal information, although the timescale for doing so is not stated in the bill.

Violations of the Security Breach Protection Amendment Act would be considered a violation of the D.C. Consumer Protection Procedures Act and could attract a significant financial penalty.

This is not the first time that Attorney General Racine has sought to increase protections for consumers in the event of a data breach. A similar bill was introduced in 2017 but it failed to be passed by the D.C. Council.

The Security Breach Protection Amendment Act must first be approved by the Mayor and D.C. Council, then it will be passed to Congress which will have 30 days to complete its review.

The update follows similar amendments that have been proposed in several states and territories over the past few months. While the updates are good news for Americans whose sensitive information is exposed, the current patchwork of state laws can be complicated for businesses, especially those that operate in multiple states.

What is needed is a federal breach notification law that standardizes data breach notification requirements and uses a common definition for ‘personal information’. Such a bill has been proposed in the House and Senate on three occasions in the past three years, but each time it has failed to be passed and signed into law.

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, that there had been a breach of contract and violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims. The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.
