Legal News

D.C. Attorney General Proposes Tougher Breach Notification Laws

Posted by HIPAA Journal

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach.

On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach.

Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.

If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information.

Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches similar to the one experienced by Equifax. That breach affected 143 million individuals globally and 350,000 D.C. residents.

Additionally, the Security Breach Protection Amendment Act requires companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of District residents to implement safeguards to ensure personal information remains private and confidential.

The Security Breach Protection Amendment Act also requires companies to explain to consumers the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.

In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years membership to identity theft protection services free of charge. The D.C. attorney general would also need to be notified about a breach of personal information, although the timescale for doing so is not stated in the bill.

Violations of the Security Breach Protection Amendment Act would be considered a violation of the D.C. Consumer Protection Procedures Act and could attract a significant financial penalty.

This is not the first time that Attorney General Racine has sought to increase protections for consumers in the event of a data breach. A similar bill was introduced in 2017 but it failed to be passed by the D.C Council.

The Security Breach Protection Amendment Act must first be approved by the Mayor and D.C. Council, then it will be passed to Congress which will have 30 days to complete its review.

The update follows similar amendments that have been proposed in several states and territories over the past few months. While the updates are good news for Americans whose sensitive information is exposed, the current patchwork of state laws can be complicated for businesses, especially those that operate in multiple states.

What is needed is a federal breach notification law that standardizes data breach notification requirements and uses a common definition for ‘personal information’. Such a bill has been proposed in the House and Senate on three occasions in the past three years, but each time it has failed to be passed and signed into law.

The post D.C. Attorney General Proposes Tougher Breach Notification Laws appeared first on HIPAA Journal.

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

Posted by HIPAA Journal

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims.  The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.

The post UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million appeared first on HIPAA Journal.

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Posted by HIPAA Journal

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook.

Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

In her lawsuit, Wagner is alleged to have accessed Graziano’s medical records for a period of 37 minutes, then impermissibly disclosed some of her medical information to Wagner, who then posted the information on social media sites with intent to cause Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.

The post Northwestern Medicine Sued Over Medical Information Disclosure on Twitter appeared first on HIPAA Journal.

Lawmakers Propose Florida Biometric Information Privacy Act

Posted by HIPAA Journal

Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills (SB 1270 /HB 1153) that require all private entities to obtain written consent from consumers prior to collecting and using their biometric data.

The Florida Biometric Information Privacy Act is similar to the Illinois Biometric Information Privacy Act which was signed into law in 2008 and would require private entities to notify consumers about the reasons for collecting biometric information and the proposed uses of that information when obtaining consent. Policies covering data retention and disposal of the information would also need to be made available to the public. Private entities would also be prohibited from profiting from an individual’s biometric information and must not sell, lease, or trade biometric information.

Private entities will be required to implement safeguards to protect stored biometric information to ensure the information remains private and confidential. When the purpose for collecting the information has been achieved, or after three years following the last interaction with an individual, the data must be securely destroyed.

Biometric data is classed as any information based on an individual’s biometric identifiers that can be used to identify an individual, such as an iris/retina scan, fingerprint, voice print, or face scan. It does not include information such as handwriting samples, signatures, biological samples, medical images, or photographs. The Act would also not apply to any information captured, used, or stored by HIPAA-covered entities for the provision of treatment, payment for healthcare, or operations covered by the HIPAA Privacy Rule.

The Florida Biometric Information Privacy Act includes a private right of action which would allow consumers to take legal action against entities that have violated their privacy and recover damages of between $1,000 and $5,000 as well as reasonable attorney fees.

“This common-sense legislation will give Floridians the peace of mind to know that their most valuable information is being handled responsibly and that these private companies will be held accountable for the improper use or unauthorized distribution of their information,” explained DuBose.

If the Florida Biometric Information Privacy Act is passed, it is due to take effect from October 1, 2019.

The post Lawmakers Propose Florida Biometric Information Privacy Act appeared first on HIPAA Journal.

Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm

Posted by HIPAA Journal

A former employee of an affiliate of University of Pittsburgh Medical Center (UPMC) who was discovered to have accessed the medical records of patients without authorization has pleaded guilty to one count of wrongful disclosure of health information and now faces a fine and jail term for the HIPAA violation.

Ms. Linda Sue Kalina, 61, of Butler, PA, had previously worked as a patient care coordinator at Tri Rivers Musculoskeletal (TRM) between March 7, 2016 and June 23, 2017 before moving to Allegheny Health Network (AHN) where she worked from July 24, 2017 to August 17, 2017.

Between December 2016 and August 2017, Ms. Kalina was accused of accessing the files of 111 UPMC patients and 2 AHN patients without authorization or any legitimate work reason for doing so. According to her indictment, she also disclosed the PHI of four of those patients to individuals not authorized to receive the information.

Prior to working at TRM, Ms. Kalina had been employed at Frank J. Zottola Construction for 24 years until she was fired from the position of office manager. While at TRM and AHN, Ms. Kalina had impermissibly accessed the medical records of employees of the construction firm, including the gynecological records of the woman who replaced her.

Ms. Kalina was accused of sending an email to the company controller in June 2017 in which she disclosed the woman’s gynecological records and also left a voicemail revealing information from those records to another Zottola employee in August 2017.

Zottola contacted UPMC to complain about the privacy violation, and after an internal investigation, Ms. Kalina was fired. The HIPAA violation case was then pursued by the Department of Justice.

Ms. Kalina was indicted on six counts in the summer of 2018 in relation to wrongfully obtaining and disclosing PHI in violation of HIPAA, including disclosing PHI with intent to cause malicious harm.

In federal court, Ms. Kalina pleaded guilty to one count of wrongful disclosure of ePHI with intent to cause harm – leaving the voicemail message and admitted having accessed the medical records of more than 100 individuals without authorization.

U.S. District Judge Arthur Schwab agreed to release Ms. Kalina on bond pending sentencing on June 25, 2019. Ms. Kalina was ordered not to make contact with any of the victims and the victims were instructed not to make contact with Ms. Kalina.

Ms. Kalina faces a fine of up to $250,000 for the HIPAA violations and a sentence of up to 10 years in jail.

The post Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm appeared first on HIPAA Journal.

New Jersey Expands Definition of Personal Information Requiring Breach Notifications

Posted by HIPAA Journal

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach.

New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that allows the account to be accessed.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed.

The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52- was passed by the Senate and Assembly in 2018, but it was not signed by then state governor Chris Christie. Current state governor Phil Murphy is expected to sign the bill.

The bill closes a gap in current laws that would allow businesses to avoid notifying consumers of breaches of online information. If online accounts are compromised, criminals can gain access to a range of sensitive information that can be used for identity theft and fraud. If an online account can be accessed by someone else as a result of a data breach, consumers have the right to be informed so they can take steps to secure their accounts.

Under the new law, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if the cost of providing notices would exceed $250,000 or if more than 500,000 individuals have been affected. In such cases, breach victims should be emailed, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must deliver notices by other means, such as providing a conspicuous notice when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

Any business or public entity found to have willfully violated state data breach notification laws can be fined up to $10,000 for a first offense and up to $20,000 for any subsequent offenses. There is also a private right of action for individuals who have suffered ascertainable losses as a result of a data breach.

The post New Jersey Expands Definition of Personal Information Requiring Breach Notifications appeared first on HIPAA Journal.

New Cybersecurity Requirements for Ohio Health Insurers

Posted by HIPAA Journal

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information.

The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals.

Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in relation to physical/mental health, the provision of healthcare, or payment for healthcare.

The security program must ensure the security of information and information systems is protected, that threats to the security and integrity of information and information systems are mitigated, safeguards must be implemented to prevent unauthorized data access, and a mechanism must be put in place to ensure nonpublic information is permanently destroyed when no longer required.

Licensees are required to designate a party to be responsible for the security program and must identify reasonably foreseeable threats that could threaten the confidentiality, integrity, and availability of nonpublic information. Risks must be assessed for the likelihood of a breach and potential damage that could be caused. Risks must be managed, and safeguards put in place to manage threats must be assessed to ensure they are sufficient. Safeguards’ key controls, systems, and procedures must be reassessed at least annually to ensure they remain effective.

The security program should reflect the size and complexity of the licensee, the nature of its activities, the use of third-party service providers, and the sensitivity of the data.

If a security event is experienced that results in unauthorized access to information systems or nonpublic information that has a reasonable likelihood of resulting in material harm to a consumer or could have an adverse effect normal business operations, the Ohio Superintendent of Insurance must be notified within three days of the discovery of incident if the Licensee is based in Ohio. The Ohio Superintendent of Insurance must also be notified of a security event that affects 250 or more Ohio residents or warrants a notification to a government agency. Notifications must also be issued to consumers affected by the security incident in accordance with other state laws.

The new law applies to all individuals and non-government entities that are licensed under insurance laws in Ohio that have 20 or more employees, more than $5 million in gross annual revenue, or more than $10 million in assets.

Entities that are in compliance with the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with Senate Bill 273.

Licensees will be given one year to comply with the new requirements. The effective compliance date is therefore March 20, 2020.

The post New Cybersecurity Requirements for Ohio Health Insurers appeared first on HIPAA Journal.

California Bill Seeks to Expand State Data Breach Notification Law

Posted by HIPAA Journal

The data breach notification laws in California are already some of the toughest in the United States, although they could soon become even tougher if a new bill is signed into law.

Currently, California law requires data breach notifications to be issued to consumers when there has been a breach of financial/banking information, Social Security numbers, health insurance information, medical information, driver’s license numbers, passwords, and data collected through automated license plate recognition systems. The new bill seeks to expand that list to include passport numbers and biometric data such as fingerprints, iris/retina scans, and facial recognition data.

The bill – AB 1130 – was introduced by Assemblymember Marc Levine (D-San Rafael) and seeks to close a loophole in the current data breach notification law which could see breaches of highly sensitive information go unreported.

The massive data breach at Marriott in 2018 prompted the bill. A database containing the sensitive information of guests of the Starwood Hotels chain was stolen, resulting in the theft of guests’ names, addresses, and more than 25 million passport numbers. In total, the personal information of 327 million guests was stolen by cybercriminals.

Current data breach notification laws in California would have allowed such a breach of passport numbers to go unreported and consumers would not have needed to be notified. While Marriott did issue notifications, other companies may not have been so forthcoming about such a breach.

“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Xavier Bercerra. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

If the bill is passed, California will join Alabama, Florida, and Oregon in requiring breach notifications to be issued for breaches of passport numbers and states such as Iowa and Nebraska, which already require breach notifications to be issued for the exposure of biometric data.

The post California Bill Seeks to Expand State Data Breach Notification Law appeared first on HIPAA Journal.

Maryland Considers Tougher Penalties for Ransomware Attacks

Posted by HIPAA Journal

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state.

The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock.

Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more.

The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable costs of verifying whether a system has been altered, acquired, damaged, deleted, disrupted, or destroyed.

The penalty for a ransomware attack that results in more than $1,000 in losses would increase to a maximum fine of $100,000 and up to 10 years imprisonment. If the attack results in aggregate losses of less than $1,000, the crime would be a misdemeanor and could result in a fine of up to $25,000 and up to 5 years imprisonment.

Even being in possession of ransomware (for non-research purposes) could result in a hefty fine and prison term, even if no attacks have been conducted. Possession with intent could result in a fine of up to $10,000 and up to 10 years imprisonment.

It would also be possible for a person who has suffered a specific and direct injury as a result of a ransomware attack to bring a civil action against the attacker and for damages to be awarded and the cost of legal action to be recovered.

Ransomware poses a threat to all businesses, but healthcare organizations are especially vulnerable. Ransomware attacks on hospitals not only causes financial losses but could also potentially cause harm to patients. Loss of access to healthcare systems and encryption of patient data can disrupt medical services which could lead to fatalities.

Research conducted at Vanderbilt university in 2017 suggests ransomware attacks on hospitals could potentially result in 2,000 deaths a year. The financial losses can also be considerable. The ransomware attack on Maryland-based Medstar Health in 2016 is believed to have caused more than $30 million in losses.

The post Maryland Considers Tougher Penalties for Ransomware Attacks appeared first on HIPAA Journal.