Legal News

Flowers Hospital Data Breach Settlement Approved by Judge

A class action data breach lawsuit filed against Flowers Hospital in Dothan, AL, in 2014 has finally been settled.

In 2014, an employee of Flowers Hospital stole the personal information of patients from the hospital laboratory and used the information to file fraudulent tax returns in the names of patients.

A deputy sheriff discovered patient files in the vehicle of a laboratory employee, Karmarian Millender, during a traffic stop. The investigation revealed that Millender had been stealing patient records from the laboratory and had sold the information to tax fraudsters who filed fraudulent tax returns in patients’ names. Millender pleaded guilty to the theft of patient data and was sentenced to two years in prison.

Many patients incurred out-of-pocket expenses from paying for credit monitoring services, lost earnings from arranging those services and combatting identity theft, and lost interest from delayed tax refunds. A class action lawsuit was filed against the hospital to recover those costs.

The lawsuit alleged the hospital had been negligent by failing to implement adequate measures to prevent data theft. Flowers Hospital attempted to have the lawsuit dismissed for lack of standing and claimed that the plaintiffs failed to link the data breach to economic harm. A judge allowed the plaintiffs to amend the complaint and the motion to dismiss was not carried over to the updated filing.

It has taken nearly five years, but the lawsuit has finally been dismissed and Flowers Hospital has agreed to a settlement of up to $150,000. That settlement was recently approved by a judge. Up to 1,208 patients potentially had their protected health information stolen and those who filed claims will be awarded a proportion of the settlement amount.

The maximum claim per patient is $5,000, which covers loss of interest on delayed tax returns, the cost of credit monitoring services, and compensation for loss of earnings while arranging those services, up to a maximum of 4 hours. The majority of breach victims are expected to be awarded up to $250 in damages.

The post Flowers Hospital Data Breach Settlement Approved by Judge appeared first on HIPAA Journal.

LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI

A lawsuit has been filed on behalf of patients who had their protected health information stolen as a result of a malware infection at the Baltimore-based healthcare provider LifeBridge Health.

LifeBridge Health discovered the malware infection in March 2018; however, an investigation of the breach revealed the malware had been installed on one of its servers on or around September 27, 2016. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems.

During the 18 months that the malware was on its server, the protected health information of approximately 530,000 patients was allegedly stolen, including information such as names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information.

According to the lawsuit, filed by law firm Murphy, Falcon & Murphy, the malware was installed as a result of “LifeBridge’s failure to ensure the integrity of its servers and to properly safeguard patients’ highly sensitive and confidential information.”

The lawsuit claims the breach was the result of “a serious lack of judgement and oversight” on the part of LifeBridge Health for failing to implement appropriate safeguards to protect patients’ PII and PHI, and for allowing hackers to “freely roam its systems” for 18 months before the breach was discovered. Following the discovery of the breach.

The lawsuit claims the breach exposed patients to serious harm and that the conduct of LifeBridge Health violated many privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, the Maryland Social Security Number Privacy Act, and the Maryland Consumer Protection Act.

“This data breach has compromised every aspect of these patients’ personal identities and has subjected them to significant harm,” said Hassan Murphy, Managing Partner at Murphy, Falcon & Murphy.

While hackers gained access to sensitive patient information, it is currently unclear how many of those patients have suffered financial losses as a result of the breach, something which will no doubt have to be proven if the lawsuit is to succeed.

Two defendants named in the lawsuit, Jahima Scott and Darlene Johnson, claim their identities were stolen and they became victims of credit card fraud shortly after the breach occurred. The plaintiffs are seeking damages in excess of $30,000.


$853,000 Awarded to Patient Whose PHI Was Impermissibly Disclosed to Former Boyfriend

An 11-year lawsuit that was filed following the release of a woman’s medical records to her former boyfriend has finally come to an end and a jury has ruled in favor of the plaintiff.

Emily Byrne took legal action against Avery Center for Obstetrics and Gynecology in Westport, CT, following the release of her medical records to her former boyfriend’s attorneys. Emily Byrne broke up with her boyfriend, Andro Mendoza, after she discovered she was pregnant. Mendoza took legal action to obtain Byrne’s medical records. His attorneys issued a subpoena to Avery Center to release Byrne’s medical records and Avery Center complied.

According to Byrne’s lawsuit, Mendoza viewed her medical records and used the information to try to gain custody of the baby. The information was also allegedly used to harass and extort money from Byrne.

The lawsuit claimed that as a result of the disclosure of her medical records, Byrne suffered emotional distress, trauma, and anxiety, was harassed by exposure to civil claims in federal district court, received threats from Mendoza of criminal charges, and suffered financial losses relating to legal fees and medical bills.

The lawsuit alleged a breach of contract, negligence, negligent misrepresentation, negligent infliction of emotional distress, and that the release of Byrne’s medical records constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The case came before the Connecticut Supreme Court twice. Avery Center attempted to get the case dismissed as there is no private cause of action in HIPAA; however, the Supreme Court ruled that a patient who suffered harm as a result of a breach of medical confidentiality had a tort remedy. The case was then remanded to the Superior Court for trial.

Avery Center had previously attempted to settle the case for $100,000 but the offer was rejected. Byrne was pursuing $1,000,000 in damages, the maximum amount covered by the Avery Center’s insurance policy.

After six days of testimony, the 6-person jury at the Bridgeport Superior Court in Connecticut ruled in favor of the plaintiff and Byrne was awarded $853,000 in damages.

“The case created new law,” said Byrne’s attorney, Bruce Elstein. “The Supreme Court ruled a patient has a remedy for breaches of medical responsibility and that never occurred before.”

The Avery Center has until December 26, 2018, to launch an appeal.


Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in a statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.


Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday, December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold and the individuals or companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission, which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: health data related to the provision of medical services related to the physical and mental health of an individual; health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology.


Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI.

Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI.

On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC. OCR investigated and confirmed that remote access to the calendar had continued and that the former employee had accessed the calendar on two occasions, on July 8 and September 10, 2013, as a direct result of the failure to de-activate the former employee’s username and password. The calendar contained the electronic protected health information of 557 patients.

Further, the web-based calendar used by PSMC had been provided by a company (Google) that had not signed a business associate agreement with PSMC. Consequently, the use of the calendar in connection with ePHI constituted an impermissible disclosure. Without a BAA in place, PSMC had not received satisfactory assurances that Google would safeguard the ePHI contained in the calendar.

It should be noted that Google Calendar is now a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity prior to using the service in connection with any ePHI, it constitutes a HIPAA violation.

In addition to the financial penalty, PSMC has agreed to adopt a substantial corrective action plan to address all HIPAA compliance failures, including updating its security management and business associate agreement policies and procedures. Staff must also be trained on those new policies and procedures. The corrective action plan lasts for two years, during which time PSMC will have to submit annual reports to the HHS on whether it has met its compliance obligations.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

The settlement sends a message to all HIPAA covered entities of the importance of ensuring access to ePHI is promptly terminated when it is no longer required and serves as yet another reminder of the importance of making sure that a BAA is entered into with all vendors prior to any disclosure of ePHI.

This is the second OCR financial penalty for a HIPAA violation to be announced this month and the tenth OCR HIPAA penalty of 2018.


EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels, a violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.


First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR), which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.


12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating: Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to the company’s WebChart electronic health record system and highly sensitive patient information, the exact types of data sought by identity thieves: names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set up two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue, as the accounts were identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use them. The accounts were set up to enable one of its healthcare provider clients to log in without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While the company was investigating the malware attack, the attackers were still able to exfiltrate further data through SQL queries, demonstrating that the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access as two of the IP addresses used by the attackers originated in Germany.

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.
