Legal News

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

Posted by HIPAA Journal

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients.

Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients.

The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications.

The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and recovered computer equipment and additional items that had been stolen from Chilton Medical Center.

Jitcu was charged and plead guilty to one count of computer criminal activity and one count of theft of computer equipment. The offenses occurred between January 1, 2015 and November 8, 2017.

A non-custodial sentence of five years’ probation was given to Jitcu on the condition that ongoing restitution payments be made to Chilton Medical Center totaling $64,250.

The post Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI appeared first on HIPAA Journal.

Virginia Superior Court Partially Reverses Lower Court Decision in Employee Snooping Case

Posted by HIPAA Journal

When healthcare employees access patient data without authorization it is a clear violation of the Health Insurance Portability and Accountability Act’s Privacy Rule, but is the employer liable for the privacy breach?

In 2016, Lindsey Parker, a patient of Carilion Healthcare Corp’s Carilion Clinic in Virginia, took legal action against the clinic and Carilion Healthcare Corp after it was discovered that two employees of the clinic had accessed her medical records and impermissibly disclosed a past diagnosis.

The privacy breach occurred in 2012 which parker was a patient of the Carillion Rocky Mount Obstetrics & Gynecology clinic. Parker was visiting the clinic about a matter unrelated to her previous diagnosis and while waiting for treatment, Parker spoke with an acquaintance in the waiting room – Trevor Flava.

Parker alleged that a Carillion employee, Christy Davis, saw the couple talking and accessed Parker’s medical record and saw her previous diagnosis. Davis is then alleged to have contacted her friend, Lindsey Young, who worked in another Carillion facility and disclosed the diagnosis and that Parker was conversing with Flava. Young then allegedly accessed Parker’s record, confirmed the diagnosis, and disclosed that diagnosis to Flava.

Parker and her legal team sued Carilion Healthcare Corp, the Carilion Clinic, and both Carillion employees over the impermissible disclosure of her health information. In Parker’s complaint it was alleged that Carillion was directly and vicariously liable for the breach – Directly for the failure to secure her medical records and vicariously liable under respondeat superior principles. Parker also claimed that the breach amounted to negligence and a violation of HIPAA Rules for failing to ensure the confidentiality of her medical record. Parker also claimed the HIPAA violation constituted also constituted a violation of Virginia law.

Carillion argued that the employees had acted outside the scope of their employment, which precluded the respondeat superior claim, and contested the legal viability of the HIPAA violation claim. The Virginia circuit court sustained the demurrers and Parker was granted 21 days to submit an amended complaint. That did not happen, although a notice of appeal was submitted within the legal time frame on December 2, 2016.

The lawsuit has now been partially resurrected by the Virginia Supreme Court. The decision on the claim of direct liability has not been reversed, but the circuit court’s decision on the respondeat superior claim of vicarious liability has.

“Because none of these factual contests can be addressed at the pleading stage of this case, we reverse the circuit court’s order sustaining Carilion’s demurrer,” wrote Justice D. Arthur Kelsey in his opinion. Further consideration is needed on the circumstances that led to the accessing of Parker’s medical records by the employees, the reason why that information was shared, and whether the employees were actively involved in a job-related service at the time of the violation.

The post Virginia Superior Court Partially Reverses Lower Court Decision in Employee Snooping Case appeared first on HIPAA Journal.

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

Posted by HIPAA Journal

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information.

Protected Health Information of 1,654 Patients Was Accessible Through Search Engines

Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.

In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was updated.

In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.

New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough risk assessment of potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

HIPAA-Related Fines and Settlements with Attorneys General in 2018

While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.

State Covered Entity Amount Individuals affected Settlement/CMP
New Jersey Best Transcription Medical $200,000 1,650 Settlement
Washington Aetna TBA 13,160 Settlement (Multi-state action)
Connecticut Aetna $99,959 13,160 Settlement (Multi-state action)
New Jersey Aetna $365,211.59 13,160 Settlement (Multi-state action)
District of Columbia Aetna $175,000 13,160 Settlement (Multi-state action)
Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Settlement
New York Arc of Erie County $200,000 3,751 Settlement
New Jersey Virtua Medical Group $417,816 1,654 Settlement
New York EmblemHealth $575,000 81,122 Settlement
New York Aetna $1,150,000 12,000 Settlement

The post $200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach appeared first on HIPAA Journal.

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

Posted by HIPAA Journal

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals.

Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation.

The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.

Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted cyberattack conducted with the sole purpose of silently stealing sensitive data.

The attackers first gained access to its IT systems on December 2, 2014, with access continuing until January 27, 2015. During that time the attackers stole the data of 78.8 million plan members, including names, addresses, dates of birth, medical identification numbers, employment information, email addresses, and Social Security numbers.

The attackers gained a foothold in its network through spear phishing emails sent to one of its subsidiaries. They were then able to move laterally through its network to gain access to plan members’ data.

Anthem reported the data breach to OCR on March 13, 2015; however, by that time OCR was already a month into a compliance review of Anthem Inc. OCR took prompt action after Anthem uploaded a breach notice to its website and media reports started to appear indicating the colossal scale of the breach.

The OCR investigation uncovered multiple potential violations of HIPAA Rules. Anthem chose to settle the HIPAA violation case with no admission of liability.

OCR’s alleged HIPAA violations were:

  • 45 C.F.R. § 164.308(u)(1)(ii)(A) – A failure to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.
  • 45 C.F.R. § 164.308(a)(1)(ii)(D) – The failure to implement regularly review records of information system activity.
  • 45 C.F.R. § 164.308 (a)(6)(ii) – Failures relating to the requirement to identify and respond to detections of a security incident leading to a breach.
  • 45 C.F.R. § 164.312(a) – The failure to implement sufficient technical policies and procedures for electronic information systems that maintain ePHI and to only allow authorized persons/software programs to access that ePHI.
  • 45 C.F.R. § 164.502(a) – The failure to prevent the unauthorized accessing of the ePHI of 78.8 million individuals that was maintained in its data warehouse.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

In addition to the OCR HIPAA settlement, Anthem has also paid damages to victims of the breach. Anthem chose to settle a class action lawsuit filed on behalf of 19.1 million customers whose sensitive information was stolen. Anthem agreed to settle the lawsuit of $115 million.

2018 OCR HIPAA Settlements and Civil Monetary Penalties

Given the size of the Anthem HIPAA settlement it is no surprise that 2018 has seen OCR smash its previous record for financial penalties for HIPAA violations. The latest settlement takes OCR HIPAA penalties past the $100 million mark.

There have not been as many HIPAA penalties in 2018 than 2016(13), although this year has seen $1.4 million more raised in penalties than the previous record year and there are still 10 weeks left of 2018. The total is likely to rise further still.

OCR Financial Penalties for HIPAA Violations (2008-2018)

Year Settlements and CMPs Total Fines
2018 1 $24,947,000
2017 1 $19,393,000
2016 2 $23,505,300
2015 3 $6,193,400
2014 5 $7,940,220
2013 5 $3,740,780
2012 6 $4,850,000
2011 6 $6,165,500
2010 13 $1,035,000
2009 10 $2,250,000
2008 7 $100,000
Total 59 $100,120,200

 

HIPAA Fines and CMPs

Largest Ever Penalties for HIPAA Violations

Year Covered Entity Amount Settlement/CMP
2018 Anthem Inc $16,000,000 Settlement
2016 Advocate Health Care Network $5,550,000 Settlement
2017 Memorial Healthcare System $5,500,000 Settlement
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement
2018 University of Texas MD Anderson Cancer Center $4,34,8000 Civil Monetary Penalty
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty
2016 Feinstein Institute for Medical Research $3,900,000 Settlement
2018 Fresenius Medical Care North America $3,500,000 Settlement
2015 Triple S Management Corporation $3,500,000 Settlement
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty

The post $16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark appeared first on HIPAA Journal.

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

Posted by HIPAA Journal

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss.

The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco.

In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information.

A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities.

It was alleged that the failure to ensure its system was secure meant that any information entered in the portal by patients was at risk of exposure and could potentially be obtained by unauthorized individuals. In November 2016, four months after the system went live, A.J. Boggs & Company took the system offline to correct the flaws.

However, in February 2017, the California Department of Health discovered that the flaws in its portal had been exploited and unauthorized individuals had gained access to the system and had downloaded the private and highly sensitive information of 93 patients with HIV or AIDS. Following the discovery, the contract with the firm was cancelled and a new state-run system was adopted.

The ADAP program provides states with federal funding to provide financial assistance to low-income individuals with HIV or AIDS to make HIV medications more affordable, extending access to Medicaid when patients earned too much. Any medical data breach is serious, although the disclosure of an individual’s HIV status is especially so.

“HIV is still a highly stigmatized medical condition,” said Scott Schoettes, HIV Project Director at Lambda Legal. “When members of already vulnerable communities — transgender people, women, people of color, undocumented people, individuals with low incomes — already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”

Lambda Legal is seeking statutory and compensatory damages for the patient and is seeking class action status to allow the other 92 breach victims to be included in the lawsuit.

The post California HIV Patient PHI Breach Lawsuit Allowed to Move Forward appeared first on HIPAA Journal.

Massachusetts Gynecologist Spared Jail Time for Criminal HIPAA Violation

Posted by HIPAA Journal

In April 2018, the former Massachusetts-based gynecologist Rita Luthra, 65, of Longmeadow, was convicted of criminally violating the HIPAA Privacy Rule and obstructing a federal investigation into a nationwide kickback scheme. At her sentencing on September 19, 2018, Luthra was spared jail time and a fine and was given one year of probation.

Luthra was accused of being paid $23,500 to prescribe Warner Chilcott’s osteoporosis drugs, although Luthra maintained she had been paid the money as ‘speaker fees’ for speaking at medical educational events, which took place in her office, and for writing a research paper, although that paper was never finished. The jury found that Luthra lied to federal agents about money she had received from the pharmaceutical firm.

Luthra also denied providing a pharmaceutical sales representative with access to patient health information in order to complete pre-authorization forms for insurance companies that were refusing to approve prescriptions for two osteoporosis drugs that Warner Chilcott was pushing. She also allegedly instructed her assistant to lie to federal investigators and back up her story. The jury also found that Luthra had violated the HIPAA Privacy Rule.

After Luthra was arrested she lost her license to practice and also faced up to six years in jail with one year of supervised release and a maximum fine of $300,000 – $50,000 for the HIPAA violation and $250,000 for obstruction. However, U.S. District Judge Mark G. Mastroianni opted for leniency and sentenced Luthra to just one year of probation. Prosecutors were pushing for Luthra to receive a jail term of two and a half years and pay a financial penalty of $40,000. Judge Mastroianni also rejected the defense’s argument that she should be given community service.

Luthra’s lawyer, Stephen Spelman, said “Dr. Rita Luthra dedicates herself to serving others, and spends her professional lifetime treating women and girls from the disadvantaged communities in Western Massachusetts, never caring whether her patients could pay.”

Spelman also explained in a presentencing memo that Luthra “Suffered repeated beatings by her husband, who on multiple occasions tried to amputate her fingers with knives – because she was a surgeon. After one particularly vicious assault, she left the marriage, fleeing her marital home on a snowy night with literally nothing but the clothes on her back.”

It was Luthra’s work with disadvantaged women and girls in the impoverished areas of Springfield that prompted Judge Mastroianni to reject the prosecutors’ recommendation of a fine and to spare Luthra jail time. Prosecutors were pushing for jail time and a fine to serve as a deterrent, although Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

The post Massachusetts Gynecologist Spared Jail Time for Criminal HIPAA Violation appeared first on HIPAA Journal.

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Posted by HIPAA Journal

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules.

This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients.

Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital

Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a).

Brigham and Women’s Hospital (BWH) settled its HIPAA violations with OCR for $384,000. BWH allowed an ABC film crew to record footage between October 2014 and January 2015. Prior to filming, BWH conducted a review of patient privacy issues and provided the ABC film crew with HIPAA privacy training – The same training that was provided to its workforce. BWH also obtained written authorizations from patients. However, OCR determined that despite those measures, HIPAA Rules were still violated. In the resolution agreement, OCR wrote, “Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees,” in violation of 45 C.F.R. § I64.502(a). BWH also failed to reasonably safeguard the PHI of patients: A violation of 45 C.F.R. § 164.530(c).

Massachusetts General Hospital (MGH) settled its HIPAA violations with OCR for $515,000. The hospital similarly allowed a film crew to record footage between October 2014 and January 2015. A review of patient privacy issues was also conducted, and the film crew was provided with the same HIPAA privacy training that MGH provides to its employees.

As was the case with BWH, OCR determined that 45 C.F.R. § I64.502(a) was violated as authorizations were received after an impermissible disclosure and MGH failed to appropriately and reasonably safeguard patients’ PHI from disclosure during the filming of the series in violation of 45 C.F.R. § 164.530(c).

In addition to covering the financial penalty, each of the three hospitals must adopt a corrective action plan which includes providing further training to staff on the allowable uses and disclosures of PHI to film and media.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

HIPAA Enforcement in 2018

OCR had a record year for HIPAA penalties in 2016 when it agreed 12 settlements to resolve HIPAA violations and issued one civil monetary penalty. 2017 saw 9 settlements reached with HIPAA-covered entities and one civil monetary penalty issued.

2018 has seen a reduction in financial penalties for HIPAA violations, with only three penalties issued prior the September 20, 2018 announcement. These latest three settlements bring the total number of OCR HIPAA violation penalties for the year up to six.

HIPAA Penalties and Settlements Agreed with OCR in 2018

Entity Penalty Penalty Type Reason for Penalty
Boston Medical Center $100,000 Settlement Filming patients without consent
Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
Massachusetts General Hospital $515,000 Settlement Filming patients without consent
University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Lack of encryption and impermissible disclosure of ePHI
Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
Fresenius Medical Care North America $3,500,000 Settlement Multiple HIPAA Violations

 

HIPAA Settlements with State Attorneys General in 2018

In addition to the penalties issued by OCR, there have been four settlements reached between HIPAA covered entities and state attorneys general in 2018.

State Covered Entity Amount Reason for Penalty
New York Arc of Erie County $200,000 Online Exposure of PHI
New Jersey Virtua Medical Group $417,816 Online Exposure of PHI
New York EmblemHealth $575,000 Exposure of PHI in Mailing
New York Aetna $1,150,000 Exposure of PHI in Mailing

The post $999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.