Legal News

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

Posted by HIPAA Journal

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara. D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis.

The post NY Attorney General Fines Arc of Erie County $200,000 for Security Breach appeared first on HIPAA Journal.

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Posted by HIPAA Journal

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family.

The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died.

Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth month screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother.

The Russells had taken care of their adopted son Keon since he was two weeks old and finalized the adoption in July 2015. Under the terms of the adoption, the birth mother terminated all of her parental rights. Even so, an employee at the hospital contacted the birth mother to alert her to the death of her son.

In the lawsuit the Russells claim that as a result of the impermissible disclosure of their son’s health information they have experienced “extreme emotional distress” from having to deal with the birth mother. The couple are seeking $150,000 in damages.

The call to the birth mother was made by an employee of the hospital, although according to the lawsuit that was not the only privacy violation and HIPAA violation that occurred. The lawsuit alleges multiple hospital workers accessed Keon’s medical records without authorization including workers in the hospital cafeteria.

One worker in the food service section had been legitimately been given access to the hospital’s EHR system. Access was required to check dietary requirements of patients and room numbers. It is alleged that that worker had been instructed to write down her login credentials on a sticky note and post them on a computer to allow others to be able to access the EHR system. Those credentials were allegedly used by other food service workers to access the child’s records, including labor and delivery department records.

An examination of the access logs showed that Keon’s medical records were accessed multiple times on the day of admission to the hospital using the food service worker’s credentials, even though the worker wasn’t on duty that day.

If the allegations are true, there have been multiple HIPAA violations, which have undoubtedly caused emotional distress for the parents; however, there is no private cause of action in HIPAA. It is not possible for an individual to sue a hospital for a HIPAA violation. Only state attorneys general and the Department of Health and Human Services’ Office for Civil Rights are permitted to bring legal action against healthcare organizations for HIPAA violations under federal law.

Instead, the lawsuit alleges the hospital was negligent for failing to protect Keon Russell’s medical records and meet HIPAA requirements and its own internal policies. It has also been alleged that Oklahoma’s medical records statutes were also been violated. A jury trial is expected to commence in January 2019.

The post Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure appeared first on HIPAA Journal.

Court Approves Anthem $115 Million Data Breach Settlement

Posted by HIPAA Journal

The $115 million settlement proposed by Anthem Inc., in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16.

The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S District Court for the Northern District of California, where a large proportion of the class members reside.

While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers.

Following the data breach, Anthem offered breach victims 24 months of credit monitoring services without charge; however, many class members personally paid for credit monitoring and identity theft protection services and incurred other out-of-pocket expenses as a result of the breach. “The settlement provides the class with a timely, certain, and meaningful recovery,” said Judge Koh. If the settlement was rejected, not only would the litigation come at a considerable cost, there would be no guarantee that the litigation would succeed. If it did, it would still result in substantial delays in any payment being made to the class members to cover costs associated with the breach.

Some of the class members believe the settlement is insufficient and that it has not sufficiently punished Anthem, although U.S. District Judge Lucy H. Koh believes the settlement is “fair, reasonable, and adequate”. While several objections were received, Judge Koh determined that none of them were valid.

Under the settlement, Anthem has paid for two years of credit monitoring services. This is in addition to the credit monitoring services previously offered by Anthem. Class members who do not have credit monitoring services in place will be able to sign up by submitting a straightforward form. Class members who have already signed up for credit monitoring services can claim a cash payment as an alternative, provided they provide proof of their current credit monitoring services. The fund is sufficient to allow each class member who has submitted a claim to receive a maximum payment of $50 as a cash alternative.

The settlement also includes a fund of $15 million for individuals who have already incurred out-of-pocket expenses as a result of the data breach. So far, only around 1.33 million individuals have submitted a claim. The settlement allows claims of up to $10,000 per individual to reimburse out of pocket expenses.

Anthem has also agreed to implement additional security controls to ensure sensitive information is better protected in the future, including the use of encryption for data at rest and enhancements to its data security procedures.

The post Court Approves Anthem $115 Million Data Breach Settlement appeared first on HIPAA Journal.

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

Posted by HIPAA Journal

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston.

Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve.

Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014.

Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were prevented from being available for legitimate communications. The attack affected the hospitals’ ability to communicate, use the internet, and even provide care to certain patients.

The attack disrupted operations at Boston Children’s Hospital for two weeks and cost an estimated $300,000. A further $300,000 was lost donations as its fundraising portal was also taken offline as a result of the attack.

Gottesfeld claimed he conducted the DDoS attacks on behalf of the hacktivist group Anonymous in response to the way the hospital had behaved over a child custody case.

The custody case in question received national media attention and resulted in the parents of Connecticut teenager Justina Pelletier losing custody of their daughter. Children’s Mercy Hospital alleged Justina’s parents were medically abusing their daughter and custody was passed over to the commonwealth of Massachusetts.

Justina was receiving treatment for mitochondrial disease at Boston’s New England Medical Center but was transferred to Children’s Mercy Hospital where she was diagnosed as having somatoform disorder. Justina’s parents disagreed with the diagnosis and attempted to get their daughter discharged. The hospital refused, and in the subsequent legal battle, Justina’s parents lost custody of their child.

Gottesfeld was suspected of conducting the DDoS attacks and his home was searched by federal law enforcement officers in October 2014. Several servers, computers and hard drives were seized although Gottesfeld was not officially charged at the time.

Gottesfeld went missing in February 2016 but was found after getting into difficulty when sailing in a small boat. He was rescued off the coast of Cuba by a passing cruise ship and was arrested when the cruise ship docked in Miami. The FBI claimed Gottesfeld was attempting to flee the United States.

Gottesfeld will be sentenced on Nov. 14, 2018 and potentially faces a fine of up to $500,000, plus restitution, and up to 15 years in jail – A maximum of 5 years for the conspiracy charge and up to 10 years for the criminal damage charge, with a further 3 years of supervised release.

The post Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital appeared first on HIPAA Journal.

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

Posted by HIPAA Journal

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight.

In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes.

The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail.

In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital and could have been taken by employees or third parties. In the case of Millender, that is exactly what happened.

Flowers Hospital attempted to have the lawsuit dismissed, although that attempt failed and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250 each, although claims up to a total value of $5,000 would be considered.

In order to be eligible to receive the compensation, class members would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.

Additionally, breach victims would be allowed to claim money for the time they spent arranging those services – up to four hours of documented lost time – the cost of obtaining credit reports, and any un-reimbursed interest as a result of a delayed tax refund as a result of there being a fraudulent tax return filed between June 2013 and the claims deadline. The settlement does not include any punitive damages.

In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.

The post Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach appeared first on HIPAA Journal.

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

Posted by HIPAA Journal

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight.

In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes.

The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail.

In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital and could have been taken by employees or third parties. In the case of Millender, that is exactly what happened.

Flowers Hospital attempted to have the lawsuit dismissed, although that attempt failed and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250 each, although claims up to a total value of $5,000 would be considered.

In order to be eligible to receive the compensation, class members would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.

Additionally, breach victims would be allowed to claim money for the time they spent arranging those services – up to four hours of documented lost time – the cost of obtaining credit reports, and any un-reimbursed interest as a result of a delayed tax refund as a result of there being a fraudulent tax return filed between June 2013 and the claims deadline. The settlement does not include any punitive damages.

In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.

The post Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach appeared first on HIPAA Journal.

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Posted by HIPAA Journal

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information.

In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January.

The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent article in the Kansas City Star, some patients have only just been notified that their PHI was stolen.

In addition to the phishing attack, Children’s Mercy Hospital reported a further breach of 1,463 patients’ PHI to the Department of Health and Human Services’ Office for Civil Rights on June 27, 1018 – an unauthorized access disclosure incident. That incident related to the interception of unencrypted pages sent by physicians at the hospital. The pages were viewed by a radio hobbyist using an antenna and a software-defined radio (SDR) on a laptop computer. Children’s Mercy was not the only hospital affected by that incident.

An unauthorized access/disclosure incident was also reported to OCR by Children’s Mercy Hospital on May 19, 2017. That incident impacted 5,511 patients. In that case, PHI had been uploaded to a website by a physician. The website was unauthorized and lacked appropriate security controls.

Earlier this week, Kansas City law firm McShane and Brady filed a class action lawsuit over the phishing incident. In the lawsuit it is claimed that Children’s Mercy violated Missouri law and breached its fiduciary duty to patients.

“Patients trust health care providers with our medical information and when that is released without our authorization, they’re breaking our trust and breaching what we’ve asked them to do,” said Maureen Brady, partner at McShane and Brady. “When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept.”

While the lawsuit seeks damages for all patients impacted by the breach, those damages have not been stated in the lawsuit.

This is not the first time that legal action has been taken against Children’s Mercy Hospital over a privacy breach, and neither is it the first time McShane and Brady has sued the hospital. The law firm also filed a class action lawsuit over the 5,511-record breach in 2017.

There is no private cause of action in HIPAA, so it is not possible for patients to take legal action for the exposure of protected health information as a result of a HIPAA violation, although it is possible to sue healthcare providers over violations of state laws.

The post Children’s Mercy Hospital Sued for 63,000-Record Data Breach appeared first on HIPAA Journal.

Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation

Posted by HIPAA Journal

In 2016, Radnor, PA-based Main Line Health Inc., terminated an employee for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing the personal records of a co-worker without authorization on two separate occasions.

In such cases, when employee or patient records are accessed without authorization, employees face disciplinary action which can include termination. Gloria Terrell was one such employee who was terminated for violating company policies and HIPAA Rules. Main Line Health fired Terrell for “co-worker snooping.”

Terrell filed an internal appeal over her termination and maintained she accessed the records of a co-worker in order to obtain a contact telephone number. Terrell said she needed to contact the co-worker to make sure a shift would be covered, and this constituted a legitimate business reason for the access as she was unable to find the phone list with employees’ contact numbers.

After firing Terrell, Main Line Health appointed a significantly younger person to fill the vacant position. Terrell took legal action against Main Line Health in September 2016 claiming age discrimination. In the lawsuit, Terrell claimed Main Line Health had experienced similar snooping incidents in the past and failed to apply the same rules for younger employees. Terrell claimed she knew of three younger co-workers who were not terminated following the discovery of HIPAA violations. However, Terrell could not substantiate those assertions and all three employees denied they had been involved in any improper accessing of patient records.

Main Line Health explained appropriate training on HIPAA Rules and company policies had been provided to staff on multiple occasions and that there were established policies related to the protection of confidential employee and patient information. Those policies clearly state disciplinary action will be taken if company policies and HIPAA Rules are violated, which may include immediate discharge from employment.

Main Line Health maintained Terrell was terminated for a legitimate, non-discriminatory reason, and since the case failed to raise a triable issue, Main Line Health was entitled to a summary judgement.

Terrell’s case (Gloria Terrell v. Main Line Health, Inc., et al – Civil action No. 17-3102) went to federal court in the Eastern District of Pennsylvania. U.S District Court Judge Richard Barclay Surrick recently granted Main Line Health’s summary judgement, ruling Terrell failed to establish a viable age discrimination claim.

“In short, other than her own subjective beliefs, Plaintiff has offered no evidence from which a reasonable factfinder could conclude that Defendant’s proffered reason for terminating her lacks credibility. She has provided no evidence to support a finding of discrimination,” wrote Judge Barclay Surrick. “Although one may have reservations about the wisdom of terminating an employee with Plaintiff’s experience and tenure for electronically accessing a phone number that had already been made available to co-workers in paper form, it is not for this Court to sit as a super-personnel department that re-examines an entity’s business decisions.”

The post Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation appeared first on HIPAA Journal.

District Court Ruling Confirms No Private Cause of Action in HIPAA

Posted by HIPAA Journal

Patients who believe HIPAA Rules have been violated can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law.

Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed.

Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station.

Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station and took a photograph of the two computer intake stations.

On July 3, 2017, Ms. Lee-Thomas submitted a complaint with the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations for patients to preserve their privacy.

On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she proceeded to do so.

LabCorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit, and filed a motion to dismiss, again for the failure to state a claim. Ms. Lee-Thomas failed to respond to the motion to dismiss.

In a June 15 ruling, District Court Judge Rudolph Contreras confirmed that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.

Even if there was a private cause of action, it would be unlikely that this case would have proved successful as no harm appears to have been caused as a result of the alleged HIPAA violation.

While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state laws.

Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed, and several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.

A HIPAA violation can be reported to OCR to investigate, and action may be taken against the covered entity in question by OCR, but if the sole basis of any legal action is a violation of HIPAA Rules, the case is unlikely to be successful.

Victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.

The post District Court Ruling Confirms No Private Cause of Action in HIPAA appeared first on HIPAA Journal.