Legal News

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution.

Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014.

Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information.

Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents.

On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016.

She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were notified of the risk of identity theft and fraud as a precaution.

Angela Dawn Roberts admitted stealing the protected health information of 10 patients and pleaded guilty to one count of identity theft. The plea agreement was filed in July.

The stolen information was passed to her co-defendant, Ajarhi Savimbi Roberts. Ajarhi Savimbi Roberts was charged with bank fraud in a 36-count indictment. He pleaded guilty and is scheduled to be sentenced on May 21.

The post Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft appeared first on HIPAA Journal.

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients.

Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items.

Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office.

The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email.

Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per individual. Bazile, along with co-defendants Joshua Hamilton and Ahmeen Evans, used the credit to purchase Apple gift cards that were then used to buy tablets and laptop computers totaling more than $700,000.

Bazile and Haughton had already been convicted and sentenced to lengthy jail terms for their role in the identity theft scheme. Bazile and Haughton were convicted of Grand Larceny in the Second Degree in 2015 and were sentenced to serve 3 to 9 years and 1 and 1/3 to 4 years in jail respectively. Evans was also convicted of Grand Larceny in the Second Degree and was sentenced to 5 years’ probation.

Vuong was found guilty of 189 counts against her including one count of Grand Larceny in the Second Degree, 49 counts of Grand Larceny in the Third Degree, 63 counts of Identity Theft in the First Degree, 45 counts of Grand Larceny in the Fourth Degree, 30 counts of Identity Theft in the Second Degree, and one count of Unlawful Possession of Personal Identification Information in the Second Degree.


HHS Files Motion to Dismiss Ciox Health Lawsuit

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing.

Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access.

Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations.

In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS explains that the claims made by Ciox Health lack standing because the rulemaking it is challenging applies only to HIPAA-covered entities. Ciox Health is a business associate, not a covered entity. HHS points out that Ciox Health is challenging a rule that the company is not subject to. Further, the guidance that has been challenged has no force or effect of law, so there is nothing for Ciox Health to challenge.

The fees that Ciox Health can charge for providing copies of medical records are not limited by HIPAA. The HIPAA rule that the firm is challenging concerns the fees that covered entities can charge patients. The fees that Ciox Health charges covered entities are a matter for Ciox Health to resolve with the covered entities that it serves.

HHS explained that the claims of Ciox Health lack standing on three grounds: the challenge has been made against “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action,” Ciox Health failed to establish that it has suffered an injury as a result of the 2013 rulemaking and 2016 guidance, and there are no constitutional grounds for the claims.

“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.”


Oregon Data Breach Notification and Information Security Laws Updated

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown signed Senate Bill 1551 (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604, and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018.

Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.”

A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”

The definition of personal information has been expanded to include a first name or first initial and last name, in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State identification card number from the Department of Transportation
  • Passport number
  • Other U.S. identification numbers
  • Data from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to authenticate transactions
  • A health insurance policy number or subscriber ID number in combination with any unique identifier that can identify an individual
  • Details of mental or health conditions
  • Medical histories
  • Financial information that includes an access code or passwords that would permit an unauthorized individual to gain access to the financial account

While timely notifications were required when personal information was exposed or stolen as a result of a security breach, there is now a maximum time frame for issuing notifications. Notifications must be issued without unreasonable delay, but no later than 45 days following the discovery of a breach. Breach notifications can be delayed at the request of law enforcement if the issuing of notifications would impede an investigation.

While there is some overlap between the definition of personal information under state law and the definition of protected health information under HIPAA, HIPAA-covered entities are exempt from complying with the 45-day breach notice deadline and are deemed to be in compliance with that aspect of state law if they meet the requirements of the HIPAA Breach Notification Rule and issue notifications no later than 60 days from the discovery of a breach. All breached entities, including HIPAA covered entities, must send a copy of the consumer breach notice to the Oregon attorney general if the breach impacts more than 250 individuals.

The update also introduced the requirement that credit monitoring services and identity theft protection services cannot be conditioned on accepting any other services that require a fee to be paid, and neither should require the provision of a credit or debit card. The law does not require a breached entity to provide these services in the event of a breach of personal information.

The update to Information Security Law, O.R.S. 646A.622 requires “a person that owns, maintains or otherwise possesses, or has control over or access to, data that includes a consumer’s personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and security of personal information.

HIPAA-covered entities will be deemed to be in compliance with that aspect of O.R.S. 646A.622 provided they are in compliance with HIPAA 45 C.F.R. 160 and 164.


Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – a network of physicians affiliated with over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without any authentication.

The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes.

Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.

The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient data to be accessed by anyone without the need for authentication.

Further, the content of the FTP server was indexed by search engines and could be found by typing in search terms contained in the notes. For example, typing in a patient’s name would allow the information to be found, which happened on at least one occasion. A patient found portions of her medical records online after performing a Google search.

The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.

When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although cached copies of the information remained accessible online and could still be found by performing a Google search. The password was reinstated on January 15, 2016, but a week later Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.

At that point, although Best Medical Transcription was aware that the password protection had been removed and that a breach may have occurred, it had not notified Virtua Medical Group that data had been exposed. The investigation by Virtua Medical Group revealed that 462 patients’ records had been indexed by the search engines. Virtua Medical Group submitted individual requests to Google to have the information taken down, and patients were notified about the breach in March.

An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.

The Division of Consumer Affairs alleged there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI and insufficient security protections had been implemented to reduce risk.

The Division of Consumer Affairs further alleged that:

  • A security awareness and training program had not been implemented for the entire workforce
  • There were unacceptable delays in identifying and responding to the breach
  • No procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site
  • No written log of the number of times the FTP site was accessed had been maintained
  • There had been an impermissible disclosure of patients’ ePHI

Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.

In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan which includes hiring a third-party security professional to perform a comprehensive risk analysis relating to the storage, transmission and receipt of ePHI and to perform further risk assessments every two years.


Alabama Governor Enacts Data Breach Notification Act

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018.

The data breach notification law has taken a long time to be enacted, but Alabama residents will now have some of the best protections in the country, as the law is one of the strictest introduced in any state.

While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards.

Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of the following data elements:

  • A non-truncated Social Security or tax-identification number
  • A non-truncated driver’s license, passport, or other government identification number
  • A financial account number combined with security/access code, password, PIN or expiration date necessary to access or enter into a transaction that will “credit or debit the account”
  • An individual’s medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier
  • A user name or email address combined with a password or security question/answer permitting access to an online account affiliated with the covered entity that is reasonably likely to contain, or is used to obtain, sensitive personally identifying information

The Data Breach Notification Act requires at least one employee to be designated to coordinate data security measures. Covered entities must determine ‘reasonable security measures’ by means of a risk assessment covering internal and external threats. Appropriate safeguards must then be implemented to address identified risks and reduce them to a reasonable level. The measures introduced must be reevaluated and adjusted when circumstances change.

When personal information is no longer required, covered entities must take reasonable steps to ensure the information is permanently destroyed.

In the event of a breach of personal information, the covered entity must conduct a “good faith and prompt investigation” to determine the nature and scope of the breach, the types of sensitive personally identifying information involved, the likelihood of the information being acquired by an unauthorized individual, and whether the acquisition of sensitive personally identifying information is likely to cause substantial harm. The covered entity must also ensure measures are introduced to restore the security of its systems after a breach has occurred.

Data breach notifications must be issued to all individuals impacted by the breach “without unreasonable delay” and no later than 45 days after the discovery of a breach of sensitive personally identifying information.

The breach notice must include the date – or estimated date – of the breach, the type of information exposed or stolen, a general description of remedial measures taken by the covered entity in response to the breach, and a list of actions that individuals can take to protect themselves against identity theft and fraud. Contact information must also be supplied to allow individuals to find out more about the breach should they wish to do so.

In addition to personal notifications, the Alabama state attorney general must also be notified of a breach within 45 days if it impacts more than 1,000 individuals.

HIPAA covered entities should note that they are not deemed to be in compliance with the Alabama Data Breach Notification Act by complying with HIPAA Rules.

Any entity that violates the Alabama Data Breach Notification Act will be subject to penalties for an unlawful trade practice under the Alabama Deceptive Trade Practices Act, although a violation would not be classed as a criminal offense. The maximum civil monetary penalty is $5,000 for each day past the 45-day deadline for issuing data breach notifications. The maximum civil monetary penalty for violations of the Act is $500,000.


South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised.

Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018.

The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – the same time frame as HIPAA.

Personal information is classed as the full name or first initial and last name of a state resident in combination with any of the following: a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the card to be used), employment ID number (with authentication information), or health information (the same definition as HIPAA 45 CFR 160.103). A notification must also be issued to the state attorney general if the breach impacts more than 250 state residents, also within 60 days of discovery of the breach.

In contrast to many states, there is a risk of harm exception in the South Dakota data breach notification law. If a breached entity “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be issued.

Delaying breach notifications could attract a fine up to $10,000 per day plus state attorneys’ fees, with a fine of $10,000 possible for each violation.

Now that the South Dakota data breach notification law has been enacted, Alabama is the only state that has not yet introduced state-level data breach notification regulations. That is likely to change soon as data breach legislation is currently under consideration by the House of Representatives following the unanimous passing of the Alabama Data Breach Notification Act of 2018 by the Alabama Senate earlier this month.

State Attorneys General Oppose Federal Data Breach Notification Regulations

Just as the patchwork of data breach notification regulations approaches completion, federal regulations are being considered that could see those state level laws rendered obsolete. A discussion draft of the Data Acquisition and Technology Accountability and Security Act was issued in February, which if signed into law, would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”

The Data Acquisition and Technology Accountability and Security Act would require security safeguards to be implemented to protect personal information stored by any entity included in the above definition. Data breach notifications would need to be issued if, following a risk assessment, the breached entity determines there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.” The notifications would need to be issued without unreasonable delay.

The discussion draft of the bill has attracted criticism from state attorneys general who have already enacted their own laws to protect residents in their respective states. A bipartisan group of 32 (20 Democrats / 12 Republicans) state attorneys general, led by Illinois attorney general Lisa Madigan, sent a joint letter to the House Financial Services Committee on March 19 opposing the Data Acquisition and Technology Accountability and Security Act.

The proposed Data Acquisition and Technology Accountability and Security Act preempts state regulations and appears to place credit reporting agencies such as Equifax outside the scope of state regulation. While the above definition of entities appears to be comprehensive, a notable exception is any entity covered by the Gramm-Leach-Bliley Act – namely financial institutions and credit reporting agencies.

Further, the proposed bill would see protections for consumers lessened in most states, since the breach reporting requirements in the Data Acquisition and Technology Accountability and Security Act are far less stringent. Not only does the DATAS Act allow a breached entity to determine the level of risk to consumers – and whether data breach notifications are required – breached entities would have much longer to issue notifications. Those notifications could even be issued after consumers have experienced identity theft and fraud due to a breach of their personal information.


Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv.

The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients.

In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions.

In July/August 2017, CVS Caremark’s mailing vendor Fiserv sent letters to patients containing their membership cards and information about how they could obtain their HIV medications.

The complaint alleges that HIV-related information was clearly visible through the plastic windows of the envelopes, allowing it to be viewed by postal service workers, family members, and roommates. It is alleged that the mailing resulted in the disclosure of the recipients’ HIV status.

According to Ohio Department of Health policies, information related to HIV should only be sent in non-window envelopes. The mailing would have violated those policies and Health Insurance Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA breach would need to be reported to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of the breach; however, the complainant alleges that no breach report was submitted to OCR and notifications were not sent to affected individuals – a further breach of HIPAA Rules.

Plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

There have been other breaches of HIV information in recent weeks, including a mailing error by a vendor of Aetna. In that case, HIV-related information was visible through the clear plastic windows of envelopes in a mailing to 12,000 individuals. Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200 and is currently suing its mailing vendor to recover the costs. Aetna was also fined by the New York Attorney General over the breach and settled that case for $1.15 million.


EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. Employees must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials so that prompt action can be taken to manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”
