Legal News

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

Posted by HIPAA Journal

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018.

HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights.

Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over delayed breach notifications in the past, although no penalties have been issued when notification letters have been sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April said the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information.”

UnityPoint Health told patients no reports had been received to suggest that their PHI had been accessed, stolen, or misused.

Patients were encouraged to “remain vigilant in reviewing your account statements for fraudulent or irregular activity”, although the burden of protecting against identity theft and fraud was passed on to patients. Affected individuals were not offered credit monitoring and identity theft protection services nor were they protected by an insurance policy covering misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that runs UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead plaintiff in the class action lawsuit, has accused UnityPoint Health of delaying reporting the breach to regulators and patients. She also alleges UnityPoint Health “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

Fox claims she has suffered sleep deprivation as a direct result of the breach and experiences daily anger. She also claims to have had an increase in the number of automated calls to her cellphone and landline in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking compensatory, punitive, and other damages.

The post Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack appeared first on HIPAA Journal.

Massachusetts Physician Convicted for Criminal HIPAA Violation

Posted by HIPAA Journal

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes.

One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation.

The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million.

Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of 10 months between January 2011 and November 2011.

The access to PHI allowed patients with certain health conditions to be targeted by the firm and facilitated the receipt of prior authorizations for Warner Chilcott pharmaceutical products. When interviewed by federal agents about her relationship with Warner Chilcott, Luthra provided false information and obstructed the investigation.

Luthra had been previously charged for receiving kickbacks from Warner Chilcott in the form of fees for speaker training and speaking at educational events that did not take place. Luthra had accepted payments of approximately $23,500. The DOJ eventually dropped the charges, although the case against the physician continued to be pursued, resulting in the two convictions.

Luthra faces jail time and a substantial fine. The maximum penalty for the HIPAA violation is a custodial sentence of no more than 1 year, one year of supervised release, and a maximum fine of $50,000. The maximum penalty for obstructing a criminal health investigation is no more than 5 years in jail, three years of supervised release, and a fine of up to $250,000.

The post Massachusetts Physician Convicted for Criminal HIPAA Violation appeared first on HIPAA Journal.

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

Posted by HIPAA Journal

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution.

Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014.

Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information.

Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents.

On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016.

She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were notified of the risk of identity theft and fraud as a precaution.

Angela Dawn Roberts admitted stealing the protected health information of 10 patients and pleaded guilty to one count of identity theft. The plea agreement was filed in July.

The stolen information was passed to her co-defendant, Ajarhi Savimbi Roberts. Ajarhi Savimbi Roberts was charged with bank fraud in a 36-count indictment. He pleaded guilty and is scheduled to be sentenced on May 21.

The post Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft appeared first on HIPAA Journal.

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

Posted by HIPAA Journal

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients.

Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items.

Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office.

The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email.

Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per individual. Bazile along with co-defendants Joshua Hamilton and Ahmeen Evans used the credit to purchase Apple gift cards that were used by buy tablets and laptop computers totaling more than $700,000.

Bazile and Haughton had already been convicted and sentenced to lengthy jail terms for their role in the identity theft scheme. Bazile and Haughton were convicted of Grand Larceny in the Second Degree in 2015 and were sentenced to serve 3 to 9 years and 1 and 1/3 to 4 years in jail respectively. Evans was also convicted of Grand Larceny in the Second Degree and was sentenced to 5 years’ probation.

Vuong was found guilty of 189 counts against her including one count of Grand Larceny in the Second Degree, 49 counts of Grand Larceny in the Third Degree, 63 counts of Identity Theft in the First Degree, 45 counts of Grand Larceny in the Fourth Degree, 30 counts of Identity Theft in the Second Degree, and one count of Unlawful Possession of Personal Identification Information in the Second Degree.

The post 2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office appeared first on HIPAA Journal.

HHS Files Motion to Dismiss Ciox Health Lawsuit

Posted by HIPAA Journal

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing.

Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access.

Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations.

In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS explains that the claims made by Ciox Health lack standing as the rulemaking it is challenging only applies to HIPAA-covered entities. Ciox Health a business associate, not a covered entity. HHS points out Ciox Health is challenging a rule that the company is not subject to. Further, the guidance which has been challenged has no force or effect of law and as such, there is nothing for Ciox Health to challenge.

The fees that Ciox Health can charge for providing copies of medical records are not limited by HIPAA. The HIPAA Rule that the firm is challenging is concerned with the fees that covered entities can charge patients. The fees that Ciox Health charges covered entities is a matter for Ciox Health to resolve with the covered entities that it serves.

HHS explained the claims of Ciox Health lack standing and a challenge has been made against “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action,” also  CIOX Health failed to establish that it has suffered an injury as a result of the 2013 rulemaking and 2016 guidance and there are no constitutional grounds to make the claims.

“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.”

The post HHS Files Motion to Dismiss Ciox Health Lawsuit appeared first on HIPAA Journal.

Oregon Data Breach Notification and Information Security Laws Updated

Posted by HIPAA Journal

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown added her signature to Senate Bill (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018.

Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.”

A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”

The definition of personal information has been expanded to include a first name or first initial and last name, in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State identification card number from the Department of Transportation
  • Passport number
  • Other U.S. identification numbers
  • Data from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to authenticate transactions
  • A health insurance policy number or subscriber ID number in combination with any unique identifier that can identify an individual
  • Details of mental or health conditions
  • Medical histories
  • Financial information that includes an access code or passwords that would permit an unauthorized individual to gain access to the financial account

While timely notifications were required when personal information was exposed or stolen as a result of a security breach, there is now a maximum time frame for issuing notifications. Notifications must be issued without unreasonable delay, but no later than 45 days following the discovery of a breach. Breach notifications can be delayed at the request of law enforcement if the issuing of notifications would impede an investigation.

While there is some overlap between the definition of personal information under state law and the definition of protected health information under HIPAA, HIPAA-covered entities are exempt from complying with the 45-day breach notice deadline and are deemed to be in compliance with that aspect of state law if they meet the requirements of the HIPAA Breach Notification Rule and issue notifications no later than 60 days from the discovery of a breach. All breached entities, including HIPAA covered entities, must send a copy of the consumer breach notice to the Oregon attorney general if the breach impacts more than 250 individuals.

The update also introduced the requirement that credit monitoring services and identity theft protection services cannot be conditioned on accepting any other services that require a fee to be paid, and neither should require the provision of a credit or debit card. The law does not require a breached entity to provide these services in the event of a breach of personal information.

The update to Information Security Law, O.R.S. 646A.622 requires “a person that owns, maintains or otherwise possesses,  or  has  control  over  or access  to, data that includes a  consumer’s personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and security of personal information.

HIPAA-covered entities will be deemed to be in compliance with that aspect of O.R.S. 646A.622 provided they are in compliance with HIPAA 45 C.F.R. 160 and 164.

The post Oregon Data Breach Notification and Information Security Laws Updated appeared first on HIPAA Journal.

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Posted by HIPAA Journal

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication.

The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes.

Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.

The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient data to be accessed by anyone without the need for authentication.

Further, the content of the FTP server was indexed by search engines and could be found by typing in search terms contained in the notes. For example, typing in a patient’s name would allow the information to be found, which happened on at least one occasion. A patient found portions of her medical records online after performing a Google search.

The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.

When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although caches of the information remained accessible online and could still be found by performing a Google search.  The password was reinstated on January 15, 2016, although a week later, Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.

At that point, while Best Medical Transcription was aware of the lack of password and a potential breach, it had not notified Virtua Medical Group that data had been exposed. The investigation by Virtua Medical Group revealed 462 patients’ records had been indexed by the search engines. Virtua Medical Group submitted individual requests to Google to have the information taken down and patients were notified about the breach in March.

An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.

The Division of Consumer Affairs alleged there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI and insufficient security protections had been implemented to reduce risk.

A security awareness and training program had not been implemented for the entire workforce, there were unacceptable delays in identifying and responding to the breach, no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site, no written log of the number of times the FTP site was accessed had been maintained, and there had been an impermissible disclosure of patients’ ePHI.

Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.

In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan which includes hiring a third-party security professional to perform a comprehensive risk analysis relating to the storage, transmission and receipt of ePHI and to perform further risk assessments every two years.

The post Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law appeared first on HIPAA Journal.

Alabama Governor Enacts Data Breach Notification Act

Posted by HIPAA Journal

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018.

The data breach notification law has taken a long time to be enacted although Alabama residents will now have some of the best protections in the country, with the law one of the strictest introduced in any state.

While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards.

Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of the following data elements:

  • A non-truncated Social Security or tax-identification number
  • A non-truncated driver’s license, passport, or other government identification number
  • A financial account number combined with security/access code, password, PIN or expiration date necessary to access or enter into a transaction that will “credit or debit the account”
  • An individual’s medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier
  • user name or email address combined with a password or security question/answer permitting access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain Sensitive personally identifying information.

The Data Breach Notification Act requires at least one employee to be designated to coordinate data security measures. Covered entities must determine ‘reasonable security measures’ by means of a risk assessment covering internal and external threats. Appropriate safeguards must then be implemented to address identified risks and reduce them to a reasonable level. The measures introduced must be reevaluated and adjusted when circumstances change.

When personal information is no longer required, covered entities must take reasonable steps to ensure the information is permanently destroyed.

In the event of a breach of personal information, the covered entity must conduct a “good faith and prompt investigation” to determine the nature and scope of the breach, the types of sensitive personally identifying information involved, the likelihood of the information being acquired by an unauthorized individual, and whether the acquisition of sensitive personally identifying information is likely to cause substantial harm. The covered entity must also ensure measures are introduced to restore the security of its systems after a breach has occurred.

Data breach notifications must be issued to all individuals impacted by the breach “without unreasonable delay” and no later than 45 days after the discovery of a breach of sensitive personally identifying information.

The breach notice must include the date – or estimated date – of the breach, the type of information exposed or stolen, a general description of remedial measures taken by the covered entity in response to the breach, and a list of actions that individuals can take to protect themselves against identity theft and fraud. Contact information must also be suppled to allow individuals to find out more about the breach should they wish to do so.

In addition to personal notifications, the Alabama state attorney general must also be notified of a breach within 45 days if it impacts more than 1,000 individuals.

HIPAA covered entities should note that they are not deemed to be in compliance with the Alabama Data Breach Notification Act by complying with HIPAA Rules.

Any entity that violates the Alabama Data Breach Notification Act will be subject to penalties for an unlawful trade practice under the Alabama Deceptive Trade Practices Act, although a violation would not be classed as a criminal offense. The maximum civil monetary penalty is $5,000 for each day past the 45-day deadline for issuing data breach notifications. The maximum civil monetary penalty for violations of the Act is $500,000.

The post Alabama Governor Enacts Data Breach Notification Act appeared first on HIPAA Journal.

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

Posted by HIPAA Journal

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised.

Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018.

The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA.

Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the card to be used), employment ID number (with authentication information), and health information (the same definition as HIPAA 45 CFR 160.103). A notification must also be issued to the state attorney general if the breach impacts more than 250 state residents, also within 60 days of discovery of the breach.

In contrast to many states, there is a risk of harm exception in the South Dakota data breach notification law. If a breached entity “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be issued.

Delaying breach notifications could attract a fine up to $10,000 per day plus state attorneys’ fees, with a fine of $10,000 possible for each violation.

Now that the South Dakota data breach notification law has been enacted, Alabama is the only state that has not yet introduced state-level data breach notification regulations. That is likely to change soon as data breach legislation is currently under consideration by the House of Representatives following the unanimous passing of the Alabama Data Breach Notification Act of 2018 by the Alabama Senate earlier this month.

State Attorneys General Oppose Federal Data Breach Notification Regulations

Just as the patchwork of data breach notification regulations approaches completion, federal regulations are being considered that could see those state level laws rendered obsolete. A discussion draft of the Data Acquisition and Technology Accountability and Security Act was issued in February, which if signed into law, would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”

The Data Acquisition and Technology Accountability and Security Act would require security safeguards to be implemented to protect personal information stored by any entity included in the above definition. Data breach notifications would need to be issued if, following a risk assessment, the breached entity determines there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.” The notifications would need to be issued without unreasonable delay.

The discussion draft of the bill has attracted criticism from state attorneys general who have already enacted their own laws to protect residents in their respective states. A bipartisan group of 32 (20 Democrats / 12 Republicans) state attorneys general, led by Illinois attorney general Lisa Madigan, sent a joint letter to the House Financial Services Committee on March 19 opposing the Data Acquisition and Technology Accountability and Security Act.

The proposed Data Acquisition and Technology Accountability and Security Act preempts state regulations and appears to place credit reporting agencies such as Equifax outside the scope of state regulation. While the above definition of entities appears to be comprehensive, a notable exception is any entity covered by the Gramm-Leach-Bliley Act – Namely financial institutions and credit reporting agencies.

Further, the proposed bill would see protections for consumers lessened in most states, since the breach reporting requirements in the Data Acquisition and Technology Accountability and Security Act are far less stringent. Not only does the DATAS Act allow a breached entity to determine the level of risk to consumers – and whether data breach notifications are required – breached entities would have much longer to issue notifications. Those notifications could even be issued after consumers have experienced identity theft and fraud due to a breach of their personal information.

The post South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill appeared first on HIPAA Journal.