Legal News

First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach

Lawsuits against HCA Healthcare were an inevitability following a data breach that affected approximately 11 million individuals and saw the stolen data listed for sale on a dark web forum. The breach was announced by HCA Healthcare on July 10, 2023, and while the total number of affected individuals has yet to be confirmed, 27 million lines of data were compromised, which equates to around 11 million individuals.

Since the investigation is still in the early stages, little information has been released so far about the nature of the cyberattack, other than an unauthorized individual gaining access to an external storage location used for formatting emails. HCA Healthcare said highly sensitive information such as Social Security numbers, financial information, and clinical information does not appear to have been compromised, only information such as names, dates of birth, email addresses, phone numbers, and next appointment dates.

The first lawsuit in relation to the breach was filed in the Tennessee Middle District Court on Wednesday by the law firms Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert, naming Gary Silvers and Richard Marous as plaintiffs. The lawsuit, Silvers et al v. HCA Healthcare, Inc., alleges a failure to comply with the HIPAA Rules and FTC guidelines, and that HCA Healthcare was negligent in failing to safeguard the personal and protected health information of patients. As a result of that negligence, patient data is now in the hands of cybercriminals, and the plaintiffs and class members are likely to have their sensitive data misused in a variety of fraudulent ways and face a lifetime risk of identity theft and fraud.

This lawsuit claims injuries have been suffered in a number of ways, including the lost or diminished value of private information, costs associated with the prevention, detection, and recovery from identity theft and fraud, lost opportunity costs to mitigate the data breach’s consequences, lost time, and emotional distress from the loss of control of “highly sensitive private information.”

The lawsuit seeks monetary damages, legal fees, a jury trial, and injunctive relief, requiring HCA Healthcare to implement a variety of safeguards to better protect patient data. The injunctive relief requested includes data protection through encryption, the deletion of private information unless there is a legitimate reason for retaining that information, prohibiting the storage of data in a cloud-based database, independent third-party security audits, data segmentation, the implementation and maintenance of threat management and monitoring programs, and audits, tests, and training of security personnel.

Lawsuits are commonly filed following healthcare data breaches and a breach of this magnitude is likely to trigger many more lawsuits over the coming days and weeks; however, while legal action can be taken, there is no guarantee of success. Healthcare data breach lawsuits often hinge on whether there has been a concrete injury that more than likely was caused by a specific data breach. Lawsuits that only allege a risk of identity theft and fraud are unlikely to be granted standing.

The post First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach appeared first on HIPAA Journal.

Johns Hopkins Facing Multiple Lawsuits Over MOVEit Data Breach

Two lawsuits have recently been filed in the U.S. District Court for the District of Maryland against Johns Hopkins University and Johns Hopkins Health System that allege a failure to properly secure and safeguard the protected health information of patients, resulting in the theft of their data by the Clop ransomware group.

In May 2023, the Clop ransomware group targeted a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The attacks occurred in late May and affected more than 150 organizations, resulting in the theft of the personal and protected health information of millions of individuals. Johns Hopkins has yet to confirm how many staff members, students, and patients were affected as the investigation into the incident has not yet concluded but has said names, addresses, dates of birth, and Social Security numbers were stolen in the attack.

The two lawsuits make similar claims and allege a failure to implement appropriate security safeguards to protect personally identifiable information (PII) and protected health information (PHI). One of the lawsuits, filed on July 7 naming Pamela Hunter as plaintiff, claims the attackers stole the sensitive data of tens and possibly hundreds of thousands of individuals as a result of the defendants “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members’ PHI/PII was safeguarded,” and “failing to follow applicable, required and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.”

The lawsuit also alleges the defendants did not meet their obligations under the HIPAA Privacy and Security Rules regarding the safeguarding of protected health information, and the HIPAA Breach Notification Rule by unnecessarily delaying breach notifications. The lawsuit alleges negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment. A second lawsuit was filed on July 10 naming Maria Gregory and Ayomiposi Asaolu as plaintiffs that makes similar claims about the failure to protect PII/PHI. The lawsuit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, intrusion upon seclusion/invasion of privacy, breach of implied contract, and unjust enrichment.

Both lawsuits allege the plaintiffs and class members have been harmed as a result of the data breach and claim an injury has been suffered in the form of lost time and money protecting against identity theft and fraud, diminution of the value of their PHI/PII, anxiety over the impact of the data breach, and an imminent and substantial risk of identity theft and fraud due to the theft of their sensitive data. The lawsuits seek damages and injunctive relief and suggest a list of measures that should be implemented to prevent similar data breaches in the future.

The lawsuits are likely to hinge on whether the plaintiffs are determined to have suffered a concrete injury as a result of the data breach, and whether any such injury can be attributed to this specific data breach. Pamela Hunter and the class are represented by Courtney L. Weiner and Laukaitis Law LLC, and Maria Gregory and Ayomiposi Asaolu and the class are represented by Tycko & Zavareei LLP and Edelson Lechtzin LLP.


Comprehensive Data Privacy Law Passed by the Delaware Legislature

A comprehensive new data privacy law has been passed by the Delaware legislature and now awaits Delaware Governor John Charles Carney Jr.’s signature. Governor Carney is expected to sign the Personal Data Privacy Act into law and make Delaware the 12th state to introduce a comprehensive data privacy law.

In contrast to the data privacy laws introduced in several other states, the Delaware Personal Data Privacy Act does not include exceptions for HIPAA-covered entities and their business associates, although the Act does have an information-level exception and does not apply to protected health information. HIPAA-regulated entities will need to ensure that they are fully compliant with the new law, although many of the requirements should not prove too challenging for organizations that are fully compliant with the HIPAA Privacy and Security Rules.

The Personal Data Privacy Act gives state residents new rights over their personal data and allows them to find out about the information that is being collected about them, inspect that information, correct errors, and request the deletion of their personal data; consumers must not be discriminated against for exercising any of those rights. The Personal Data Privacy Act adopts a broad definition of personal and sensitive data. Personal data includes any data “that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.”

Sensitive personal data includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary individual, citizenship status, or immigration status. Sensitive data also covers genetic/biometric data, precise geolocation data, and the personal data of a known child and cannot be processed without consent. Consumers must be informed in a clear and concise way, through a privacy notice, how their personal data will be collected and used, what data will be shared with third parties, and the categories of third parties that will be provided with personal data. Consumers must also be provided with an opportunity to opt out of the sale of their personal data or its use to serve them with targeted advertisements. Any data collected must be limited to what is reasonably necessary to achieve the purpose for which the data is processed, and the data must be protected with reasonable security measures to ensure the confidentiality, integrity, and accessibility of personal data.

The Act adopts the same definition of a child as the Children’s Online Privacy Protection Act (COPPA) and has the same requirements for parental consent as COPPA with respect to a consumer that is a child. Data controllers are prohibited from serving targeted advertisements or selling the personal data of a consumer who is between the ages of 13 and 18 without consent, where the controller has knowledge that the consumer is between 13 and 18 years of age.

The Act applies to corporations that operate in Delaware that control or process the personal data of 35,000 or more consumers, or more than 10,000 consumers if more than 20% of gross revenue comes from the sale of personal data. The thresholds are considerably lower than in many other states that have enacted data privacy laws.

The new law is expected to take effect on January 1, 2025, assuming the bill is signed into law by the state governor before January 1, 2024, and will be solely enforced by the Delaware Department of Justice. The Department of Justice will engage in public outreach at least 6 months prior to the effective date to raise awareness of the new requirements with consumers and the business community.


$6 Million Settlement Proposed to Resolve UKG/Kronos Data Breach Lawsuit

UKG (Ultimate Kronos Group), a multinational provider of workforce management and human resources (HR) management services, has proposed a $6 million settlement to resolve claims related to a ransomware attack and data breach that was discovered in 2021. The breach affected several of its healthcare clients, including Allegheny Health Network, Highmark Health, Baptist Health, UF Health, Ascension, Shannon Medical Center, and Franciscan Missionaries of Our Lady Health System.

UKG was formed in 2020 when Ultimate Software acquired Kronos, a Lowell, MA-based workforce management and human capital management cloud provider. On December 11, 2021, suspicious activity was detected in the Kronos private cloud where UKG solutions were deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. Those solutions were disrupted at a time when its healthcare provider clients were experiencing patient surges due to COVID-19 and flu, which left them unable to process employee paychecks for weeks. UKG also confirmed that the hackers exfiltrated sensitive data from the private cloud. The attack reportedly affected around 2,000 of its clients.

Legal action – In re: UKG Inc. Cybersecurity Litigation – was taken by the victims of the breach who alleged UKG had failed to implement reasonable and appropriate safeguards to protect against ransomware attacks, and if those measures had been taken, the ransomware attack would not have succeeded and millions of individuals would not have had their sensitive data compromised and had their paychecks delayed.

UKG chose to settle the lawsuit with no admission of wrongdoing. Under the terms of the proposed settlement, class members are entitled to submit claims of up to $1,000 for unreimbursed ordinary expenses, which include losses traceable to the data breach such as communication charges and bank fees but not lost wages, along with up to 4 hours of lost time at $25 per hour. Any individual that experienced identity theft or fraud can submit a claim for up to $7,500 to recover documented, unreimbursed extraordinary losses.

Members of two subclasses are entitled to additional payments. Individuals who were notified that their sensitive data was exfiltrated and were offered credit monitoring services are entitled to receive a payment of $100 in addition to any claims for ordinary and extraordinary losses. Individuals who were residents of California at the time of the attack will be entitled to receive an additional payment of $30 in addition to any claims submitted.

The deadline for exclusion from and objection to the settlement is September 18, 2023. The deadline for submitting claims is October 3, 2023. The final fairness hearing has been scheduled for November 17, 2023.


HHS-OIG Final Rule Authorizes Information Blocking Penalties of up to $1 Million for Health IT Vendors

The civil monetary penalties for health IT companies that are found to be engaging in information blocking have been finalized. Fines of up to $1 million can be imposed per violation.

In 2016, the 21st Century Cures Act made sharing electronic health information the expected norm in healthcare and authorized the Secretary of the Department of Health and Human Services (HHS) to identify reasonable and necessary activities that do not constitute information blocking. In 2020, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) established information blocking provisions and exceptions in the 21st Century Cures Act Final Rule, and new civil monetary penalties were proposed for enforcement. The HHS’ Office of Inspector General (HHS-OIG) has now issued a final rule enacting those penalties for health IT developers of certified health IT and other entities offering certified health IT, health information exchange (HIEs), and health information networks (HINs). Financial penalties can also be imposed on healthcare providers that engage in information blocking; however, those penalties have yet to be finalized, although a final rule on provider penalties is expected soon.

Enforcement of the information blocking penalties will commence 60 days after the publication of the final rule in the Federal Register. HHS-OIG has confirmed that penalties will not be imposed for information blocking conduct that occurs before 60 days after the publication in the Federal Register. HHS-OIG will take various factors into consideration when determining an appropriate financial penalty, including the extent to which information blocking has occurred, how many individuals have been affected, and the harm the information blocking has caused.

HHS-OIG expects to receive large numbers of complaints about information blocking and potentially many more than it can investigate, so its enforcement activities will focus on the most egregious cases, where information blocking has been performed knowingly, over a long period, and if the information blocking has the potential to cause patient harm or impact the ability of healthcare providers to provide care to patients. HHS-OIG may also choose to investigate cases against a single entity in response to large numbers of complaints. HHS-OIG may consider other alternative enforcement approaches rather than imposing civil monetary penalties in the future, but in the short term, it does not anticipate using any other enforcement measures than fines. HHS-OIG has also confirmed its investigation process following the receipt of complaints about perceived information blocking, as detailed in the diagram below.

How HHS-OIG Investigates Complaints of Information Blocking. Source: HHS Office of Inspector General

The civil monetary penalties are expected to help ensure that electronic health information flows to support patient care and will finally give HHS-OIG the authority to act on the hundreds of complaints it has received. ONC says that more than 700 complaints about alleged information blocking have been received since April 2021. A recent study published in the Journal of the American Medical Informatics Association (JAMIA) confirmed the extent to which information blocking is believed to be occurring. The study was based on American Hospital Association (AHA) survey data collected between April and September 2021. The researchers found 42% of surveyed hospitals believed they had encountered activity that they perceived to constitute information blocking. In 2022, 12% of hospitals believed healthcare providers were engaging in information blocking practices, down from 36% in 2021; however, perceived information blocking by IT vendors increased between 2021 and 2022. In 2021, 19% of hospitals believed IT vendors were engaging in information blocking, rising to 20% in 2022, and hospitals reported an increase in information blocking by developers of certified health IT, which rose from 17% in 2021 to 22% in 2022.


HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. §164.502(a).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the 7th OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules. See HIPAA Violation Fines.


Great Valley Cardiology Sued over 181,000-Record Data Breach

A lawsuit has been filed against the Commonwealth Health cardiology group, Great Valley Cardiology (GVC), over a recently disclosed security incident in which hackers gained access to GVC’s computer network and the protected health information (PHI) of 181,764 individuals.

The data breach was discovered on April 13, 2023; however, the forensic investigation confirmed that hackers first gained access to its network 2 months previously on February 2, 2023. The review of the files potentially accessed or stolen confirmed they contained PHI such as names, medical information, Social Security numbers, credit/debit card information, and banking information. Individuals started to be notified about the data breach on June 12, 2023, as time was required to identify all affected individuals and verify contact information to allow notification letters to be mailed. Affected individuals were offered 24 months of complimentary credit monitoring and identity theft protection services.

A lawsuit was filed in Lackawanna County Court by attorney Andrew W. Ferich of the law firm Ahdoot & Wolfson, PC, against Commonwealth Health Physician Network, doing business as Great Valley Cardiology and Scranton Cardiovascular Physician Services LLC on behalf of plaintiff Michele Jarrow and similarly situated individuals who had their PHI compromised in the incident.

The defendants have not detected any misuse of patient information as a result of the breach; however, the lawsuit claims that patient information has been exposed and there is no way to ensure that the exposed information will not be misused. Consequently, the plaintiff and class members will need to spend time and money protecting themselves against fraud and identity theft for many years, and potentially for life. The plaintiff claims that she was informed by her security software that her personal information has been posted on the dark web, making it available to cybercriminals such as identity thieves.

In addition to failing to prevent the data breach, the lawsuit takes issue with the time taken to notify affected individuals that their data had been exposed. Notification letters were issued two months after the breach was detected and four months after the breach occurred, which the lawsuit alleges compounded the potential injury. The lawsuit alleges negligence, breach of fiduciary duty, breach of contract, and unjust enrichment, and seeks class action status, a jury trial, damages, and attorneys’ fees.

Lawsuits are often filed in response to healthcare data breaches, but Article III standing is often only granted if the plaintiffs can prove they have suffered a concrete injury. Lawsuits that only allege a future risk of injury or harm as a result of a security breach often fail to be granted standing, even if stolen data has been published on the dark web.


Nevada Consumer Health Data Bill Signed into Law

The governor of Nevada recently signed a new consumer health data privacy bill into law that strengthens consumer health data privacy and gives Nevada residents new rights over their health data. Senate Bill (SB) 370 was modeled on Washington’s recently enacted “My Health, My Data” (MHMD) bill, although it is less comprehensive in scope. The new law applies to entities that conduct business in Nevada or produce or provide products or services that are targeted at consumers in Nevada and, either alone or with others, determine the purpose and means of processing, sharing, or selling consumer health data. Exceptions include law enforcement agencies and their contractors, and entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

The new law applies to consumer health data, which is defined as personally identifiable information that is linked to or reasonably capable of being linked to a consumer that a regulated entity uses to identify the past, present, or future health status of a consumer, but excludes information for certain research purposes, public health purposes, FERPA-covered data, and health data collected and shared as authorized by other state or federal laws, and certain other purposes.

Consumer health data includes information about any health condition or status, disease, or diagnosis; social, psychological, behavioral, or medical intervention; surgeries or health-related procedures; use or acquisition of medication; bodily functions, vital signs, or symptoms; reproductive or sexual health care; gender-affirming care; biometric/genetic data; precise geolocation information; and health information derived or inferred from non-health data.

The new law gives consumers new rights over their health information, including the right to confirm if a covered business is collecting, sharing, or selling their health data, obtain a list of all third parties that their health data has been sold to or shared with, the right to stop a business from processing, sharing, or selling their health data, and the right to have their health data deleted. In the case of the latter, covered businesses have to delete data and notify affiliates, processors, and contractors of the deletion request within 30 days. Responses to consumer requests are required without undue delay and no later than 45 days after the request is authenticated.

Covered businesses must obtain affirmative, voluntary consent for the collection and sharing of consumer health data and obtain written, signed authorization before the sale of consumer health data is permitted. Covered businesses are required to maintain a consumer health data privacy policy, restrict access to consumer health data to employees and processors that need access to the data, maintain reasonable security practices, and establish a consumer appeals process. A privacy policy must be clearly posted on a covered business’s main Internet site that clearly explains how consumer health data is collected and used, the categories of entities with whom the information will be shared, and clearly explain consumer rights, such as the process for reviewing, requesting changes, and deleting consumer health data. Covered businesses are prohibited from geofencing healthcare facilities (within 1,750 ft) for the purpose of identifying/tracking consumers receiving or seeking healthcare, collecting health data from consumers, or sending health data or healthcare-related notifications, messages, or advertisements to consumers.

The new law takes effect on March 31, 2024, after which date the state Attorney General can impose financial penalties for noncompliance; however, there is no private cause of action, so consumers are unable to take legal action against entities that have violated their privacy through noncompliance with the law.
