Legal News

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

Posted by HIPAA Journal

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv.

The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients.

In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions.

In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications.

In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates. It is alleged the mailing resulted in the disclosure of the recipient’s HIV status.

According to Ohio Department of Health policies, information related to HIV should only be sent in non-window envelopes. The mailing would have violated those policies and Health Information Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA breach would need to be reported to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of the breach; however, the complainant alleges no breach report was submitted to OCR and notifications were not sent to affected individuals – A further breach of HIPAA Rules.

Plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

There have been other breaches of HIV information in recent weeks, including a mailing error by a vendor of Aetna. In that case, HIV-related information was visible through the clear plastic windows of envelopes in a mailing to 12,000 individuals. Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200 and is currently suing its mailing vendor to recover the costs. Aetna was also fined by the New York Attorney General over the breach and settled that case for $1.15 million.

The post Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach appeared first on HIPAA Journal.

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

The post What is HIPAA Certification? appeared first on HIPAA Journal.

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Posted by HIPAA Journal

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed

fruitfly malware

Phillip R. Durachinsky

UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities have not fully been determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggregated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.

The post 1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware appeared first on HIPAA Journal.

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

Posted by HIPAA Journal

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data.

Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration.

The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just 30 days following the date of determination that a security breach has occurred.

Typically, when states propose legislation to improve protections for state residents whose personal information is exposed, organizations in compliance with federal data breach notification laws are deemed to be in compliance with state laws.

However, the new bill clarifies that will not necessarily be the case. Healthcare organizations covered by HIPAA laws have up to 60 days to issue notifications to breach victims. The amended bill states that when federal laws require notifications to be sent, the breached entity will be required to comply with the law with the shortest time frame for issuing notices.

That means HIPAA covered entities who experience a data breach that impacts Colorado residents would have half as long to issue notifications.

The original bill required breached entities to issue notifications to the state attorney general within 7 days of the discovery of a breach impacting 500 or more Colorado residents. The amended bill has seen that requirement relaxed to 30 days following the discovery of a breach of personal information. Further, the state attorney general does not need to be notified of a breach if there has been no misuse of breached data or if data misuse is unlikely to occur in the future.

If the new legislation is passed, Colorado residents will be among the best protected individuals in the United States. Only Florida has introduced such strict time scales for sending notifications to breach victims. Colorado residents would also be much better protected when their data is exposed by a healthcare organization, with the time frame for notification cut in half.

The post Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days appeared first on HIPAA Journal.

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Posted by HIPAA Journal

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes.

The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach.

The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated.

The costs associated with the privacy breach are mounting and Aetna does not believe it should have to cover costs resulting from the (alleged) negligence of a third-party. The health insurer is seeking at least $20 million in damages from the administrative support company – Kurtzman Carson Consultants (KCC) – whose error resulted in the privacy breach.

In the lawsuit, Aetna claims the firm’s errors and omissions amounted to gross negligence and that KCC should have been aware that HIV medication information was detailed under the names and addresses of its plan members. Aetna claims no checks were performed to determine how much information was visible through the windows of the envelopes. Aetna also claims KCC did not communicate to Aetna that envelopes with clear plastic windows were being used for the mailing, and that Aetna’s lawyers were not consulted to give their approval of the mailing.

Aetna did try to resolve matters directly with KCC and sought indemnification; however, the talks failed prompting Aetna to take legal action.

Aetna is seeking a ‘hold harmless’ ruling which will see the Aetna protected from all liability, damages, payments and claims related to the mailing. With the outcome of other lawsuits pending, further investigations being conducted by state attorneys general, and a potential HIPAA breach penalty from the Department of Health and Human Services’ office for Civil Rights, the final cost of the mailing error is likely to be well in excess of $20 million.

In addition to seeking damages, Aetna is also trying to get KCC to return or destroy all confidential information provided to allow the firm to process the mailing.

KCC denies the allegations and its general counsel, Drake Foster, said Aetna’s claims are ‘demonstrably false.’

It is not only Aetna taking legal action against KCC over the mailing fiasco. A subsidiary of KCC has also filed a lawsuit against Aetna claiming the health insurer failed to protect the privacy of its plan members. The lawsuit was filed in Los Angeles federal court the day after Aetna’s lawsuit was filed in Philadelphia federal court.

In its lawsuit, KCC claims Aetna and its lawyers at Gibson Dunn & Crutcher were provided with samples of the letters and were aware that envelopes with clear plastic windows were being used. KCC claims the letters and the use of the envelopes were both approved.

KCC also claims the confidential information it received in order to send the mailing was not subject to a protection order, and neither was all of the information encrypted during transit to KCC via Gibson Dunn. KCC also claims Aetna shared more information than was necessary to send the mailing: A breach of the minimum necessary standard of HIPAA.

KCC is seeking a declaration that it is not responsible for any of the costs arising from the privacy breach and that all of its legal costs should be covered by Aetna.

The post Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach appeared first on HIPAA Journal.

Nebraska Personal Information Bill Advances After 34-0 First Round Vote

Posted by HIPAA Journal

On January 3, 2018, Senator Adam Morfield introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. The first round of voting has seen the bill unanimously passed by Nebraska lawmakers.

The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 Americans – and almost 700,000 Nebraskans – compromised as a result of a cyberattack.

The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced.

According to Sen. Morfield, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before crediting reporting agencies like Equifax.” Sen. Morfield has made the bill his number one priority.

It was not only the scale of the Equifax breach that was galling for Se. Morfield, but the actions of Equifax following the breach. The company only provided 12 months of free credit monitoring services to breach victims, after which consumers would be charged to protect themselves. Many consumers were also forced to pay out of pocket to freeze their accounts, as those services were not provided free of charge. While free credit monitoring services were offered, chargeable credit freezes were advertised on the same site.

Nebraska Attorney General Doug Peterson also spoke out about the actions of Equifax, claiming the firm was “seemingly using its own data breach as an opportunity to sell services to breach victims.”

The bill proposes credit reporting agencies should not be permitted to charge consumers fees for placing and removing credit freezes on accounts” after a credit reporting agency experiences a security breach that exposes consumer data.

The bill originally called for such breaches to require a lifetime of free credit reporting services to be provided to breach victims, although that attracted considerable criticism from the industry and the bill was amended.

In addition to free credit reporting and credit freezes, the bill would require credit agencies to maintain “reasonable security procedures and practices,” to ensure the confidentiality of any consumer data held, and also for any third-party companies that are provided with consumer data by the agencies to also ensure they have reasonable security measures in place. The bill would give the state attorney general greater powers to pursue legal action against companies and collect damages on behalf of consumers.

While the bill is primarily concerned with protecting consumers from data breaches experienced by credit monitoring and reporting agencies, the bill requires any “individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains data that includes personal information about a resident of Nebraska,” to implement and maintain reasonable security measures to protect the data of state residents.

If a company or organization complies with federal legislation that provides the same or greater levels of protection for consumers, it would be deemed to be in compliance with the requirements of Legislative Bill 757 – For example, organizations that comply with the Gramm-Leach-Bliley Act or HIPAA.

While there was a unanimous vote in favor of the bill, some Senators were concerned about the impact such a bill would have on consumers and the credit monitoring and reporting industry. Some senators have requested further information on the bill, with Sen. Paul Schumacher of Columbus concerned that the bill may result in significant cost increases for consumers. However, despite concerns, the bill was passed 34-0.

Before the bill is written into the state legislature it is required to pass two further votes.

The post Nebraska Personal Information Bill Advances After 34-0 First Round Vote appeared first on HIPAA Journal.

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

Posted by HIPAA Journal

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information.

CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules.

CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings.

CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident.

The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million.

A lawsuit was filed by the CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy alleges the mismailing was due to negligence by its subcontractor, and the $1.8 payment was made as a direct result of that negligence. CVS Pharmacy maintains the breach was fully under the control of its subcontractor.

CVS Pharmacy alleged the mail service owed it a duty of reasonable care and that duty of care was breached. Since PHI was improperly disclosed and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to send notifications to the 41 plan members, which the complainant claims caused damage its reputation.

The mail service sought to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that required the $1.8 million payment. The mail service also contended that its indemnification provisions were not intended to cover this type of payment.

However, the federal court declined to dismiss the CVS Pharmacy’s lawsuit. The court ruled that the indemnification provisions of the subcontractor were broad enough to encompass CVS Pharmacy’s payment to the health plan, and the subcontractor had no right to challenge the contractual obligation since it was not a party or third-party beneficiary to the contact. The court also ruled that CVS Pharmacy sufficiently alleged negligence based on the breach of duty.

Losses were also suffered as a result of that negligence, as CVS Pharmacy had to make a sizeable payment to the health plan in addition to covering the cost of issuing notifications to the plan members whose PHI was disclosed. Consequently, the motion to dismiss the case was denied.

The post Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss appeared first on HIPAA Journal.

Breach Notification Bill Passes South Dakota Senate Judiciary Committee

Posted by HIPAA Journal

At present, South Dakota is one of two states that do not have breach notification laws (Alabama being the other), but that could soon change if proposals passed by the Senate Judiciary Committee last Tuesday are enacted by the South Dakota State Legislature.

The proposed bill – SB 62 (PDF) – would amend Chapter 22-40 of the Codified Laws relating to identity crimes, and require companies maintaining computerized information about South Dakota residents to inform consumers of “unauthorized acquisition” of their personal data.

If enacted, the bill stipulates residents have to be informed within sixty days of discovery of a breach unless the company and the State Attorney General´s Office determine the breach will unlikely cause harm to those whose data has been acquired without authorization.

Under the proposed laws, extensions to the sixty-day limit are allowed if more time is required for law enforcement agencies to investigate the breach; and, if the breach involves more than 250 South Dakota residents, companies must notify consumer reporting agencies of the timing, distribution, and content of the breach notification sent to affected residents.

How This Might Affect HIPAA-Covered Entities

Although the bill mostly uses HIPAA´s definition of Protected Health Information to determine what constitutes “personal data”, the definition of biometric data is slightly amended to “that generated from measurements or analysis of human body characteristics for authentication purposes”.

A more significant dissimilarity with the HIPAA is that affected residents of South Dakota have to be notified of a breach within sixty days, rather than the ninety days mandated by the Breach Notification Rule. There is also the requirement to notify consumer reporting agencies of a breach affecting more than 250 residents (rather than informing HHS of breaches involving more than 500 records).

HIPAA-Covered Entities and Business Associates maintaining the personal data of South Dakota residents will be deemed to be in compliance with the proposals unless it is subsequently proven otherwise. Organizations unsure about their HIPAA Compliance should seek professional advice as the proposed penalties for non-compliance with South Dakota´s breach notification law are significant.

Penalties for Non-Compliance with the Proposed Bill

The bill places the responsibility for investigating non-compliance with the South Dakota Attorney General´s Office, and gives the Attorney General the authority to impose a civil penalty of up to $10,000 per violation per day plus the costs of pursuing civil action.

The bill also allows the State to impose civil penalties of up to $2,000 per violation per day under it “Deceptive Trade Practices and Consumer Protection Law” (§37-24-27). The criteria for falling foul of this law is that a company knew, or should have known, it had a legal duty to notify consumers of a breach of their personal information.

The post Breach Notification Bill Passes South Dakota Senate Judiciary Committee appeared first on HIPAA Journal.