Legal News

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Posted by HIPAA Journal

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed

fruitfly malware

Phillip R. Durachinsky

UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities have not fully been determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggregated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.

The post 1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware appeared first on HIPAA Journal.

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

Posted by HIPAA Journal

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data.

Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration.

The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just 30 days following the date of determination that a security breach has occurred.

Typically, when states propose legislation to improve protections for state residents whose personal information is exposed, organizations in compliance with federal data breach notification laws are deemed to be in compliance with state laws.

However, the new bill clarifies that will not necessarily be the case. Healthcare organizations covered by HIPAA laws have up to 60 days to issue notifications to breach victims. The amended bill states that when federal laws require notifications to be sent, the breached entity will be required to comply with the law with the shortest time frame for issuing notices.

That means HIPAA covered entities who experience a data breach that impacts Colorado residents would have half as long to issue notifications.

The original bill required breached entities to issue notifications to the state attorney general within 7 days of the discovery of a breach impacting 500 or more Colorado residents. The amended bill has seen that requirement relaxed to 30 days following the discovery of a breach of personal information. Further, the state attorney general does not need to be notified of a breach if there has been no misuse of breached data or if data misuse is unlikely to occur in the future.

If the new legislation is passed, Colorado residents will be among the best protected individuals in the United States. Only Florida has introduced such strict time scales for sending notifications to breach victims. Colorado residents would also be much better protected when their data is exposed by a healthcare organization, with the time frame for notification cut in half.

The post Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days appeared first on HIPAA Journal.

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Posted by HIPAA Journal

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes.

The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach.

The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated.

The costs associated with the privacy breach are mounting and Aetna does not believe it should have to cover costs resulting from the (alleged) negligence of a third-party. The health insurer is seeking at least $20 million in damages from the administrative support company – Kurtzman Carson Consultants (KCC) – whose error resulted in the privacy breach.

In the lawsuit, Aetna claims the firm’s errors and omissions amounted to gross negligence and that KCC should have been aware that HIV medication information was detailed under the names and addresses of its plan members. Aetna claims no checks were performed to determine how much information was visible through the windows of the envelopes. Aetna also claims KCC did not communicate to Aetna that envelopes with clear plastic windows were being used for the mailing, and that Aetna’s lawyers were not consulted to give their approval of the mailing.

Aetna did try to resolve matters directly with KCC and sought indemnification; however, the talks failed prompting Aetna to take legal action.

Aetna is seeking a ‘hold harmless’ ruling which will see the Aetna protected from all liability, damages, payments and claims related to the mailing. With the outcome of other lawsuits pending, further investigations being conducted by state attorneys general, and a potential HIPAA breach penalty from the Department of Health and Human Services’ office for Civil Rights, the final cost of the mailing error is likely to be well in excess of $20 million.

In addition to seeking damages, Aetna is also trying to get KCC to return or destroy all confidential information provided to allow the firm to process the mailing.

KCC denies the allegations and its general counsel, Drake Foster, said Aetna’s claims are ‘demonstrably false.’

It is not only Aetna taking legal action against KCC over the mailing fiasco. A subsidiary of KCC has also filed a lawsuit against Aetna claiming the health insurer failed to protect the privacy of its plan members. The lawsuit was filed in Los Angeles federal court the day after Aetna’s lawsuit was filed in Philadelphia federal court.

In its lawsuit, KCC claims Aetna and its lawyers at Gibson Dunn & Crutcher were provided with samples of the letters and were aware that envelopes with clear plastic windows were being used. KCC claims the letters and the use of the envelopes were both approved.

KCC also claims the confidential information it received in order to send the mailing was not subject to a protection order, and neither was all of the information encrypted during transit to KCC via Gibson Dunn. KCC also claims Aetna shared more information than was necessary to send the mailing: A breach of the minimum necessary standard of HIPAA.

KCC is seeking a declaration that it is not responsible for any of the costs arising from the privacy breach and that all of its legal costs should be covered by Aetna.

The post Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach appeared first on HIPAA Journal.

Nebraska Personal Information Bill Advances After 34-0 First Round Vote

Posted by HIPAA Journal

On January 3, 2018, Senator Adam Morfield introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. The first round of voting has seen the bill unanimously passed by Nebraska lawmakers.

The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 Americans – and almost 700,000 Nebraskans – compromised as a result of a cyberattack.

The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced.

According to Sen. Morfield, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before crediting reporting agencies like Equifax.” Sen. Morfield has made the bill his number one priority.

It was not only the scale of the Equifax breach that was galling for Se. Morfield, but the actions of Equifax following the breach. The company only provided 12 months of free credit monitoring services to breach victims, after which consumers would be charged to protect themselves. Many consumers were also forced to pay out of pocket to freeze their accounts, as those services were not provided free of charge. While free credit monitoring services were offered, chargeable credit freezes were advertised on the same site.

Nebraska Attorney General Doug Peterson also spoke out about the actions of Equifax, claiming the firm was “seemingly using its own data breach as an opportunity to sell services to breach victims.”

The bill proposes credit reporting agencies should not be permitted to charge consumers fees for placing and removing credit freezes on accounts” after a credit reporting agency experiences a security breach that exposes consumer data.

The bill originally called for such breaches to require a lifetime of free credit reporting services to be provided to breach victims, although that attracted considerable criticism from the industry and the bill was amended.

In addition to free credit reporting and credit freezes, the bill would require credit agencies to maintain “reasonable security procedures and practices,” to ensure the confidentiality of any consumer data held, and also for any third-party companies that are provided with consumer data by the agencies to also ensure they have reasonable security measures in place. The bill would give the state attorney general greater powers to pursue legal action against companies and collect damages on behalf of consumers.

While the bill is primarily concerned with protecting consumers from data breaches experienced by credit monitoring and reporting agencies, the bill requires any “individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains data that includes personal information about a resident of Nebraska,” to implement and maintain reasonable security measures to protect the data of state residents.

If a company or organization complies with federal legislation that provides the same or greater levels of protection for consumers, it would be deemed to be in compliance with the requirements of Legislative Bill 757 – For example, organizations that comply with the Gramm-Leach-Bliley Act or HIPAA.

While there was a unanimous vote in favor of the bill, some Senators were concerned about the impact such a bill would have on consumers and the credit monitoring and reporting industry. Some senators have requested further information on the bill, with Sen. Paul Schumacher of Columbus concerned that the bill may result in significant cost increases for consumers. However, despite concerns, the bill was passed 34-0.

Before the bill is written into the state legislature it is required to pass two further votes.

The post Nebraska Personal Information Bill Advances After 34-0 First Round Vote appeared first on HIPAA Journal.

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

Posted by HIPAA Journal

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information.

CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules.

CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings.

CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident.

The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million.

A lawsuit was filed by the CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy alleges the mismailing was due to negligence by its subcontractor, and the $1.8 payment was made as a direct result of that negligence. CVS Pharmacy maintains the breach was fully under the control of its subcontractor.

CVS Pharmacy alleged the mail service owed it a duty of reasonable care and that duty of care was breached. Since PHI was improperly disclosed and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to send notifications to the 41 plan members, which the complainant claims caused damage its reputation.

The mail service sought to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that required the $1.8 million payment. The mail service also contended that its indemnification provisions were not intended to cover this type of payment.

However, the federal court declined to dismiss the CVS Pharmacy’s lawsuit. The court ruled that the indemnification provisions of the subcontractor were broad enough to encompass CVS Pharmacy’s payment to the health plan, and the subcontractor had no right to challenge the contractual obligation since it was not a party or third-party beneficiary to the contact. The court also ruled that CVS Pharmacy sufficiently alleged negligence based on the breach of duty.

Losses were also suffered as a result of that negligence, as CVS Pharmacy had to make a sizeable payment to the health plan in addition to covering the cost of issuing notifications to the plan members whose PHI was disclosed. Consequently, the motion to dismiss the case was denied.

The post Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss appeared first on HIPAA Journal.

Breach Notification Bill Passes South Dakota Senate Judiciary Committee

Posted by HIPAA Journal

At present, South Dakota is one of two states that do not have breach notification laws (Alabama being the other), but that could soon change if proposals passed by the Senate Judiciary Committee last Tuesday are enacted by the South Dakota State Legislature.

The proposed bill – SB 62 (PDF) – would amend Chapter 22-40 of the Codified Laws relating to identity crimes, and require companies maintaining computerized information about South Dakota residents to inform consumers of “unauthorized acquisition” of their personal data.

If enacted, the bill stipulates residents have to be informed within sixty days of discovery of a breach unless the company and the State Attorney General´s Office determine the breach will unlikely cause harm to those whose data has been acquired without authorization.

Under the proposed laws, extensions to the sixty-day limit are allowed if more time is required for law enforcement agencies to investigate the breach; and, if the breach involves more than 250 South Dakota residents, companies must notify consumer reporting agencies of the timing, distribution, and content of the breach notification sent to affected residents.

How This Might Affect HIPAA-Covered Entities

Although the bill mostly uses HIPAA´s definition of Protected Health Information to determine what constitutes “personal data”, the definition of biometric data is slightly amended to “that generated from measurements or analysis of human body characteristics for authentication purposes”.

A more significant dissimilarity with the HIPAA is that affected residents of South Dakota have to be notified of a breach within sixty days, rather than the ninety days mandated by the Breach Notification Rule. There is also the requirement to notify consumer reporting agencies of a breach affecting more than 250 residents (rather than informing HHS of breaches involving more than 500 records).

HIPAA-Covered Entities and Business Associates maintaining the personal data of South Dakota residents will be deemed to be in compliance with the proposals unless it is subsequently proven otherwise. Organizations unsure about their HIPAA Compliance should seek professional advice as the proposed penalties for non-compliance with South Dakota´s breach notification law are significant.

Penalties for Non-Compliance with the Proposed Bill

The bill places the responsibility for investigating non-compliance with the South Dakota Attorney General´s Office, and gives the Attorney General the authority to impose a civil penalty of up to $10,000 per violation per day plus the costs of pursuing civil action.

The bill also allows the State to impose civil penalties of up to $2,000 per violation per day under it “Deceptive Trade Practices and Consumer Protection Law” (§37-24-27). The criteria for falling foul of this law is that a company knew, or should have known, it had a legal duty to notify consumers of a breach of their personal information.

The post Breach Notification Bill Passes South Dakota Senate Judiciary Committee appeared first on HIPAA Journal.

New Bill Proposes to Amend Iowa Breach Notification Act

Posted by HIPAA Journal

A new bill introduced by Iowa Attorney General Tom Miller will, if implemented, extend the definition of a data breach to include medical information, health insurance information and personal information that previously had to be combined with other individual identifiers before a breach was classified as a breach.

Since 2014, data breaches affecting more than five hundred Iowa residents have had to be reported to the director of the consumer protection division of the office of the Iowa Attorney General. More than 120 breaches have been notified in the past four years including those at Anthem Blue Cross, Banner Health and Medical Informatics Engineering.

The relatively low number of reported breaches implies that either the personal data of Iowa residents is remarkably secure, or that hacked entities are failing to notify the Attorney General´s office as required. AG Tom Miller intends to find out which by introducing an amendment to the state´s current Breach Notification Act that extends the definition of a data breach.

Medical and Health Insurance Information to be Included

Currently, entities experiencing a data breach only have to notify the Attorney General´s office if the data breached includes a social security number, a driver license number, or unique biometric data – or if the breach includes financial data that “in combination with any required expiration date, security code or password would permit access to an individual´s financial account”.

AG Miller´s amendment proposes to remove the “in combination with” requirement, so any breach of financial data is notifiable. It will also add medical information, health insurance information and personal information such as tax identification numbers to the list of notifiable breaches. There is also a proposal to change the current notification period of “without reasonable delay” to forty-five days.

Loopholes Closed over Encryption and Personal Harm Exclusions

Other proposed changes to the Iowa Breach Notification Act include closing some of the loopholes entities can use to avoid notifying the Attorney General´s office of a breach. Currently an entity does not have to report a breach if the accessed data is encrypted. If AG Miller´s proposals are enacted, this exclusion will only apply if data is encrypted to 128-bit standard or higher.

Entities can also avoid reporting a breach if it can be shown there is a reasonable likelihood the breach will not result in “financial harm” to individuals. The amendment proposes the removal of the word “financial” (so a breach with the potential for “any harm” now has to be notified) and stipulates that, if it is determined no harm is reasonably likely, a written justification of the determination should be sent to the Attorney General´s office within five days.

Will the Amendment Result in Better Protection for Iowa Residents?

Announcing the introduction of the amendment, assistant Iowa Attorney General Nathan Blake said; “We wanted to make sure the laws on the books are protecting consumers sufficiently.” However, rather than enhance consumer protection, the proposed amendment to the Iowa Breach Notification Act does little more than close loopholes that should not have been present in the original legislation.

The likely outcome is that Iowa residents will be no better protected against data theft than they are now, and that the number of data breaches reported in Iowa will increase. Quite possibly – in the long term – an increase in reported breaches may result in tougher data protection laws being introduced. However, in the short term, the only issue the amendment will resolve is whether there has been significant under-reporting of data breaches in Iowa since 2014.

The post New Bill Proposes to Amend Iowa Breach Notification Act appeared first on HIPAA Journal.

Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case

Posted by HIPAA Journal

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $115 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the regulations and is required to implement safeguards to ensure the confidentiality of health and HIV information. Several laws in New York also require safeguards to be implemented to protect personal health information and personally identifiable information.

Not only were state and federal laws violated by the mailing, Aetna provided the personal health information of its members to outside counsel who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate yet no business associate agreement was entered into prior to the disclosure of PHI. A further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R § 164.502; 42 U.S.C. § 1320d-5 of HIPAA, N.Y General Business Law § 349, N.Y Public Health Law § 18(6), and N.Y Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. This $115 million settlement only resolves the privacy violations of 2,460 Aetna members in New York state. The mailing was sent to around 13,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the data breach and may choose to penalize the insurer for violating HIPAA Rules.

The post Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case appeared first on HIPAA Journal.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

Posted by HIPAA Journal

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information, which includes, social security numbers, driver’s license numbers, financial account numbers, which could be used to harm the persons whose information is compromised. Such information could have been viewed by anyone in the property, including individuals unauthorized to access the information.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(l) and K.S.A. 50-6,139b(b)(2).

In addition to covering the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney general office during its investigation.

The post Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records appeared first on HIPAA Journal.