Legal News

Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill

The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote.

Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law.

The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement.

Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be harmed as a result of the breach.

A breach is defined as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The law would apply to personal information, which is limited to the full name or initial and last name in conjunction with the following data elements:

Social Security number, driver’s license number, unique government ID number, medical information, health insurance information, employment ID number with associated security code, account or credit/debit card numbers in conjunction with security codes, passwords, PINs or access codes that would permit access to those accounts, biometric data used for authentication purposes, and email addresses, in combination with passwords/security question answers, or other information that permits access to an online account.

The breach notifications would need to be made in writing or electronically if the breach victim is usually contacted in that manner. If the cost of notification exceeds $250,000 or more than 500,000 individuals have been impacted, or if insufficient contact information is held on the breach victims, a substitute breach notice would be acceptable. Substitute notices would need to include an email notice – if a valid email address is held, a conspicuous posting on the entity’s website, and a notice to statewide media. Breaches impacting more than 250,000 individuals would also require notification to be provided to credit reporting agencies.

If passed, the South Dakota Attorney General would be authorized to bring an action against the breached entity over the failure to comply with the law. The maximum civil penalty would be $10,000 per day, per violation. Attorney’s fees and other costs associated with the action would also be recoverable.

The South Dakota breach notification law would apply to all entities doing business in the state of South Dakota, although entities in compliance with federal laws that have breach reporting requirements would be deemed to be in compliance with the requirements of the proposed law.

The post Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill appeared first on HIPAA Journal.

Colorado Considers New Privacy and Data Breach Legislation

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws.

The proposed legislation applies to personally identifying information. The changes would see the following information included in the definition of PII:

Full name or last name and initial in combination with any of the following data elements: Personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information.

Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key to unlock the encryption is also compromised.

Organizations that store the PII of state residents would be required to implement controls to ensure the privacy and confidentiality of PII. The proposed legislation does not include details of the types of security protections, procedures, and practices that must be implemented to keep personally identifiable information secure, only that the security measures be “appropriate to the nature of the personally identifying information and the nature and size of the business and its operations.”

Any entity that wishes to disclose PII to a third party must communicate to that entity that the PII must be protected and secured at all times, including the use of technology, procedures and practices. They must be appropriate to the sensitivity of the data and be reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.

If PII is no longer required, the information must be securely and permanently destroyed, whether the information is in paper form or stored on electronic devices. Policies covering the destruction of data are required in writing.

For paper records, this would likely mean burning, pulping, pulverizing, or shredding. For electronic devices, data would need to be securely erased to prevent reconstruction. Typical methods include degaussing – the exposure of the device to strong magnetic fields, the use of software to overwrite media to prevent reconstruction of data, or destroying the media by pulverization, disintegration, melting, shredding, or incineration.

In the event of a breach of PII, the maximum time limit for issuing notifications would be 45 days from the discovery of a breach. Currently there is no stipulated maximum time frame for issuing notifications. Notifications must currently be issued “in the most expedient time and without unreasonable delay.”

A notification would also need to be sent to the state attorney general no later than 7 days following the discovery of a breach that impacts 500 or more individuals.

As is the case in California and several other states, the legislation stipulates the content that must be included in the breach notification letters. The date of the breach must be communicated, or a reasonable estimate if it is not known, a description of the PII that has been compromised, contact information, a toll-free number to call for further information, contact details of consumer reporting agencies and the FTC, and information on how credit freezes and security alerts can be set.

The legislation would also authorize the Colorado Attorney General to initiate criminal investigations and legal proceedings against organizations that fail to comply with the legislation.

The post Colorado Considers New Privacy and Data Breach Legislation appeared first on HIPAA Journal.

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing, instead an error was made by a third-party vendor.

For some of the patients, the letters had slipped inside the envelope, revealing that the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flatmates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. It is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV, others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease.

Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after being forced to leave their homes by flatmates and relatives. Others have had personal and family relationships severely damaged as a result of the disclosure.

The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., filed a lawsuit in August seeking damages for the victims of the breach. That lawsuit has been settled for $17,161,200 by Aetna, pending Court approval, with no admission of liability. The settlement also requires Aetna to update its policies and procedures to ensure similar privacy breaches are prevented in the future.

There were two alleged breaches of privacy. There was an improper disclosure of protected health information to Aetna’s legal counsel in July, in addition to the mailing of the Benefit Notices that revealed patients were taking HIV medications. Those privacy breaches violated the Health Insurance Portability and Accountability Act (HIPAA) and several state laws according to the lawsuit.

Individuals who had their PHI improperly disclosed will receive a base payment of $75, while class members who were sent the envelopes with the clear plastic windows will receive a base payment of $500. There are almost 1,600 individuals who will receive the $75 payment and almost 12,000 who will receive a payment of $500.

A fund has also been set up for individuals who have suffered additional harm or losses as a result of the disclosure. Those individuals can apply for additional funds by completing a claim form documenting the financial and non-financial harm they have suffered as a result of the privacy breach.

“Through our outreach efforts, immediate relief program, and this settlement we have worked to address the potential impact to members following this unfortunate incident,” said a spokesperson for Aetna. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

The post Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges have potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECH Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations

There is no private cause of action in the Health Insurance Portability and Accountability Act, so patients are not permitted to sue healthcare providers for privacy violations.

However, there have been rulings in several states, including New York, Missouri, and Massachusetts, allowing patients to file lawsuits against healthcare providers over unauthorized and negligent disclosures of medical records.

Following a ruling by the Connecticut Supreme Court last week, Connecticut residents will be permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm.

The legal precedent was set by the Supreme Court in the case Byrne v. Avery Center for Obstetrics & Gynecology.

Emily Byrne filed a lawsuit against Avery Center for Obstetrics and Gynecology (ACOG) after her medical records were disclosed to a man seeking custody of her child in a paternity suit.

ACOG was issued with a subpoena to appear before an attorney and supply Byrne’s medical records. ACOG did not challenge the subpoena, made no attempt to limit disclosure, and simply mailed a copy of Byrne’s medical file to the New Haven Regional Children’s Probate Court, where the records were made available to the man seeking custody of her child.

Byrne and her attorney, Bruce L. Elstein of Trumbull, claimed this amounted to negligence and breach of contract. ACOG claimed that under HIPAA Rules, patient consent was not required before medical records were disclosed in response to a subpoena.

Byrne argued that HIPAA creates a standard of care for patient medical records, and Avery violated that standard by releasing her records. Byrne lost the case in the Superior Court, which ruled that HIPAA does not permit private suits to be filed against healthcare providers for HIPAA violations. Byrne appealed, and the case was heard by the Supreme Court, which ruled in 2014 that HIPAA could be used as a standard of care for common law claims.

The case went before the Supreme Court for a second time after the trial court deferred the case as no courts had addressed the issue of negligence. The Supreme Court disagreed with ACOG’s argument that patient consent is not required before medical records are disclosed in response to a subpoena, saying federal laws require the provider to have “satisfactory assurances” that a patient has been given notice about the request.

In this case, satisfactory assurances had not been obtained. Justice Dennis G. Eveleigh wrote, “the defendant did not even comply with the face of the subpoena.”

In the ruling, Justice Eveleigh wrote, “The dispositive issue in this appeal is whether a patient has a civil remedy against a physician if that physician, without the patient’s consent, discloses confidential information obtained in the course of the physician-patient relationship.”

“We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.”

“Finally, we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages,” said Elstein.

The post Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations appeared first on HIPAA Journal.

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office.

MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts – Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.

In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed.

Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also enhanced, including the use of encryption on all portable computers used to store the sensitive information of Medicaid recipients.

The Massachusetts attorney general’s office investigated the breach and determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” Had those measures been implemented prior to the laptop theft, a breach of sensitive information could have been avoided.

Specifically, MBS had failed to develop, implement, and maintain a written information security program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff how to reasonably safeguard personal information.

A consent judgment against MBS was obtained by Massachusetts Attorney General Maura Healey. That judgment requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.

Attorney General Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”

The post Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000 appeared first on HIPAA Journal.

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI.

The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases.

21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals.

As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That investigation uncovered multiple potential violations of HIPAA Rules.

OCR determined that 21st Century Oncology failed to conduct a comprehensive, organization-wide risk assessment to determine the potential risks to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

21st Century Oncology was also determined to have failed to implement sufficient measures to reduce risks to an appropriate and acceptable level to comply with 45 C.F.R. § 164.306(A).

21st Century Oncology also failed to implement procedures to regularly review logs of system activity, including audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D).

The breach resulted in the impermissible disclosure of the protected health information of 2,213,597 patients.

Further, protected health information of patients was disclosed to business associates without first entering into a HIPAA-compliant business associate agreement and obtaining satisfactory assurances that HIPAA requirements would be followed.

To resolve those potential HIPAA violations, 21st Century Oncology agreed to pay OCR $2.3 million. In addition to the financial settlement, 21st Century Oncology has agreed to adopt a comprehensive corrective action plan (CAP) to bring its policies and procedures up to the standards demanded by HIPAA.

Under the CAP, 21st Century Oncology must appoint a compliance officer, revise its policies and procedures with respect to system activity reviews, access establishment, modification and termination, conduct an organization-wide risk assessment, develop internal policies and procedures for reporting violations of HIPAA Rules, and train staff on new policies.

21st Century Oncology is also required to engage a qualified, objective, and independent assessor to review compliance with the CAP.

Separate $26 Million Settlement Resolves Meaningful Use, Stark Law, and False Claims Act Violations

In addition to the OCR settlement to resolve potential HIPAA violations, 21st Century Oncology has also agreed to a $26 million settlement with the Department of Justice to resolve allegations that it submitted false or inflated Meaningful Use attestations in order to receive incentive payments. 21st Century Oncology self-reported that employees falsely submitted information relating to the use of EHRs to avoid downward payment adjustments. Fabricated reports were also submitted, and the logos of EHR vendors were superimposed on reports to make them appear genuine.

The settlement also resolves allegations that the False Claims Act was violated by submitting or enabling the submission of claims that involved kickbacks for physician referrals, and also violations of the Stark Law, which covers physician self-referrals.

According to the Department of Justice, “The Stark Law prohibits an entity from submitting claims to Medicare for designated health services performed pursuant to referrals from physicians with whom the entity has a financial relationship unless certain designated exceptions apply.”

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).

The post $2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR appeared first on HIPAA Journal.

Lawsuits Filed for Alleged HIPAA and HITECH Act Violations

Two lawsuits have been filed against healthcare organizations over alleged HIPAA and HITECH Act violations.

60 Hospitals Named in Lawsuit Alleging HITECH Act Violations

A recently unsealed complaint, filed in a U.S. District Court in Indiana in 2016, seeks more than $1 billion in damages from 60 hospitals that received HITECH Act meaningful use incentive payments for transitioning to electronic health records, yet failed to meet the requirements of the HITECH Act with respect to providing patients, and their legal representatives, with copies of health records promptly on request.

In order to receive incentive payments, one of the requirements was for hospitals to attest that for at least 50% of patients, they were able to provide copies of medical records within 3 business days of requests being submitted. When copies of health records are requested, the HITECH Act only permits healthcare organizations to charge for labor costs for supplying copies of records.

Michael Misch and Bradley Colborn, attorneys with Anderson, Agostino & Keller, P.C., of South Bend, Indiana, investigated hospitals after growing frustrated with the delay in obtaining copies of health records at their clients’ request, and over the amounts being charged for copies of health records.

The aim of the investigation was to streamline requests, reduce the time taken to obtain copies of health records, and reduce the cost of accessing those records. However, the investigation revealed that many hospitals were failing to meet the requirements of the HITECH Act, even though they had received incentive payments for compliance.

In the complaint, it is alleged that 60 hospitals received payments of $324.4 million in HITECH Act grant funding, yet failed to meet the requirements of the HITECH Act when it came to providing copies of health records to patients. The lawsuit also alleges the hospitals violated the Anti-Kickback Statute and the False Claims Act by falsely claiming compliance with the HITECH Act to gain access to public funding.

Patient Sues BJC Health System Over Barnes-Jewish Hospital Breach

A patient whose protected health information was exposed as a result of a security breach at Barnes-Jewish Hospital in St. Louis, MO, has filed a complaint in the St. Louis Circuit Court against the hospital operator, BJC Health System.

Megan L. Rosemann claims BJC Health System allowed unauthorized individuals to gain access to the protected health information of patients and failed to adequately protect patient data. She alleges BJC Health System was negligent and breached its fiduciary duty.

Rosemann claims the exposure of her information places her at an increased risk of identity theft, abuse, and exploitation. The lawsuit names Rosemann as the plaintiff, along with other individuals affected by the breach. Rosemann is seeking a class certification and trial by jury. A jury trial has been scheduled for May 14, 2018.

BJC Healthcare reported the unauthorized accessing of an email account to the Department of Health and Human Services’ Office for Civil Rights on February 26, 2016. The breach impacted 2,393 patients. The case is still marked as under investigation by OCR.

The post Lawsuits Filed for Alleged HIPAA and HITECH Act Violations appeared first on HIPAA Journal.

3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to The Dark Overlord gang.

Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive.

Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes than those pursued via the courts. Some of those offenses are related to TheDarkOverlord.

In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he was not responsible for the hack.

During the course of that investigation, Wyatt’s computer was seized. An analysis of the device revealed he had been involved in other crimes. Initially, Wyatt was arrested for using a false identity document and fraud offenses in January this year, and was arrested a second time in March for blackmail offenses.

Police discovered that Wyatt had used stolen credentials to apply for a payment card, although the application was denied. Wyatt had also used his deceased stepfather’s credit card to make a string of online purchases, including purchases of computer games and mobile phones. Wyatt racked up debts in the region of £4,750 on the card, according to the Northamptonshire Telegraph.

An extortion attempt saw Wyatt use the name “The Dark Overlords” on a ransom demand in which he attempted to obtain a payment of €10,000 in Bitcoin from a UK legal firm. Wyatt stole around 10,000 files from the unnamed Humberside law firm using malware to gain access to the files on the law firm’s server.

In that extortion attempt, Wyatt said that he was planning to sell the stolen files to buyers in Russia and China if the ransom demand wasn’t paid. The files included scans of driver’s licenses and passports. It is unclear whether Wyatt hacked the law firm or if he used stolen credentials to gain access to its system to install malware.

Wyatt’s partner, Kelly Walker, 35, was also arrested and charged with handling stolen goods and encouraging or assisting offenses, but she was acquitted when prosecutors failed to provide any evidence to support the charges.

It is unclear whether Wyatt was a core member of the Dark Overlord hacking group, a fringe player, or a copycat who used the group’s name. Dissent from Databreaches.net pointed out in a recent blog post that Wyatt was allegedly supposed to make a call to one of the Dark Overlord’s victims in Georgia to put pressure on the clinic to pay the ransom demand. Wyatt was also allegedly responsible for opening bank accounts in the UK on behalf of the Dark Overlord to take payments sent from hacking victims in the United States.

Wyatt is likely to be released in 18 months. In the UK, prisoners serving between 1 and 4-year jail terms are usually released after they have served half of their sentence, with the rest of the sentence served on probation. Wyatt has not been charged for any offenses in the United States.

The post 3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group appeared first on HIPAA Journal.