Legal News

5 Year Jail Term Upheld for Clinic Worker Who Stole PHI

A clinic worker who stole the protected health information of mentally ill patients and sold the data to identity thieves has failed to get his 5-year jail term reduced.

Jean Baptiste Alvarez, 43, of Aldan, PA, stole daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility in Philadelphia. The census sheets contained all the information needed to steal the identities of patients and submit fraudulent tax returns in their names – names, Social Security numbers, dates of birth and other personally identifiable information.

Alvarez had the opportunity to steal the data undetected, as the floor where the sheets were kept did not have security cameras.

Alvarez was paid $1,000 per census sheet by his co-conspirators, who used the information to submit 164 fraudulent tax returns in the names of the patients, resulting in a loss of $232,612 in tax revenue for the IRS.

In early 2016, Alvarez was found guilty of conspiracy to defraud, misuse of Social Security numbers, and aggravated identity theft. The latter carried a minimum sentence of 2 years. The maximum sentence for all counts was 24 years in jail, a maximum of three years of supervised release, and potentially a fine.

Judge Michael M. Baylson invoked the vulnerable victim enhancement, and Alvarez was sentenced to 5 years in jail for his crimes, 3 years of supervised release, was ordered to pay $266,985 in restitution, and a $500 special assessment fine.

Alvarez appealed the sentence claiming it was excessively harsh as his victims were not “vulnerable.” He also explained that he did not target the patients because they were mentally ill and had drug addiction issues. He only stole the information because he had access to it.

However, the U.S. Court of Appeals for the Third Circuit rejected his appeal to have the sentence reduced, ruling that Alvarez’s argument was without merit. The victims were suffering from mental health and addiction issues and were vulnerable. Judge D. Michael Fisher also noted that since the patients were not working, the IRS was unlikely to detect the fraud as there would not be any duplicate claim. The patients would similarly be unlikely to discover they had been defrauded due to their mental health issues. The 5-year jail term stands.

The case serves as a warning to healthcare workers that the theft of patients’ personal information can result in lengthy jail terms. The Department of Justice is aggressively pursuing cases of PHI theft, identity theft, and tax fraud, and is punishing criminals to the full extent of the law.

The post 5 Year Jail Term Upheld for Clinic Worker Who Stole PHI appeared first on HIPAA Journal.

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur.

The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses.

The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year.

Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no obligations for businesses to implement safeguards to secure the personal identifying information of New Yorkers if the data held on residents does not include a Social Security number.

The SHIELD Act will require all businesses that hold the sensitive data of New Yorkers, regardless of where they are based, to adopt reasonable administrative, physical, and technical safeguards. The law will apply even to entities that do not otherwise do business in the state of New York.

While many states have introduced data breach notification laws that require individuals impacted by breaches of information such as username/password combos and biometric data to be notified of the incidents, in New York, there are no such requirements. The SHIELD Act will change that and bring state laws in line with many other U.S. states.

Breach notification requirements will be updated to include breaches of username/password combos, biometric data, and protected health information covered by HIPAA laws. Breach notifications will be required if unauthorized individuals are discovered to have gained access to personal information as well as in cases of data theft.

Attorney General Schneiderman is encouraging businesses to go above and beyond the requirements of the SHIELD Act and receive independent certification of their security controls to make sure they exceed the minimum required standards.

A flexible standard is being introduced for small businesses to ease the regulatory burden. Safeguards can be appropriate to the organization’s size for businesses employing fewer than 50 members of staff if gross revenue is under $3 million or they have less than $5 million in assets.

HIPAA-covered entities, organizations compliant with the Gramm-Leach-Bliley Act, and organizations subject to NYS DFS regulations will be deemed to already be compliant with the data security requirements of the SHIELD Act.

The failure to comply with the provisions of the SHIELD Act will be deemed to be a violation of General Business Law (GBL § 349) and will allow the state attorney general to bring suit and seek civil penalties under GBL § 350(d).

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data.

The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker.

This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees.

Cyberattacks that result in the sensitive data of patients and consumers being exposed often result in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data.

Three former Lincare employees whose PII was disclosed in February have been named in a class-action lawsuit against the firm. The plaintiffs are seeking damages for the exposure of their PII, credit monitoring and identity theft protection services for 25 years, and 25 years of coverage by an identity theft insurance policy. Lincare previously offered 24 months of complimentary credit monitoring and identity theft protection services to employees affected by the incident.

The plaintiffs claim Lincare was negligent for failing to implement “the most basic of safeguards and precautions,” such as training its employees how to identify phishing scams. The plaintiffs allege the HR employee failed to authenticate the validity of the request for W2 forms, instead just attaching the information and replying to the email.

In the lawsuit, the plaintiffs argue that had simple security measures been adopted by Lincare the breach could have been easily prevented. Those measures include the use of advanced spam filters, providing information security training to staff, implementing data security controls that prohibit employees having on-demand access to PII, adding multiple layers of computer system security and authentication, and ensuring PII was only sent in encrypted form.

The risk of the PII being used to commit fraud is not theoretical. The attacker has already used the stolen data to apply for credit and loans. The lawsuit points out that Lincare sent an email to staff on April 21 saying, “Current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid.”

The question that the courts will need to answer is to what extent Lincare is liable for the attack, whether additional safeguards should have been implemented, and whether there was an implied agreement that the company would keep employee information secure.

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked and made sure appropriate diagnostic tools were available. Hereford also told the technician and the physician that they should wear gloves because the patient had hepatitis C.

After the procedure the patient filed a complaint, alleging Hereford had spoken sufficiently loudly that other patients and medical staff in the vicinity would have heard that she had hepatitis C. While the complaint was investigated Hereford was placed on administrative leave, and she was later terminated for the HIPAA violation – an unnecessary disclosure of confidential health information.

In her action for unfair dismissal, Hereford claimed this was an ‘incidental disclosure’, which is not a violation of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not occurred. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to dismiss the claim for wrongful termination, as it was deemed there was an unnecessary disclosure of PHI as a physician should not need to be reminded to wear gloves for a procedure to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.

Appeals Court Confirms Nurse HIPAA Violation

Hereford subsequently took her case to the Kentucky Court of Appeals. The Court of Appeals found that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

With respect to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the intended purpose – 45 CFR 164.502 – explaining, “Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct, as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was told the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Penalties for Nurses?

HIPAA violation penalties for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are determined by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What is the Maximum HIPAA Violation Penalty for Nurses?

The maximum penalty for a single HIPAA violation is $50,000 per violation or per record, with an annual maximum of $1.5 million per violation category.

Serious violations of HIPAA Rules can warrant criminal charges for HIPAA violations, and in addition to financial penalties jail time is possible. Criminal violations of HIPAA Rules are handled by the U.S. Department of Justice.

Nurses who knowingly obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to one year in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years in jail.

When there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years.

Nurse HIPAA Violation Cases

Listed below are some of the recent nurse HIPAA violation cases covered on HIPAA Journal.

Glendale Adventist Medical Center Nurse Fired for HIPAA Violation

Minnesota BCBS Nurse Accused of Unauthorized Accessing of Minnesota Board of Pharmacy Database

Virginia Nurse Charged with Bank Fraud and Identity Theft

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

Minnesota Hospital Fires 32 Over HIPAA Violation

Employees Fired over Sharing of Degrading Photos of Patients on Snapchat

Former Nurse Convicted of Theft of Patient Information and Tax Fraud

A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee.

41-year-old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals.

According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook.

The police investigation revealed that in 2011, Lawson-Brown used the stolen credentials to file fraudulent tax returns in the names of 105 individuals, including 24 patients of the nursing home. Lawson-Brown filed claims totaling more than $1 million. The IRS detected many of the claims as fraudulent, although $141,790 in tax refunds was issued by the IRS.

The refunds were deposited in multiple bank accounts controlled by Lawson-Brown and the funds were used to pay personal expenses, cover car repairs, and to pay off her mortgage.

Lawson-Brown will be sentenced on January 4, 2018. She faces a maximum jail term of 20 years for each count of wire fraud, 10 years for each count of theft of government funds and possession of unauthorized access devices, and an additional 2 years will be added to her sentence for aggravated identity theft.

U.S. Attorney for the Northern District of Florida, Christopher P. Canova, said, “This case illustrates the vulnerability of elderly and disabled persons. Relatives and other caregivers should be alert to unauthorized tax returns, bank accounts, credit cards, and financial transactions, and should immediately report identity theft crimes to law enforcement agencies.”

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General.

In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect.

The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication.

The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers.

Vermont Attorney General T.J. Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and requested the document be removed. Amazon in turn contacted SAManage USA to alert the firm to the breach. However, while an engineer was alerted to the SAManage USA data breach, the incident was not communicated to the appropriate personnel within the company.

The Vermont Security Breach Notice Act requires companies to alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was alerted to the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be notified, shortly after the Attorney General contacted SAManage USA about the breach.

It took almost two months for breach victims to be notified. Attorney General Donovan said that were it not for the intervention of his office, the breach would not have been reported.

SAManage USA has agreed to a $264,000 settlement to resolve the case and will adopt a robust corrective action plan, which includes implementing a comprehensive information security program to prevent further privacy breaches.

In a statement about the settlement, Attorney General Donovan said, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws.” He added that “This is an appropriate penalty given the specific facts of this incident and that the company fully cooperated with our investigation.”

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer.

St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form.

The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case.

St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement agreement with the patient whose HIV positive status was disclosed.

The patient, a man in his 30s identified as John Doe and represented by the Law Offices of Jeffrey Lichtman, is suing St. Luke’s Hospital for negligence and negligent infliction of emotional distress.

After completing the Authorization for Release of Medical Information and requesting the records were sent to a private mailbox, a fax was sent to the patient’s place of work. The medical records were seen by mailroom staff and were handed to the patient’s supervisor.

According to the suit, “The documents delivered to our client contained information on his HIV status and care, previous diagnoses for other sexually-transmitted diseases, history of physical abuse, sexual orientation information, mental health history, prescription drug information, and social security number.”

The patient was devastated by the disclosure. He was still coming to terms with his diagnosis and had not told most of his family and friends. The stress caused by knowing his coworkers were aware of his diagnosis forced him to quit his job and lose substantial health benefits and insurance.  The increased cost of medical insurance at his new job placed him under severe financial pressure, forcing him to discontinue seeing his therapist, who was helping him cope with the exposure of his health information.

According to the lawsuit, St. Luke’s Hospital accepted this was an egregious breach and “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein,” although no attempt was made to compensate the patient in any way for the error. The lawsuit seeks $2.5 million in damages.

This is not the only case of this nature to be filed in recent weeks. Recently, a mailing sent by a third-party vendor on behalf of Aetna resulted in details of HIV medications being impermissibly disclosed. The information was visible through the clear plastic windows of envelopes. Up to 12,000 patients were affected by the error.

A lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., over the impermissible disclosure.

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers.

Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach.

In 2016, the U.S. District Court for the District of Columbia dismissed one putative class action lawsuit against CareFirst – Chantal Attias vs. Carefirst, Inc. – for lack of standing. Further complaints were also dismissed by two federal district courts. However, on August 1, 2017, the case was revived when the U.S. District Court for the District of Columbia allowed the case to proceed, even though there was not a concrete, identifiable injury to plaintiffs.

CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, the U.S. District Court for the District of Columbia granted a stay of 90 days pending the filing of a Petition for a Writ of Certiorari with the United States Supreme Court, agreeing there was ‘good cause’ and that a “substantial question” needed to be answered.

In the motion CareFirst explained, “The Supreme Court has yet to examine the issue of standing in the context of a data breach case.”

CareFirst wants the case heard by the Supreme Court as it believes guidance is required by federal district and appellate courts to help them sort cases where a cognizable injury-in-fact has been sustained from those where plaintiffs are not able to allege real or immediate harm.

Federal district and appellate courts have struggled to reach consensus on when the prospect of future injury as a result of a data breach constitutes a substantial risk of actual harm.

The motion reads, “The fact that reasoned jurists have come to differing conclusions on the standing of plaintiffs from this same data breach, let alone the differences in application of the principles of standing among other jurisdictions in different data breaches, suggests that there is a reasonable probability that four members of the Supreme Court would consider the underlying issue sufficiently meritorious for a grant of certiorari.”

CareFirst explained that if the district court proceeds with the case, “It will encourage others to bring suits following other data breaches without allegations of real and immediate harm.”

Healthcare Industry Tops List for Class Action Data Breach Lawsuits

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach class action lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low.

To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016.

The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low due to the difficulty plaintiffs have establishing that an injury has been caused.

Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach, although there was a fall in the number of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits, compared to between 4% and 5% in previous years.

In total, 76 class actions were filed in 2016 as a result of data breaches. Bryan Cave points out that those lawsuits were clustered around the same breaches – high-profile data breaches affecting individuals throughout the country. Out of those 76 lawsuits, there were 27 unique defendants.

The report confirms that the healthcare industry reported the most data breaches of any industry – 70% of the total – yet only 34% of class action lawsuits name healthcare organizations as the defendants. Healthcare was the leading industry for class action data breach lawsuits (26 complaints), closely followed by email providers with 33%. The figures for email service providers were heavily influenced by the disclosure of two massive data breaches by Yahoo! Restaurants were in third place with 11% of the total, followed by the retail industry with 7%. Healthcare data breach lawsuits fell slightly year over year.

Lawsuits are most commonly filed following the exposure or theft of sensitive information such as Social Security numbers, medical data, health insurance information, and security Q&As – 89% of class action lawsuits resulted from data breaches where these types of information were exposed or stolen. 65% of the lawsuits alleged negligence as the primary theory.

Data breach lawsuits are most commonly filed in the Northern District of California (32%), followed by the Middle District of Florida (11%), the District of Arizona (11%), and the Western District of Pennsylvania (7%).

The 2017 Data Breach Litigation Report is available from Bryan Cave.