Legal News

CareFirst Can Be Sued for Breach, Rules Court of Appeals

Posted by HIPAA Journal

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen.

Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing.

The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud.

The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.”

However, the three-judge panel overturned the previous ruling claiming the interpretation of the law was ‘unduly narrow’, explaining that all the plaintiffs were required to establish at that point was their allegations were plausible and there was potential for future harm as a result of the breach.

The district court ruling was based on the fact that the plaintiffs had failed to establish how it would be possible for their identities to be stolen by the hackers if their Social Security numbers and/or credit card numbers were not stolen in the attack. CareFirst maintained that Social Security numbers and financial information were not compromised and were stored in a part of the network that was not compromised.

Court of Appeals Judge Thomas Griffith explained that the conclusion drawn by the district court “rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach.” However, while that was the opinion of CareFirst, it was not the opinion of the plaintiffs, who did include Social Security numbers and financial information in their description of the information that was stolen in the CareFirst cyberattack. That does not mean that those data elements were stolen, only that the plaintiffs alleged that Social Security numbers and financial data had been compromised.

The plaintiffs also alleged separately that the types of information which CareFirst said were compromised – email addresses, names, birth dates and CareFirst account numbers – may not be of use to an identity thief on their own, but did create “a material risk of identity theft.” The appeals court believed the claim was plausible and that the theft of such information could open the door to medical identity theft.

While medical identity theft would result in financial harm for the insurer, fraudulent claims against insurance policies could potentially cause harm to the plaintiffs. The fraudulent claims would go on their accounts and this could be held against the plaintiffs, disqualifying them from certain types of employment or preventing them from taking out life insurance. Social Security numbers would not be required for harm to be caused were that to be the case.

That is not the only lawsuit to be filed against CareFirst for the 2014 breach. In July last year, a case filed by two plaintiffs was similarly dismissed for lack of standing by a Maryland Court. The case was dismissed as the plaintiffs failed to demonstrate harm had been suffered. While it is possible to allege an injury based on future harm, the threatened injury must be impending to constitute an injury in fact. However, the judge ruled that “the injury is too speculative to be certainly impending.” While the decision was appealed, the case was voluntarily dropped by the plaintiffs.

The post CareFirst Can Be Sued for Breach, Rules Court of Appeals appeared first on HIPAA Journal.

Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings

Posted by HIPAA Journal

Last week, the United States Department of Justice announced the largest healthcare fraud action to date. 412 individuals were charged, including 115 doctors, nurses and other medical professionals for their roles in healthcare fraud schemes. 120 doctors and other medical professionals were charged for prescribing opioids and other dangerous narcotics. The HHS has also initiated suspension actions against 295 doctors, nurses and pharmacists.

The charges aggressively targeted individuals responsible for fraudulent Medicaid, Medicaid and TRICARE billings, although this year also saw a focus on doctors and other medical professionals that have been fueling the opioid epidemic by illegally distributing opioids and pother powerful narcotics. Approximately 91 Americans lose their lives each day due to opioid overdoses.

The bust was a joint operation by the Department of Justice, FBI, Medicaid Fraud Strike Force, DEA, U.S Attorney’s Office and the Department of Health and Human Services. A joint announcement about the bust was made by Attorney General Jeff Sessions and HHS Secretary Tom Price.

Healthcare fraud costs the taxpayer billions of dollars each year. The individuals involved in fraudulent billings are alleged to have obtained $1.3 billion. Price said, “The United States is home to the world’s best medical professionals, but their ability to provide affordable, high-quality care to their patients is jeopardized every time a criminal commits healthcare fraud.”

The takedown beats last year’s bust when 301 individuals were charged with fraudulently obtaining $900 million through Medicare and Medicaid billings. In 2015, federal authorities charged 243 individuals for fraudulently billing $712 million.

In the most part, the charges related to billings for treatments that were medically unnecessary and treatments that were billed but never provided. In many cases, kickbacks were paid to obtain beneficiary information to enable fraudulent claims to be submitted.

This year saw a large number of doctors charged for their roles in the schemes. According to the Department of Justice announcement, “Aggressively pursuing corrupt medical professionals not only has a deterrent effect on other medical professionals, but also ensures that their licenses can no longer be used to bilk the system.”

The takedown saw arrests across 41 districts although the state with the highest number of arrests was Florida. 77 individuals in South Florida were charged with offenses relating to various fraud schemes. Those schemes involved $141 million in fraudulent claims to Medicaid, Medicare and TRICARE. Two individuals were charged with fraudulently billing $58 million in fraudulent insurance claims for drug treatment services. Ten individuals in the Middle District of Florida were charged with fraud offenses that netted $14 million, with one individual defrauding the TRICARE program out of $4 million.

32 individuals from the Eastern District of Michigan were charged for offenses related to healthcare fraud, providing kickbacks, drug diversion and money laundering and for billing $218 million for unnecessary medical procedures and procedures that were never provided. One of the cases involved nine defendants, including six doctors, that were prescribing controlled substances that were subsequently sold on the street and $164 million was billed to Medicare for unnecessary procedures and procedures that were never provided.

26 individuals in the Southern District of Texas were charged, with their cases involving more than $66 million in fraudulent billing. One physician and clinic owner were charged for issuing medically unnecessary prescriptions of hydrocodone to patients. The clinic was seeing between 60-70 individuals each day and paying $300 in cash per visit.

17 individuals from the Central District of California were charged for defrauding Medicare out of $147 million, two of which were involved in a scheme that fraudulently charged $41.5 million to Medicare and a private insurer.

In Southern Louisiana, 7 individuals were charged in connection with $207 million in fraudulent billings and a pharmacist was charged with submitting and causing the submission of fraudulent and false claims to TRICARE for $192 million.

Price said, “The historic results of this year’s national takedown represent significant progress toward protecting the integrity and sustainability of Medicare and Medicaid, which we will continue to build upon in the years to come.”

The post Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings appeared first on HIPAA Journal.

Indiana Senate Passes New Law on Abandoned Medical Records

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Clinical and Economic Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right – Only Connecticut, Vermont, Massachusetts, New York and Indiana all done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has been recently passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that has expanded the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” to those records.”

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.

The post Indiana Senate Passes New Law on Abandoned Medical Records appeared first on HIPAA Journal.

Pair Charged with Identity Theft in Relation to WVU Medicine Breach

Posted by HIPAA Journal

A federal grand jury has charged a former healthcare worker and her accomplice with identity theft, aggravated identity theft, bank fraud and producing false documents, in connection with the theft of PHI from WVU Medicine University Healthcare.

Angela Dawn Roberts, 41, of Stephenson, VA had previously worked at WVU Medicine Berkley Medical Center, where she is alleged to have accessed the WVU Medicine University Healthcare database to obtain sensitive patient information in order to steal the identities of patients.

Court documents indicate names, addresses, dates of birth, Social Security numbers and driver’s license numbers were accessed and manually copied onto paper, with printouts of driver’s licenses also made. Angela Roberts is alleged to have disclosed the information to her accomplice, Ajarhi Savimi Roberts, 24, of Stephens City, VA.

Ajarhi Roberts used the information to open bank accounts and obtain credit cards in victims’ names and used the accounts to steal thousands of dollars. The crimes occurred between March 1, 2016, and Jan. 31, 2017.

The pair, who also used the names Angela Dawn Lee and Wayne Roberts, are alleged to have fraudulently obtained money from several banks including Bank of America, Barclay, Chase Bank, Discover and Wells Fargo. The pair are thought to have obtained at least $40,000 using the names and identities of WVU Medicine patients.

The 36-count indictment suggests the information of 10 patients was used for the crimes, although WVU Medicine University Healthcare has previously indicated the records of at least 113 patients had been accessed and stolen, while 7,445 breach notifications were mailed to patients as their protected health information had also potentially been accessed.

Prosecutors are seeking a monetary judgement of $13, 085.65. The paid both face a lengthy jail term if convicted of the crimes.

The post Pair Charged with Identity Theft in Relation to WVU Medicine Breach appeared first on HIPAA Journal.

World’s Largest Data Breach Settlement Agreed by Anthem

Posted by HIPAA Journal

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.

The post World’s Largest Data Breach Settlement Agreed by Anthem appeared first on HIPAA Journal.

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

Posted by HIPAA Journal

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA covered entity, it would be necessary for breach notifications to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines CoPilot is a HIPAA-covered entity, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presense Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

The post Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG appeared first on HIPAA Journal.

MDLive Privacy Lawsuit Voluntarily Dismissed

Posted by HIPAA Journal

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid.

The lawsuit was filed after following an alleged discovery that screenshots were repeatedly taken by MDLive and were passed to third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services. However, the plaintiff alleged that the sending of screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy.

Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated.

MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data for the specific purposes for which the information was disclosed.

MDLive pointed out that the use of the Test Fairy tool was consistent with its disclosed privacy policy and said Test Fairy did not have access to patient data from patient-physician consultations. MDLive also said all members are advised in its privacy policy that personal information may be disclosed to its contracted third parties to support its business.

A recent press release issued by MDLive has confirmed the lawsuit has been dismissed “in response to arguments by MDLive that the suit lacked any legal or factual basis.” MDLive filed a motion to dismiss the lawsuit and the plaintiff responded with a notice of non-opposition, but requested additional time to file an amended complaint. However, as the deadline for filing the complaint approached, the plaintiff made the decision to dismiss the entire lawsuit.

In the press release, MDLive said all claims in the lawsuit have been voluntarily dismissed without prejudice by the plaintiff. There was no payment of any settlement or other consideration by MDLive or its management in connection with the lawsuit.

MDLive CEO Scott Decker said, “Privacy and patient confidentiality are at the heart of everything we do, and MDLIVE will continue to rigorously review and evolve our technology and processes to safeguard member information and build trust in the telehealth industry.” Decker welcomed the dismissal of the lawsuit, saying, “We are thrilled this lawsuit was appropriately dismissed as we continue pursuing MDLIVE’s goal of enabling 24/7/365 access to affordable virtual healthcare for consumers, employers, health plans and health systems across the US.”

The post MDLive Privacy Lawsuit Voluntarily Dismissed appeared first on HIPAA Journal.

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Posted by HIPAA Journal

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015 constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also discovered to have failed to document the sanctions imposed against the members of staff who violated the HIPAA Privacy Rule, as is required by HIPAA (45 C.F .R. § 164.530( e )(2)).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one CMP issued. At this rate, 2017 looks set to be another record breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.

The post Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine appeared first on HIPAA Journal.

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

Posted by HIPAA Journal

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients.

Patients are required to enter in a range of sensitive information into the MDLive app; however, during the first 15 minutes of use, the app takes screenshots of the data entered by users. According to the lawsuit, an average of 60 screenshots are taken during the first 15 minutes – the time it typically takes a user to register for an account. Those screenshots are then sent to an Israeli company called Test Fairy, which conducts quality control tests.

The lawsuit alleges patients are not informed that their information is disclosed to a third-party company. All data entered into the app can also be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data.

Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories, family medical histories and details of allergies. According to the lawsuit, the screenshots are “covertly” sent to Test Fairy “in near real time.”

The lawsuit suggests patients using the app are likely to assume their data will be kept confidential and that reasonable security measures will be employed to prevent disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”

The lawsuit was filed by the Illinois law firm Edelson PC with app user Joan Richards named as the plaintiff. Typically, for a lawsuit to succeed, an unauthorized disclosure of medical information must result in harm being caused.

Edelson PC attorney Chris Dore said, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”

MDLive says the lawsuit is “baseless,” that no data breach has occurred, HIPAA Rules have not been violated, and any data entered into the app is safe. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any information disclosed is only used for the purpose for which that disclosure is made.

MDLive is seeking to have the lawsuit dismissed.

The post MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations appeared first on HIPAA Journal.