Legal News

Pair Charged with Identity Theft in Relation to WVU Medicine Breach

A federal grand jury has charged a former healthcare worker and her accomplice with identity theft, aggravated identity theft, bank fraud and producing false documents, in connection with the theft of PHI from WVU Medicine University Healthcare.

Angela Dawn Roberts, 41, of Stephenson, VA, had previously worked at WVU Medicine Berkeley Medical Center, where she is alleged to have accessed the WVU Medicine University Healthcare database to obtain sensitive patient information in order to steal the identities of patients.

Court documents indicate names, addresses, dates of birth, Social Security numbers and driver’s license numbers were accessed and manually copied onto paper, with printouts of driver’s licenses also made. Angela Roberts is alleged to have disclosed the information to her accomplice, Ajarhi Savimi Roberts, 24, of Stephens City, VA.

Ajarhi Roberts is alleged to have used the information to open bank accounts and obtain credit cards in victims’ names, and to have used those accounts to steal thousands of dollars. The crimes are alleged to have occurred between March 1, 2016, and January 31, 2017.

The pair, who also used the names Angela Dawn Lee and Wayne Roberts, are alleged to have fraudulently obtained money from several banks including Bank of America, Barclay, Chase Bank, Discover and Wells Fargo. The pair are thought to have obtained at least $40,000 using the names and identities of WVU Medicine patients.

The 36-count indictment indicates the information of 10 patients was used for the crimes, although WVU Medicine University Healthcare has previously indicated the records of at least 113 patients had been accessed and stolen, while 7,445 breach notifications were mailed to patients because their protected health information had also potentially been accessed.

Prosecutors are seeking a monetary judgment of $13,085.65. The pair both face lengthy jail terms if convicted of the crimes.

The post Pair Charged with Identity Theft in Relation to WVU Medicine Breach appeared first on HIPAA Journal.

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever, substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of coverage, or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, with claims decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District Judge in California presiding over the case. District Judge Lucy Koh will hold a hearing on the proposed settlement on August 17, 2017.


Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015, who downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications, as notifying affected individuals would not have impeded the investigation.

There is some debate as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is subject to HIPAA, breach notifications would have had to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines CoPilot is subject to HIPAA, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a violation of New York General Business Law § 899-aa. That law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”


MDLive Privacy Lawsuit Voluntarily Dismissed

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid.

The lawsuit was filed following the alleged discovery that screenshots were repeatedly taken by the MDLive app and passed to the third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services. However, the plaintiff alleged that the sending of screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy.

Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated.

MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data for the specific purposes for which the information was disclosed.

MDLive pointed out that the use of the Test Fairy tool was consistent with its disclosed privacy policy and said Test Fairy did not have access to patient data from patient-physician consultations. MDLive also said all members are advised in its privacy policy that personal information may be disclosed to its contracted third parties to support its business.

A recent press release issued by MDLive has confirmed the lawsuit has been dismissed “in response to arguments by MDLive that the suit lacked any legal or factual basis.” MDLive filed a motion to dismiss the lawsuit and the plaintiff responded with a notice of non-opposition, but requested additional time to file an amended complaint. However, as the deadline for filing the complaint approached, the plaintiff made the decision to dismiss the entire lawsuit.

In the press release, MDLive said all claims in the lawsuit have been voluntarily dismissed without prejudice by the plaintiff. There was no payment of any settlement or other consideration by MDLive or its management in connection with the lawsuit.

MDLive CEO Scott Decker said, “Privacy and patient confidentiality are at the heart of everything we do, and MDLIVE will continue to rigorously review and evolve our technology and processes to safeguard member information and build trust in the telehealth industry.” Decker welcomed the dismissal of the lawsuit, saying, “We are thrilled this lawsuit was appropriately dismissed as we continue pursuing MDLIVE’s goal of enabling 24/7/365 access to affordable virtual healthcare for consumers, employers, health plans and health systems across the US.”


Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September 2015, a patient visited an MHHS clinic and presented a fraudulent identification card to staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, a subsequent action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident and included the patient’s name in the title of the press release. That press release was approved by MHHS senior management before release, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015, constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also found to have failed to document the sanctions imposed on the members of staff who violated the HIPAA Privacy Rule, as is required by 45 C.F.R. § 164.530(e)(2).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large-scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. A settlement over the disclosure of a single patient’s PHI is rare.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one civil monetary penalty (CMP) issued. At this rate, 2017 looks set to be another record-breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.


MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients.

Patients are required to enter a range of sensitive information into the MDLive app; however, during the first 15 minutes of use, the app takes screenshots of the data entered by users. According to the lawsuit, an average of 60 screenshots are taken during the first 15 minutes, the time it typically takes a user to register for an account. Those screenshots are then sent to an Israeli company called Test Fairy, which conducts quality control tests.

The lawsuit alleges patients are not informed that their information is disclosed to a third-party company. All data entered into the app can also be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data.

Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories, family medical histories and details of allergies. According to the lawsuit, the screenshots are “covertly” sent to Test Fairy “in near real time.”

The lawsuit suggests patients using the app are likely to assume their data will be kept confidential and that reasonable security measures will be employed to prevent disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”

The lawsuit was filed by the Illinois law firm Edelson PC with app user Joan Richards named as the plaintiff. Typically, for such a lawsuit to succeed, plaintiffs must show that the unauthorized disclosure of medical information caused them harm.

Edelson PC attorney Chris Dore said, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”

MDLive says the lawsuit is “baseless,” that no data breach has occurred, HIPAA Rules have not been violated, and any data entered into the app is safe. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any information disclosed is only used for the purpose for which that disclosure is made.

MDLive is seeking to have the lawsuit dismissed.


Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the violations themselves are far from novel. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle parked outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of the PHI of 500 or more individuals, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis had been performed, but OCR investigators determined that the risk analysis was not comprehensive, a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI, and by failing to implement encryption, or an equivalent alternative safeguard, to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly, and that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health – $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000


$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, and the responses enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of 500 or more patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a compliant risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI the organization held. MCPN also failed to implement a risk management plan to address the risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding on an appropriate settlement, OCR took into consideration MCPN’s status as an FQHC and its financial position, to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could otherwise have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability Act with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000


Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status.

The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived.

In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital, Kamarian Millender, stole patient records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years.

Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns.

In total, prosecutors alleged tax returns totaling around $536,000 were submitted to the IRS, although most of those returns were stopped and just $18,915 in refunds was issued. Millender was sentenced to serve 2 years in prison after pleading guilty. Millender is not believed to have acted alone, but his suspected accomplice remains at large.

While there is no doubt that PHI was stolen and misused and losses were suffered as a direct result, there is some debate as to how many individuals have been impacted. Flowers Hospital sent breach notification letters to 1,208 patients after discovering five files were missing, each of which was understood to contain the records of around 100 to 150 patients.

While those patients were notified that they were potentially affected, Flowers Hospital sent the letters to all of them ‘out of an abundance of caution’. Not all of those individuals have necessarily had their information stolen and misused. The breach report submitted to OCR indicates 629 individuals were impacted by the breach.

Earlier this week, Chief United States District Judge W. Keith Watkins awarded class action status to the lawsuit, even though it was unclear how many individuals were impacted. The plaintiffs had not shown how many putative class members were affected, although it is probable that they will number in the hundreds. Judge Watkins said, “[Even if] the class is limited to the 73 victims identified in Millender’s plea agreement, the named plaintiffs have easily satisfied the numerosity requirement.”

Many data breach lawsuits ultimately fail as the plaintiffs are unable to demonstrate that losses have been suffered as a direct result of the theft or exposure of protected health information. In this case, the perpetrator was convicted and it is clear that at least some of the plaintiffs have suffered losses. How many of the class members will be able to demonstrate that harm has been suffered remains to be seen. The lawsuit alleges negligence, breach of contract, violation of the Fair Credit Reporting Act and an invasion of privacy, although the latter claims have now been dismissed.

It is possible that the Judge’s ruling will be challenged, so there are potential hurdles ahead. If the lawsuit survives any such challenge it will move to the discovery phase. Flowers Hospital and Triad of Alabama have not yet announced their next course of action.
