Legal News

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

Posted by HIPAA Journal

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis has been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. Also, that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health- $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status

Posted by HIPAA Journal

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status.

The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived.

In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years.

Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns.

In total, prosecutors alleged tax returns totaling around $536,000 were submitted to the IRS, although most of those returns were stopped and just $18,915 in refunds were issued.  Millender was sentenced to serve 2 years in prison after pleading guilty. Millender is not believed to have acted alone, but his suspected accomplice remains at large.

While there is no doubt that PHI was stolen and misused and losses were suffered as a direct result, there is some debate as to how many individuals have been impacted. Flowers hospital sent breach notification letters to 1,208 patients after discovering five files were missing, each of which were understood to contain the records of around 100 to 150 patients.

While patients were notified that they were potentially affected, Flowers Hospital only sent the letters to all of those patients ‘out of an abundance of caution’. Not all of those individuals have necessarily had their information stolen and misused. The breach report submitted to OCR indicates 629 individuals were impacted by the breach.

Earlier this week, Chief United States District Judge W. Keith Watkins awarded class action status to the lawsuit, even though it was unclear how many individuals were impacted. The plaintiffs had not shown how many punitive class members were affected, although it is probable that they will number in the hundreds. Judge Watkins said, “[Even if] the class is limited to the 73 victims identified in Millender’s plea agreement, the named plaintiffs have easily satisfied the numerosity requirement.”

Many data breach lawsuits ultimately fail as the plaintiffs are unable to demonstrate that losses have been suffered as a direct result of the theft or exposure of protected health information. In this case, the perpetrator was convicted and it is clear that at least some of the plaintiffs have suffered losses. How many of the class members will be able to demonstrate that harm has been suffered remains to be seen. The lawsuit alleges negligence, breach of contract, violation of the Fair Credit Reporting Act and an invasion of privacy, although the latter claims have now been dismissed.

It is possible that the Judge’s ruling may be challenged so there are potential hurdles ahead. If the lawsuit survives a challenge it will move to the discovery phase. Flowers Hospital/Triad of Alabama have not yet announced their next course of action.

The post Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status appeared first on HIPAA Journal.

Court of Appeal Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

Posted by HIPAA Journal

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi.

The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data.

Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed.

The complainants maintain that the laptop computers were targeted by thieves who realized the value of data contained on the devices, rather than the computers being stolen for resale for their hardware value.

The plaintiffs claim that the disclosure, although accidental, placed them at “imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

The plaintiffs allege Horizon BCBS wilfully and negligently violated the Fair Credit Reporting Act (FCRA) – in addition to a number of state laws – by failing to adequately protect their personal information. The plaintiffs claim that the unauthorized transfer of personal information was a violation of FCRA and that the transfer, in itself, constitutes a cognizable injury.

The District Court dismissed the lawsuit under Federal Rule of Civil Procedure 12(b)(1) claiming a lack of Article III standing. However, the court of appeals judges ruled that even without evidence of misuse of the plaintiffs’ personal information, the case has standing.

According to U.S. Circuit Judge Kent Jordan , who wrote for the three-judge panel, “In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.” Judge Jordan explained, “the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).”

The post Court of Appeal Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft appeared first on HIPAA Journal.