Legal News

Supreme Court Ruling Narrows Reach of Identity Theft Law

The Supreme Court has ruled against the government, which means federal prosecutors will have to curb identity theft charges and restrict them to cases where the misuse of another person’s identification is the crux of the criminal offense, rather than the current broad interpretation that allows identity theft charges for fraudulent billing, where the use of another person’s identification is merely an ancillary feature of a billing method.

Aggravated identity theft carries a mandatory jail term of 2 years in addition to any sentence for the predicate felony. Prior to the Supreme Court ruling, there was no distinction between an identity thief stealing an individual’s identity and running up huge debts, a lawyer rounding up bills and only charging full hours, a waitress overcharging customers, and a doctor overbilling Medicaid. The Supreme Court decision related to the latter.

William and David Dubin are father and son psychologists who ran a mental health testing company called Psychological ARTs. In 2013, David Dubin was examining a patient when his father informed him that the patient’s Medicaid benefits had been exhausted, and he cut the evaluation short. David Dubin then instructed an employee to file a reimbursement claim to Medicaid that included the patient’s name and Medicaid ID, so that the canceled examination qualified for payment. That fraudulent claim resulted in a payment of $338.

In 2017, federal prosecutors indicted William and David Dubin on 20 counts related to the overbilling of Medicaid, including 6 counts of aggravated identity theft; the overbilling resulted in the practice receiving around $300,000 in fraudulent reimbursements. In 2019, David Dubin was sentenced to one year in jail for submitting inflated bills and 2 years for aggravated identity theft, with the sentences to run consecutively. Dubin’s legal team appealed, but the U.S. Court of Appeals for the 5th Circuit upheld the identity theft conviction, since under the broad interpretation of the law it is a felony to use another person’s identity without lawful authority, and David Dubin had used patients’ names and Medicaid ID numbers to submit exaggerated claims. The Supreme Court unanimously ruled that it could not support “such a boundless interpretation” of the Identity Theft Penalty Enhancement Act of 2004.

Prosecutors argued that while the fraud in Dubin’s case was relatively small, theirs was the correct reading of the statute and the flat two-year jail term should stand regardless of the scale of the fraud. Under the letter of the law, small-scale fraud and large-scale fraud carry the same sentence for aggravated identity theft. The Supreme Court disagreed.

“Patient names or other identifiers will, of course, be involved in the great majority of healthcare billing, whether Medicare for massages, or for ambulance stretcher services,” said Justice Sonia Sotomayor in the ruling. “Patient names will be on prescriptions, and patients committing fraud on their own behalf will often have to include the names of others on their forms, such as doctors or employers. Under the Government’s own reading, such cases are ‘automatically identity theft,’ independent of whether the name itself had anything to do with the fraudulent aspect of the offense.” She also pointed out that if she sided with the government then the same interpretation could even be applied to mail fraud, where using another person’s name to address a letter to them could similarly be classed as aggravated identity theft and would be punishable with a 2-year mandatory jail term. Dubin’s attorney, Jeffrey Fisher, said the same 2-year jail term could also be imposed on any person who submits a form on behalf of another person that contains a misrepresentation.

“Whoever among you is not an ‘aggravated identity thief,’ let him cast the first stone,” said Justice Neil Gorsuch, concurring with the court’s decision that siding with the 5th Circuit would potentially lead to broad prosecutions in cases involving another person’s identity. “Depending on how you squint your eyes, you can stretch (or shrink) [the Identity Theft Penalty Enhancement Act’s] meaning to convict (or exonerate) just about anyone,” wrote Gorsuch, potentially putting “every bill splitter who has overcharged a friend using a mobile-payment service like Venmo” at risk of a 2-year jail term, suggesting the law is vague to the point where it is not much better than a Rorschach test. “The statute fails to provide even rudimentary notice of what it does and does not criminalize,” wrote Gorsuch.

The post Supreme Court Ruling Narrows Reach of Identity Theft Law appeared first on HIPAA Journal.

FTC Files Amended Complaint Against Kochava for Selling Geolocation Data

In August last year, the Federal Trade Commission (FTC) took legal action against the mobile data broker Kochava alleging the Idaho company had violated consumer privacy and put consumers at risk by selling geolocation data from their mobile phones, which was tied to each individual through the unique ID of their mobile device.

The FTC claimed Kochava sold data from hundreds of millions of devices which could reveal that consumers had visited sensitive locations such as abortion clinics, mental health clinics, and places of worship. Since the information was tied to a user’s mobile device, companies that used Kochava’s data feeds would be able to identify and track specific mobile devices. As an example, the FTC claimed that individuals visiting reproductive health clinics for abortions could be identified, along with the medical professionals that provided those services, and those individuals could be exposed to stigma, discrimination, physical violence, emotional distress, prosecution, or other harms.

On May 4, 2023, a federal District Court Judge dismissed the complaint as the FTC failed to allege that consumers had been put at significant risk of harm, but left the door open for the FTC to continue with its legal action by allowing an amended complaint to be filed within 30 days. The FTC has now filed an amended complaint against Kochava that includes additional facts to support its allegations that Kochava engaged in unfair practices that violated the FTC Act and put consumers at significant risk of harm. The amended complaint includes new factual allegations that the FTC says are based, in part, on materials provided by Kochava in response to its Civil Investigative Demand.

The FTC has filed a motion to temporarily file the amended complaint under seal. While the FTC does not believe any of the information detailed in the amended complaint reveals trade secrets or other material that should be subject to confidential treatment, it anticipates that Kochava may object to the public disclosure of that material. When the material was provided to the FTC, Kochava marked it as ‘proprietary’ and ‘highly confidential’. The FTC said it is acting “out of an abundance of caution,” and in accordance with internal rules covering the disclosure of proprietary and trade secret information, by requesting that the complaint be sealed until the court decides that the material is not subject to confidential treatment.

Kochava sought to have the initial complaint dismissed and is expected to file a motion to also have the FTC’s amended complaint dismissed. Kochava continues to maintain the company has proactively complied with all appropriate laws and has not violated consumer privacy.


Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit

Acuity International (formerly known as Comprehensive Health Services, LLC / CHS, LLC), a provider of medical management support services, has agreed to a settlement to resolve a class action lawsuit that was filed in response to a 2020 cyberattack and data breach that impacted 106,910 individuals.

Suspicious activity was detected within the systems of Comprehensive Health Services on September 30, 2020, following the discovery of fraudulent wire transfers; however, it took until November 3, 2022, to determine that personal and protected health information had been compromised in the incident, including names, dates of birth, and Social Security numbers. Affected individuals were notified about the breach on January 20, 2022, and February 14, 2022.

On April 4, 2022, a lawsuit – Arbuthnot v. CHS, LLC – was filed in the US District Court for the Middle District of Florida in response to the breach that alleged a failure to protect sensitive data against unauthorized access, violations of the HIPAA Security Rule, and unreasonable delay of more than 16 months to inform individuals that their personal and protected health information had been compromised. As a result of the alleged negligence, plaintiff Shannon Arbuthnot and the class members claim they suffered harm and incurred out-of-pocket expenses dealing with the breach and protecting themselves against misuse of their information.

A settlement proposed in February 2023 to resolve the lawsuit has now been finalized, pending final approval by a judge. Acuity maintains there was no wrongdoing and proposed the settlement to avoid the cost, disruption, and distraction of further litigation. The settlement has been approved by Acuity, the class representative, and their legal teams, and is believed to be fair, reasonable, and adequate.

Under the terms of the settlement, individuals who were notified that they had been impacted by the data breach can submit a claim for compensation for ordinary out-of-pocket losses and lost time up to a maximum of $500 per class member, which can include up to 3 hours of lost time at $20 per hour. The claim can include documented losses due to bank fees, phone charges, data charges, postage, costs of credit reports, and any credit monitoring or identity theft protection services purchased between September 30, 2020, and the date of the settlement.

Individuals who were victims of documented identity theft that is reasonably traceable to the data breach are entitled to submit a claim for compensation for extraordinary losses up to a maximum of $3,500 per class member. Extraordinary losses include actual, documented, and unreimbursed monetary losses incurred between September 30, 2020, and the date of the settlement that were more likely than not due to the data breach. In addition, Acuity will cover the cost of two years of credit monitoring services for all class members.

In addition to reimbursing class members for expenses and losses, Acuity has agreed to make security improvements to reduce the risk of future data breaches, many of which have already been implemented. The deadline for exclusion from or objection to the settlement is July 5, 2023, the deadline for submitting a claim is August 3, 2023, and the final approval hearing has been scheduled for August 11, 2023.

The plaintiff was represented by Jon Kardassakis of Lewis Brisbois Bisgaard & Smith, LLP, and the class was represented by John A. Yanchunis of Morgan & Morgan and David K. Lietz of Milberg Coleman Bryson Phillips Grossman PLLC.


Mistrial Declared in Criminal HIPAA Prosecution of Couple Who Disclosed PHI to Undercover FBI Agent

The prosecution of two doctors accused of criminal HIPAA violations and conspiring with the Russian government has ended in a mistrial as the jury could not reach a unanimous guilty verdict. Dr. Anna Gabrielian, 37, a former anesthesiologist at Johns Hopkins, and her spouse, Jamie Lee Henry, 40, a doctor and U.S. Army Major previously stationed at Fort Bragg, were indicted on September 28, 2022, and charged with conspiracy to assist Russia with its invasion of Ukraine and criminal HIPAA violations for wrongfully disclosing the personally identifiable health information of individuals to someone they believed to be a Russian agent.

In an eight-count indictment, the couple was alleged to have conspired to cause harm to the United States by providing the sensitive information of U.S. citizens associated with the U.S. government and military to Russia. The disclosures started on August 17, 2022, when information was passed to an individual whom they believed to be a Russian agent. The disclosures served as confirmation of Henry’s secret-level security clearance and of the couple’s willingness to work with a Russian operative and provide medical information that could potentially be exploited by the Russian government.

Gabrielian had sent an email from her work email account to the Russian embassy offering medical collaboration and humanitarian aid to Russia in response to the war with Ukraine. The message was obtained by the FBI, which sent an undercover agent posing as a Russian operative to meet with Gabrielian. In the meeting, Gabrielian told the agent that her husband was a more important source for Russia as he had access to more valuable information, then arranged to meet with the undercover agent with her husband.

The undercover agent recorded over 5 hours of conversations over the series of meetings in which the couple claimed they wanted to help Russia. Henry admitted that he had attempted to sign up as a volunteer in the Russian Army but was turned down due to his lack of combat experience. Henry agreed to provide the medical records of Fort Bragg patients to the agent. In a subsequent meeting, Gabrielian provided the agent with the health information of two individuals, including the spouse of an employee of the Office of Naval Intelligence, whom Gabrielian pointed out had a medical condition Russia could exploit. Henry provided information on five individuals who were military veterans or related to military veterans. The couple faced a maximum sentence of 10 years in jail for the criminal HIPAA violation – accessing and disclosing medical records without authorization – and a maximum of 5 years in jail for the conspiracy charge.

At the trial, Gabrielian testified that she disclosed the information because she feared for her life and the lives of her family in the United States and Russia if she did not cooperate. She also testified that she saw the camera worn by the agent and asked if she was being recorded, which led to her believing she was in danger. She claimed that she provided two records to the agent as a test of loyalty, but thought the two records would be useless to the Russian government, as were the records disclosed by Henry.

The legal team for the doctors argued that while the agent did not overtly threaten them, and only implied that they worked for the KGB, the doctors were fearful of what would happen if they said no to a KGB operative and said their intention was only to help heal the sick and treat the wounded, arguing that this was a crime created by the U.S. government. The prosecution argued that the two doctors wanted to be long-term weapons for Russia and there was no merit to the claims they were entrapped by the FBI.

After two and a half days of deliberation, the jury told U.S. District Court Judge Stephanie Gallagher that they were unable to reach a unanimous verdict because one juror believed the doctors were entrapped by the FBI, leaving Gallagher with no option other than to declare a mistrial. The U.S. Attorney’s Office has confirmed that it will seek a retrial.


City of Oakland Facing Multiple Class Action Lawsuits Over February Ransomware Attack

Multiple class action lawsuits have been filed against the city of Oakland in California over a ransomware attack and data breach that involved the theft of the personal and protected health information of 13,000 current and former employees. The ransomware attack was detected on February 8, 2023, and forced the city to shut down its systems to contain the attack, resulting in a state of emergency being declared in the city. Systems remained offline for weeks due to the attack, with the recovery process taking months.

The Play ransomware group took credit for the attack and started leaking some of the stolen data to pressure the city into paying the ransom. Initially, 10 gigabytes of stolen data was released on the group’s dark web data leak site, followed by a massive data dump of 600 gigabytes when the city continued to refuse to pay the ransom. The leaked data included the personal information of individuals employed by the city between July 2010 and January 2022. The ransomware attack is understood to have started with phishing emails.

Multiple class action lawsuits have been filed against the city on behalf of victims of the data breach that allege the city failed to implement appropriate security measures to keep employees’ private information confidential, with several victims of the breach claiming they have had their identities stolen and have experienced credit card fraud. The city has offered complimentary credit monitoring services to affected employees and has started to improve security, including implementing a training program for the workforce to improve resilience to phishing attempts.

A lawsuit filed by the Oakland police officers’ union alleges the city failed to provide important information about the extent of the incident and the types of data stolen in the attack, and seeks monetary compensation and extended credit monitoring and identity theft protection and restoration services. Another lawsuit names Hada Gonzalez, a police services technician, as lead plaintiff; she alleges the city was negligent for failing to protect against the attack. The lawsuit alleges data breach notification failures and violations of the HIPAA Security Rule. As a result of the negligence, the plaintiffs and class members claim they have suffered ongoing, imminent, and impending threats of fraud, identity theft, and abuse of their data, resulting in monetary losses and economic harm. The lawsuit seeks an award of damages and injunctive relief, including a requirement for the city to maintain a comprehensive information security program, encrypt sensitive data, undergo third-party security audits, establish an information security training program, and implement other security measures.


State Legislature Passes Texas Data Privacy and Security Act

The Texas legislature has passed the Texas Data Privacy and Security Act, which will now head to the desk of the state governor, Greg Abbott, who is expected to sign the Act into law. Comprehensive data privacy laws are already in effect in California and Virginia, and Colorado, Connecticut, and Utah will see their data privacy laws start to be enforced later this year. Data privacy laws have also been passed in Indiana, Iowa, Florida, Montana, Tennessee, and Washington this year.

The Texas Data Privacy and Security Act adopts a broad definition of personal data, which is any information that is linkable or reasonably linkable to an individual, including pseudonymous information that could be combined with other information to allow an individual to be identified. The law will apply to any person that conducts business in the state of Texas or provides products or services consumed by Texas residents, and that processes or engages in the sale of personal data. ‘Sale’ covers disclosures of personal data for monetary gain or other valuable consideration.

No threshold has been set for company revenue or minimum data processing levels; however, small businesses, as defined by the United States Small Business Administration, are exempt but are required to obtain consent before selling the sensitive data of Texas residents. Compliance with the Texas Data Privacy and Security Act will not be required by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA), nor non-profits and higher education institutions.

Data controllers will be required to obtain consent before processing a consumer’s sensitive data, which is any data that reveals an individual’s racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexuality, or citizenship/immigration status, as well as genetic/biometric data processed to identify individuals, personal data collected from a known child, and precise geolocation data (within a 1,750 ft. radius). The sale of sensitive data is only permitted if consumers are specifically told in the organization’s privacy notice that sensitive data will be sold. Organizations are prohibited from obtaining consent using ‘dark patterns’ – the manipulation of individuals into providing consent, such as by impairing user autonomy, decision-making, or choice.

The Texas Data Privacy and Security Act will give consumers new rights over their personal information:

  • The right to confirm if a data controller is processing their personal data and to access that data
  • The right to correct inaccuracies in their personal data
  • The right to have personal data deleted
  • The right to obtain a portable copy of their personal data
  • The right to opt out of processing for (a) targeted advertising, (b) the sale of their personal data, and (c) automated profiling.

All data controllers are required to conduct data protection assessments of processing activities that involve the sale of personal data, targeted advertising, profiling, sensitive information, or any activity that carries a heightened risk of harm to consumers.

The Texas Attorney General will enforce compliance, although data controllers and processors will be allowed to cure any violation within 30 days. If corrective action is not taken within 30 days, civil monetary penalties of up to $7,500 per violation can be imposed, plus reasonable attorneys’ fees and expenses. If signed into law, the majority of the provisions of the Texas Data Privacy and Security Act will have a compliance date of March 1, 2024. Compliance with the opt-out provisions will not become enforceable until January 1, 2025.


Amazon & FTC Agree $25 Million Settlement to Resolve Alleged FTC Act and COPPA Violations

The Federal Trade Commission (FTC) has agreed to settle a complaint against Amazon that alleged violations of the FTC Act, the Children’s Online Privacy Protection Act (COPPA), and the FTC’s Children’s Online Privacy Protection Rule with respect to its Alexa voice assistant products. According to the complaint, the retail giant misrepresented that it would delete voice transcripts and geolocation information of users upon request, limit employee access to Alexa users’ voice assistant data, and delete the personal information of children as requested by their parents. The FTC also alleged Amazon was retaining the personal information of children for longer than was reasonably necessary to satisfy the purpose for which the information was collected.

According to the FTC complaint, the default settings of the Alexa voice assistant stored voice recordings and transcripts indefinitely, including those of children, even when profiles were no longer used and had been inactive for years. Prior to the middle of 2019, Amazon claimed it would delete written transcriptions of interactions between children and Alexa in response to deletion requests by parents yet failed to do so, and for 13 months until September 2019, Amazon is alleged to have made Alexa recordings available to 30,000 employees, even though around half of those employees did not require access to the recordings for any business purpose. In addition, from January 2018 to early 2022, the geolocation data of Alexa app users in secondary locations was retained and was not deleted per data deletion requests.

Amazon did not agree with the FTC’s claims and maintains it has very strong privacy protections in place; however, it chose to settle the complaint with the FTC with no admission of wrongdoing. The settlement, which has yet to be approved by a federal judge, will see Amazon pay a financial penalty of $25 million to resolve the complaint and implement a number of measures to ensure the privacy of children and other Alexa users.

Those measures include a commitment to delete the personal information of children when child profiles have been inactive for 90 days, unless a request is received from the child’s parent or legal guardian to retain that information, or the account becomes active again within that 90-day period. Amazon will ensure that when data deletion requests are received, all geolocation information and voice information will be fully deleted from the Alexa App, that all personal information collected from a child will be deleted in response to a request from the child’s parent, and that geolocation information, voice information, and children’s personal information that has been deleted from the app will not subsequently be used for the creation or improvement of any data product.

Amazon is also required to clearly and conspicuously notify users about why geolocation information is collected and used, inform them about how they can request their data be deleted, and Amazon must establish, implement, and maintain a privacy program to protect the privacy of Alexa App geolocation information. The order also prohibits Amazon from making misrepresentations about the privacy of geolocation and voice information.


Florida Bans Offshore Storage of Electronic Health Records

In May 2023, the Florida Legislature passed an update to the Florida Electronic Health Records Exchange Act that prohibits healthcare providers that use certified health record technologies from storing electronic health records outside the United States, its territories, or Canada. The ban also covers patient information stored through a third-party or subcontracted computing facility or cloud computing service, which must similarly maintain the data in the continental United States, its territories, or Canada. When the ban takes effect it will no longer be possible to use overseas vendors that require access to patient information as the update also bans the access, retrieval, and transmission of patient data from locations outside the United States, its territories, or Canada. All healthcare providers covered by the Florida Electronic Health Records Exchange Act must comply with the updated law by July 1, 2023.

“Certified electronic health record technology” is defined as “a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act, which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”

“Qualified electronic health record” is defined as “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”

Covered healthcare providers include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and licensed healthcare providers such as physicians, nurses, dentists, therapists, podiatrists, and massage therapists.

Healthcare providers should conduct an audit to confirm the locations where health records are stored to ensure that they are compliant. If a cloud vendor is used to store patient information, data centers must be located in the specified regions. If contracted third parties are used to provide support services such as managed service providers, IT support companies, scheduling support providers, and other vendors, they, along with any subcontractors they use, should be prohibited from storing or accessing patient information outside of the United States, its territories, or Canada.

If the audit confirms patient data is stored in or is accessed from prohibited locations, steps should be taken immediately to move patient data to a compliant storage location and restrict access from unauthorized locations ahead of the compliance deadline.


Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case

An Arizona man has been sentenced to 54 months in jail for aggravated identity theft and criminal violations of the Health Insurance Portability and Accountability Act (HIPAA). Rico Prunty, 41 years old, of Sierra Vista, Arizona, was previously employed at an Arizona medical facility where he unlawfully accessed the medical intake forms of patients between July 2014 and May 2017. The intake forms included information protected under HIPAA such as names, dates of birth, addresses, employer information, social security numbers, diagnoses, and medical information.

He then provided that information to his co-conspirators – Vincent Prunty, Temika Coleman, and Gemico Childress – who used the stolen information to open credit card accounts in the victims’ names. Federal prosecutors investigating the identity theft raided an apartment linked to the suspects and found evidence of the manufacture of credit cards and the opening of fraudulent accounts in victims’ names. Prunty and his co-conspirators attempted to steal more than $181,000 from the victims.

According to court documents, the protected health information of almost 500 patients was accessed without authorization, and their information was impermissibly disclosed to Prunty’s co-conspirators. Rico Prunty pleaded guilty to aggravated identity theft and criminal HIPAA violations for accessing and disclosing patients’ protected health information. The HIPAA violations carried a maximum jail term of 10 years, and aggravated identity theft carries a mandatory sentence of 2 years, which runs consecutively to sentences for other felony crimes. Senior U.S. District Court Judge James Moody imposed a sentence of 54 months with 2 years of supervised release, and Prunty was ordered to pay $132,521.98 in restitution to the victims.

His co-conspirators have already been sentenced for their roles in the identity theft scheme. Vincent Prunty pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 154 months, Gemico Childress pleaded guilty to wire fraud and aggravated identity theft and was sentenced to 134 months, and Temika Coleman pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 121 months. They were also ordered to pay $181,835.77 in restitution and will each have 2 years of supervised release.
