Dr. Caitlin Bernard, an Indianapolis, IN-based obstetrician-gynecologist has been fined $3,000 by the Medical Licensing Board of Indiana and issued with a letter of reprimand for violating HIPAA and state privacy law after talking to the media about an abortion she provided to a 10-year-old rape victim on July 1, 2022.

Within hours of the Supreme Court’s decision that overturned Roe v Wade and removed the federal right to an abortion, Ohio banned abortions after 6 weeks of pregnancy. Three days later, on June 27, 2022, Dr. Bernard received a call from a child abuse doctor in Ohio about a 10-year-old patient who could not legally have an abortion in Ohio as she was three days past the legal cutoff. The victim then traveled from her home state of Ohio to Indiana to have the procedure performed by Dr. Bernard.

A reporter for the IndyStar overheard a conversation between Dr. Bernard and another doctor at an anti-abortion rally and approached Dr. Bernard and asked for comment. The IndyStar ran a story about the girl and the reduction of access to abortions following the Supreme Court’s decision, and the story rapidly became national news. The case was also referenced on multiple occasions by President Biden. Following the publication of the story, Dr. Bernard provided further statements to the media, was interviewed on national TV networks, and was featured in various media articles, in which Dr. Bernard highlighted the real-world impact of the change to federal law on abortions. In those media interviews, Dr. Bernard confirmed that she had performed an abortion procedure on a 10-year-old patient, but did not disclose the name of the patient.

Shortly after the publication of the IndyStar story, Indiana Attorney General Todd Rokita confirmed in a Fox News interview that Dr. Bernard would be investigated. Rokita filed an administrative complaint with the Medical Licensing Board of Indiana alleging Dr. Bernard had violated HIPAA and state law by failing to get written authorization to release patient information, and that Dr. Bernard had failed to immediately report suspected child abuse to local law enforcement in Indianapolis or the Indiana Department of Children Services. Rokita claimed that Dr. Bernard learned about possible child abuse on June 27, 2022, in a telephone call, yet failed to report it until July 2, 2022, the day after the procedure was performed. As such, the child was returned to the custody of the alleged rapist, where she remained until July 6, 2022. Law enforcement later confirmed, with a 99.99% probability, that the rapist was the child’s biological father, who was charged with two counts of rape in July 2022.

In a Medical Licencing Board hearing on Thursday, Dr. Bernard’s attorney explained that Dr. Bernard told an IU Health social worker about the case on the same day she received the initial call about the patient, and that discussion was in line with IU Health’s policies. She also confirmed that the abuse was reported on an Indiana state form and that the abuse had already been reported in Ohio where the abuse took place. The IU Health social worker testified that she reported the abuse in Ohio per IU Health policies, as that was where the abuse occurred. Dr. Bernard also confirmed with child protection staffers in Ohio that it was safe for the child to leave with her mother and testified that she did not violate state or federal privacy laws as she did not disclose any identifying information about the patient.

At the hearing, Deputy Attorney General Cory Voight asked Dr. Bernard why she had disclosed information about a real patient, rather than providing a hypothetical situation in her media interviews. “I think that it’s incredibly important for people to understand the real-world impacts of the laws of this country about abortion,” said Dr. Bernard in response. “I think it’s important for people to know what patients will have to go through because of legislation that is being passed, and a hypothetical does not make that impact.”

Andrew Mahler, a former official at the HHS’ Office for Civil Rights was an expert witness for the state and testified that the disclosures made by Dr. Bernard violated HIPAA, as it was certainly possible that the information disclosed by Dr. Bernard – age, state, and gender – would allow the girl to be identified. Paige Jayner, a privacy compliance officer and former OCR auditor, was a witness for the defense and disagreed with Mahler’s view, testifying that the information Dr. Bernard disclosed was not protected health information and that the disclosure was not a HIPAA violation. IU Health agreed and did not believe the HIPAA Rules had been violated. At the hearing, Dr. Bernard defended her right to speak to the media about medical issues when it is in the public interest and her attorney confirmed that there are no laws that prohibit physicians from speaking with the media.

Dr. John Strobel, President of the Medical Licensing Board believed Dr. Bernard disclosed too much information to the IndyStar reporter about the pending abortion and said consent should have been obtained before any information was disclosed. The majority decision of the Medical Licensing Board was the disclosures violated state and federal privacy laws and Dr. Bernard received a $1,000 fine for each of the three privacy violation counts. The Medical Licensing Board found the state had failed to meet the burden for the other two counts on reporting the child abuse and Dr. Bernard being unfit to practice, and therefore did not suspend Dr. Bernard or put her on probation so she is able to continue to practice in Indiana. Dr. Bernard will be given the right to appeal the decision.

The post Doctor Fined for Privacy Violations Following Abortion on 10-Year-Old Rape Victim appeared first on HIPAA Journal.

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited.  The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.

The post NY AG Fines Medical Management Company $550,000 for Patch Management Failures appeared first on HIPAA Journal.

In June 2020, the Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach involving the protected health information (PHI) of 2.1 million patients. An unauthorized individual gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. The unauthorized third party then used the email account to distribute around 2,000 phishing emails.

State attorneys general have the authority to investigate data breaches and can fine organizations for HIPAA violations. A multi-state investigation was launched by state attorneys general in Oregon, New Jersey, and Florida into the EyeMed data breach, and Pennsylvania later joined the multistate action. The state attorneys general sought to establish whether the data breach was preventable and if it was the result of a failure to comply with the HIPAA Security Rule and state data protection laws.

The investigation identified data security failures that violated HIPAA and state laws. Under HIPAA and state data protection laws, entities that collect, maintain, or handle sensitive personal and medical information are required to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of that information, yet those safeguards were found to be lacking at EyeMed. The investigation revealed a failure to ensure all individuals with access to protected health information had a unique login and password. Several EyeMed employees were found to be sharing a single password for an email account that was used to communicate sensitive information, including PHI related to vision benefits enrollment and coverage.

Under the terms of the settlement, EyeMed agreed to pay a financial penalty of $2.5 million which will be shared between Oregon, New Jersey, Florida, and Pennsylvania. The settlement also requires EyeMed to ensure compliance with state consumer protection acts, state personal information protection acts, and HIPAA law, and ensure EyeMed does not misrepresent the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.

The data security requirements of the settlement include the development, implementation, and maintenance of a written information security program; maintenance of reasonable policies and procedures governing the collection, use, and retention of patient information; and maintenance of appropriate controls to manage access to all accounts that receive and transmit sensitive information. ”New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin, who co-led the investigation. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

The Office of the New York Attorney General also investigated EyeMed over the data breach and entered into a separate settlement agreement last year, which required EyeMed to pay a $600,000 penalty. In October 2022, a $4.5 million settlement was agreed between EyeMed and the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS (Part 500) cybersecurity regulations. The security failures included not limiting employee access privileges to email accounts for 9 employees, a partial rollout of multifactor authentication, risk assessment failures, the lack of a sufficient data minimization strategy, and inaccurate submissions of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General also had data security requirements, including the implementation and maintenance of a comprehensive information security program, encryption of data, multi-factor authentication for all administrative and remote access accounts, and penetration testing.

HIPAA compliance investigations by state attorneys general are independent of the HHS’ Office for Civil Rights (OCR), which may also choose to impose civil monetary penalties for HIPAA violations. No penalty has been announced by OCR as of May 2023 and the incident is marked as closed on the OCR breach portal.

The post EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million appeared first on HIPAA Journal.