Legal News

Federal Court Dismisses FTC Complaint Against Kochava

A complaint filed by the Federal Trade Commission (FTC) against the mobile app attribution and analytics company, Kochava, has been dismissed by a federal judge, although the door has been left open for a revised complaint that makes stronger arguments that the actions of Kochava have caused harms to consumers.

The FTC’s lawsuit against Kochava, filed in August 2022, alleged the company was selling the geolocation data of consumers gathered from their mobile phones without their knowledge. The geolocation data is tied to each individual user by a unique ID associated with their device. The FTC argued that the geolocation data could be used to identify individuals who had visited sensitive locations such as abortion clinics, mental health treatment centers, and places of worship. For example, the data sold by Kochava could be used to identify women who traveled from a state where abortion is illegal to a state where it is legal, allowing those women to be prosecuted along with the individuals who helped them obtain an out-of-state abortion. The FTC lawsuit alleged Kochava had engaged in unfair and deceptive business practices, in violation of the FTC Act. Kochava was aware that a lawsuit would likely be filed by the FTC and attempted to preempt it by filing its own lawsuit, then sought to have the FTC lawsuit dismissed. Those efforts have been partially successful.

At this early stage of the litigation, the question that needed to be answered by the court was whether the FTC had stated a plausible claim against Kochava. Idaho District Judge B. Lynn Winmill said in his ruling that the privacy concerns raised by the FTC in the complaint were certainly legitimate and that the FTC’s theory that consumers could suffer an injury as a result of the sale of their data was certainly plausible. Judge Winmill agreed that individuals would be at risk of secondary harms but said the FTC failed to point to any specific examples of harms that have been caused, only stating a risk of secondary harms. The FTC failed to attach any degree of probability to the risks. While there is certainly a risk that geolocation data could be used to target individuals, the mere possibility of injury is not sufficient to allow the lawsuit to proceed.

The FTC argued that the invasion of privacy alone constitutes an injury, and while that is true, in this case the privacy violation was not found to be sufficiently severe to meet the threshold for injury, specifically because Kochava has not been accused of selling or disclosing private information, only data from which private information may be inferred from the presence of an individual in or near a sensitive location. The geolocation data does not indicate that an individual has received a specific service or visited a location for a specific purpose, and such inferences are often unreliable. Further, location information could be obtained through legal means, such as observing a person visiting a sensitive location and then obtaining the individual’s address from public records. Finally, the FTC’s lawsuit would need to state, at least approximately, how many individuals could suffer privacy violations as a result of the sale of the data by Kochava. The FTC failed to state how many people are likely to be injured.

While the complaint was dismissed, Judge Winmill agreed that consumers have no reasonable way of avoiding potential harms that are caused as a result of Kochava’s business practices and that any benefits that come from the sale of the data do not outweigh the harms that can be caused. The FTC has been given a further 30 days to refile the lawsuit with strengthened arguments that the privacy violations will likely cause substantial injury to consumers.

The post Federal Court Dismisses FTC Complaint Against Kochava appeared first on HIPAA Journal.

Pittsburgh Counselor Fined $15,000 for HIPAA Right of Access Violation

The HHS’ Office for Civil Rights has announced its 44th enforcement action under its HIPAA Right of Access initiative with a $15,000 financial penalty for David Mente, MA, LPC, a licensed counselor who provides psychotherapy services in Pittsburgh, PA.

The HIPAA Right of Access allows individuals to obtain a copy of their health information. Healthcare providers are required to respond to requests and provide the requested records within 30 days of the request being received, although a 30-day extension is possible in certain circumstances. This case stemmed from a complaint from a father of three children who requested a copy of his minor children’s medical records from Mente in December 2017. The complainant was the personal representative of his children and should have been provided with the records as requested.

After receiving the complaint, OCR contacted Mente, provided technical assistance on the HIPAA Right of Access, and closed the complaint. The father made a second request for a copy of the records in April 2018; however, Mente again failed to provide the requested records, despite having received technical assistance from OCR. That led to the father filing a second complaint with OCR.

OCR reopened the case and determined that the failure to provide the requested records was a potential violation of the HIPAA Right of Access. Mente chose not to contest the proposed penalty and settled the case with OCR. In addition to the financial penalty, Mente agreed to adopt a corrective action plan to address the noncompliance. The corrective action plan includes the requirement to review and revise policies and procedures for individual access to PHI, to provide privacy training to the workforce on individuals’ access to their PHI, and to make a good faith effort to provide the complainant with the requested records or to deny access, in whole or in part, consistent with 45 C.F.R. 164.524(3).

This is the third financial penalty to be imposed by OCR in 2023 to resolve potential violations of the HIPAA Rules and follows on from a $1,250,000 settlement with Banner Health and a $16,500 settlement with Life Hope Labs LLC.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records. HIPAA-regulated entities should be proactive and work to ensure patients and their representatives can access records.”


Patient No Longer Seeking Injunction to Force Healthcare Provider to Pay Ransom

There has been an update to a lawsuit filed against Lehigh Valley Health Network over a ransomware attack that involved the theft of sensitive patient data and the publication of naked images of patients on the Internet.

Lehigh Valley Health Network detected the ransomware attack on February 6, 2023, and was issued with a ransom demand. The BlackCat group threatened to release the stolen data online if the ransom was not paid. While it is common for ransomware gangs to steal sensitive data and publish files if the victim fails to cooperate, the BlackCat ransomware group took the extortion a step further and published naked images of patients to pressure Lehigh Valley Health Network into paying the ransom. The images in question were clinically appropriate for radiation oncology treatment and showed patients naked from the waist up. The ransomware group was seeking payment of approximately $5 million. Lehigh Valley Health Network chose not to pay the ransom.

A lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania, which alleged Lehigh Valley Health Network failed to adequately protect patient data and failed to meet its obligations under the Health Insurance Portability and Accountability Act (HIPAA). The lead plaintiff, Jane Doe, had her naked images posted by the group. She maintains that she was not aware that the photographs had been taken.

The lawsuit sought class action status, a jury trial, and remedies including damages, reimbursement of out-of-pocket costs, and equitable and injunctive relief, including an order from the court compelling Lehigh Valley Health Network to improve its data security systems and provide identity theft protection services for the plaintiff and class.

Court Order Sought to Force Lehigh Valley Health Network to Pay the Ransom

One of those remedies sought by the plaintiff concerned the removal of her partially naked photographs from the Internet. Lehigh Valley Health Network no longer had control of those photographs, so the plaintiff sought a court order compelling Lehigh Valley Health Network to pay the ransom and obtain a pledge from the BlackCat group that the images would be removed from the Internet.

The plaintiff’s legal team said the plaintiff is worried that she may be identified by the images, that they may be viewed by her employer or people at work, and that she would be constantly worried that the images would be discovered for as long as they were available online. The patient’s attorney claimed images stolen by the group had been published online and could be found by searching using the individuals’ names, and that this was a deeply upsetting violation of patient privacy. The move to compel Lehigh Valley Health Network to pay the ransom was the only way that the plaintiff’s legal team could get the images removed from the Internet. The request was unusual, but this was not a typical ransomware and extortion attempt.

The request raised some important legal issues that U.S. District Court Judge Malachy E. Manion moved to address. Judge Manion questioned the plaintiff’s legal team on the legality of the request and whether the court had the authority to force a defendant to commit a potentially illegal act. U.S. law does not generally prohibit the payment of a ransom for the return of people or goods; however, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) can impose sanctions on organizations that pay ransoms to cyber actors covered by its sanctions program.

In response to the request, Judge Manion ordered the plaintiff’s attorneys to file a brief in support of their preliminary injunction, “specifically providing authority that the court may force a party to comply with an illegal act or pay an illegal ransom.” On April 18, 2023, the plaintiff dropped the request for the injunction to force Lehigh Valley Health Network to pay the ransom.


90 Degree Benefits Facing Class Action Lawsuit Over 181,500-Record Data Breach

A lawsuit has been filed against 90 Degree Benefits over a breach of the protected health information of 181,543 individuals. Unauthorized system activity was detected on or around December 10, 2022, and the forensic investigation determined its systems had been accessed by unauthorized individuals between December 5, 2022, and December 10, 2022. During that time, the attackers had access to parts of its network that contained patients’ and health plan members’ names, addresses, dates of birth, Social Security numbers, health information, and payment information. Affected individuals were notified about the breach by mail on or around April 7, 2023.

The lawsuit alleges 90 Degree Benefits knew or should have been aware that it was a target for hackers, given the extent to which the healthcare industry has been targeted in recent years, especially considering 90 Degree Benefits experienced a similar data breach in February 2022. The February data breach should have made it clear that its data security measures were not sufficient and needed to be improved, yet despite that earlier breach, data security was still inadequate.

The lawsuit alleges the plaintiffs have incurred out-of-pocket expenses and have had to spend time protecting against misuse of their data, and that they are at imminent risk of identity theft and fraud, with that risk continuing for years to come. As a result, the plaintiffs and class members will likely have to continue investing time and money to protect themselves from fraud for the rest of their lives.

The lawsuit alleges negligence, breach of implied contract, and violations of the Wisconsin Deceptive Trade Practices Act and Wisconsin Confidentiality of Health Records Law. The lawsuit seeks class action certification, a jury trial, damages, reimbursement of out-of-pocket expenses, and injunctive relief, including encryption of data, changes to data retention practices, the implementation of a comprehensive information security program, regular third-party security audits/penetration tests, and for the court to prohibit 90 Degree Benefits from storing protected health information in cloud-based databases.

The lawsuit names 90 Degree Benefits Inc. and 90 Degree Benefits, LLC as the defendants and the plaintiffs as Steven Greek and Jon Boyajian. The lawsuit was filed in the U.S. District Court for the Eastern District of Wisconsin. The plaintiffs and class are represented by attorneys from the law firms Ademi LLP, Murphy Law Firm, and Federman & Sherwood.


One Brooklyn Health Sued over 235K-Record Data Breach

One Brooklyn Health, a New York City-based network of three acute care hospitals – Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center – is facing a class action lawsuit over a data breach that was discovered in November 2022.

On November 19, 2022, One Brooklyn Health identified suspicious activity within its computer network. The network was immediately secured, and the forensic investigation confirmed that an unauthorized third party had intermittently accessed its network between July 9, 2022, and November 19, 2022. The document review took until March 21, 2023, and notification letters were sent on April 20, 2023. The information exposed and potentially stolen in the attack included names, dates of birth, billing and claims data, treatment details, medical record numbers, prescriptions, health insurance information, and Social Security numbers. More than 235,000 patients were affected.

On April 26, 2023, a lawsuit was filed in the Supreme Court of the State of New York, County of Kings, on behalf of plaintiff Kiya Johnson and similarly situated individuals by the law firms Wittels McInturff Palikovic and Shub & Johns LLC. The lawsuit alleges One Brooklyn Health knew that it stored sensitive patient information, that it was a target for cybercriminals, and that it was obligated under the Health Insurance Portability and Accountability Act to protect that data, yet failed to implement reasonable and appropriate security measures, thus allowing unauthorized individuals to access its network and steal patient data.

The lawsuit alleges the plaintiff and class members have had to spend considerable time and money protecting themselves against misuse of their protected health information and that they have and will continue to suffer harm and have been placed at an imminent, immediate, and continuing risk of identity theft and fraud. The lawsuit states 8 causes of action: negligence (plaintiff and class), negligence per se, breach of fiduciary duty, breach of confidence, intrusion upon seclusion/invasion of privacy, breach of implied contract, unjust enrichment, and violations of New York General Business Law.

The lawsuit seeks class action status, a jury trial, damages, restitution, and injunctive relief, with the latter including improvements to data security practices.


Former Methodist Hospital Employees Plead Guilty to Criminal HIPAA Violations

Five former Methodist Hospital employees have pleaded guilty to criminal violations of HIPAA for accessing and disclosing the information of patients to a third party for financial gain. The former hospital workers were contacted by Roderick Harvey, 41, of Memphis, and were paid to provide him with the names and telephone numbers of patients who had been involved in motor vehicle accidents. The data collected by Harvey was then sold to personal injury attorneys and chiropractors.

The HIPAA Privacy Rule prohibits healthcare workers from accessing patient data unless there is a valid work reason for doing so, and disclosures of patient data to third parties are not permitted unless there is a valid reason for the disclosure (treatment, payment, business operations) or consent is obtained from the patient. Accessing and disclosing patient information for financial gain without the consent of the patients is a criminal offense.

Between November 2017 and December 2020, Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 31, Melanie Russell, 41, and Adrianna Taber, 26, violated HIPAA and provided Harvey with patient information. The former employees were terminated for the HIPAA violations, and along with Harvey, were indicted by a federal grand jury in November 2022. Harvey faced a conspiracy charge and seven counts of obtaining patient information with the intent to sell it for financial gain. The former Methodist Hospital employees were separately charged for violating HIPAA.

Harvey pled guilty to the conspiracy charge on April 21, 2023, and will be sentenced on August 1, 2023. Harvey faces up to five years in jail, a fine of up to $250,000, and three years of supervised release. Dandridge, Taylor, Thompson, Russell, and Taber each face a maximum of one year in jail, $50,000 fine, and one year of supervised release and will be sentenced on five separate dates between April 25, 2023, and June 21, 2023.


Utah Updates Data Breach Notification Requirements

Utah has updated its data breach regulations and from May 3, 2023, will require a breached entity to send a notification to the Utah Attorney General in the event of a breach of the personal information of 500 or more Utah residents.

The new law applies to persons who own or license computerized data that includes the personal information of Utah residents. If a system security breach is discovered, a prompt investigation should be conducted to determine the likelihood that personal information has been or will be misused for identity theft or fraud. If it is determined that identity theft or fraud has occurred, or is likely to occur, notifications must be issued to each affected Utah resident and a notification must be sent to the Utah Attorney General and the newly created Utah Cyber Center.

If the investigation determines that 1,000 or more individuals have experienced identity theft or fraud or are reasonably likely to experience fraud as a result of the security breach, then notifications must be provided to each national consumer reporting agency that maintains data on consumers.

The new requirements do not include a maximum time limit for sending notifications but state that notifications must be provided “in the most expedient time possible without unreasonable delay,” after investigating, determining the extent of the breach, notifying law enforcement, and restoring the integrity of the system.

If a person who maintains computerized data that includes personal information experiences a breach and the person does not own or license the data, that individual must notify and cooperate with the owner or licensee of the information of any breach of system security immediately following the discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur.

Notifications must be issued by first class mail to the most recent address of an individual that is on file, or electronically if that is the primary method of communication for that individual, or by telephone. If it is not feasible to issue notifications by those means, notifications must be provided to a newspaper of general circulation.

Organizations that are covered by HIPAA and are compliant with the HIPAA Breach Notification Rule will be compliant with the new requirements provided they send data breach notifications to the Utah Attorney General and Utah Cyber Center and, if applicable, alert consumer reporting agencies.

New Utah Cyber Center

The new Utah Cyber Center will be operated in partnership with the Statewide Information and Analysis Center, the State Bureau of Investigation, and the Division of Emergency Management, and will collaborate with the Office of the Attorney General, the Cybersecurity Commission, the Utah Education and Telehealth Network, and the Cybersecurity and Infrastructure Security Agency.

The Utah Cyber Center will promote cybersecurity best practices, share cyber threat intelligence with government entities and public and private sector organizations, and will serve as the state cybersecurity incident response hotline to receive reports of security breaches. It will also develop incident response plans for managing risks due to attacks on critical information technology systems within the state and develop a sharing platform to provide resources based on information and cybersecurity best practices.


March 2023 Healthcare Data Breach Report

Our monthly data breach reports are based on data breaches of 500 or more records that have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) each month. The monthly reports provide an indication of the extent to which healthcare data breaches are increasing, decreasing, or remaining flat. To view longer-term healthcare data breach trends, visit our healthcare data breach statistics page.

Healthcare Data Breaches Reported in March 2023

In March, 63 breaches of 500 or more records were reported to OCR, which is a 46.51% increase from February, 6.92% more than the 12-month average, and 40% more breaches than in March 2022.

[Chart: March 2023 Healthcare Data Breach Report – breaches reported per month over the past 12 months]

There was a 15.62% month-over-month increase in breached records, with 6,382,618 records exposed or impermissibly disclosed across the 63 data breaches. That’s 36% more records breached than the 12-month average and 76.46% more breached records than in March 2022.

[Chart: March 2023 Healthcare Data Breach Report – records breached per month over the past 12 months]

Largest Healthcare Data Breaches

In March, 22 healthcare data breaches were reported that impacted more than 10,000 individuals, up from 17 such breaches in February 2023. Four of those breaches, including the largest data breach of the month, were due to the use of tracking code on websites that collected individually identifiable website visitor data. The data collected was used for analytics purposes but was transferred to the providers of the code. Those third parties included, but were not limited to, Meta (Facebook), Instagram, and Google. These tracking tools are not prohibited by the HIPAA Privacy Rule, but if they are used, consent must be obtained, or the disclosure must be permitted by the Privacy Rule and a business associate agreement must be in place with the provider of the code. We can expect to see many more of these breaches reported over the coming weeks and months. According to a recently published study, 99% of U.S. hospitals have used these tools on their websites. Relatively few have reported tracking code-related data breaches to OCR.

Malicious actors continue to use ransomware in their attacks on healthcare organizations. Three of the top 22 data breaches were confirmed as involving ransomware, and several other hacking incidents were reported that involved network disruption but were not reported as involving ransomware. Several threat actors that are known to use ransomware in their attacks on the healthcare sector are now choosing not to encrypt files; instead, they just steal data for extortion. For example, the Clop ransomware group typically deploys ransomware in its attacks, but in recent attacks that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, ransomware was not deployed. The group stole data from 130 organizations in the attacks, including Community Health Systems Professional Services Corporations and US Wellness Inc, both of which are in the top 22 list.

There were three 10,000+ record data breaches involving the hacking of email accounts, through phishing or other means. Phishing attacks are common in healthcare, and while these attacks can be difficult to prevent, it is possible to limit the harm caused by placing time limits on how long emails are stored in email accounts. Emails often need to be retained for compliance with HIPAA and other laws, but moving them to a secure archive can reduce the extent of a data breach if email accounts are compromised. One of the phishing attacks saw a single email account compromised that contained the PHI of more than 77,000 individuals.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Cerebral, Inc | DE | Business Associate | 3,179,835 | Website tracking code – Impermissible disclosure to third parties |
| ZOLL Services LLC | MA | Healthcare Provider | 997,097 | Hacking incident (details not made public) |
| Community Health Systems Professional Services Corporations (CHSPSC), LLC | TN | Business Associate | 962,884 | Hacking of Fortra’s GoAnywhere MFT solution |
| Santa Clara Family Health Plan | CA | Health Plan | 276,993 | Hacking incident involving business associate – no information available |
| Monument, Inc. | NY | Business Associate | 108,584 | Website tracking code – Impermissible disclosure to third parties |
| Bone & Joint Clinic, S.C. | WI | Healthcare Provider | 105,094 | Hacking incident: Network disruption and data theft |
| Florida Medical Clinic, LLC | FL | Healthcare Provider | 94,132 | Ransomware attack |
| Healthy Options dba Postal Prescription Services – Kroger | OH | Healthcare Provider | 82,466 | Impermissible disclosure of PHI to Kroger |
| NorthStar Emergency Medical Services | AL | Healthcare Provider | 82,450 | Hacking incident (details not made public) |
| Merritt Healthcare Advisors | CT | Business Associate | 77,258 | Unauthorized accessing of employee email account |
| NewYork Presbyterian Hospital | NY | Healthcare Provider | 54,396 | Website tracking code – Impermissible disclosure to third parties |
| Trinity Health | MI | Business Associate | 45,350 | Phishing attack: employee email account compromised |
| UHS of Delaware, Inc. | PA | Business Associate | 40,290 | Unauthorized accessing of employee email account |
| SundaySky, Inc. | NY | Business Associate | 37,095 | Hacked cloud server – data theft confirmed |
| Denver Public Schools Medical Plans | CO | Health Plan | 35,068 | Hacked network server – data theft confirmed |
| Atlantic General Hospital | MD | Healthcare Provider | 26,591 | Ransomware attack |
| UC San Diego Health | CA | Healthcare Provider | 23,000 | Website tracking code used by a business associate – Impermissible disclosure to third parties |
| Tallahassee Memorial Healthcare, Inc. | FL | Healthcare Provider | 20,376 | Hacked network server – data theft confirmed |
| Northeast Surgical Group, PC | MI | Healthcare Provider | 15,298 | Hacked network server |
| Health Plan of San Mateo | CA | Health Plan | 11,894 | Unauthorized accessing of employee email account |
| US Wellness Inc. | MD | Business Associate | 11,459 | Hacking of Fortra’s GoAnywhere MFT solution |
| Codman Square Health Center | MA | Healthcare Provider | 10,161 | Ransomware attack |

Causes of March 2023 Data Breaches

The majority of the month’s reported breaches were classified as hacking/IT incidents, as has been the case for many months. While hacking incidents usually account for the vast majority of breached records, in March they accounted for only 54.29% of the month’s breached records due to very large data breaches caused by the use of tracking technologies. The average size of a hacking incident in March was 73,724 records and the median breach size was 2,785 records.

[Chart: March 2023 Healthcare Data Breach Report – causes of March 2023 data breaches]

There were 14 data breaches reported as unauthorized access/disclosure incidents and while they only accounted for 22.22% of the month’s data breaches, they were responsible for 45.65% of the breached records, mostly due to the website tracking code breaches. The average breach size was 208,114 records and the median breach size was 2,636 records. There was one theft incident reported involving the protected health information of 3,013 individuals and one improper disposal incident involving 999 records.

[Chart: March 2023 Healthcare Data Breach Report – location of breached PHI]

Where Did the Breaches Occur?

The entity reporting a data breach is not always the entity that experienced the breach. Business associates of HIPAA-covered entities may self-report breaches, but it is common for the covered entity to report them. The data submitted to OCR indicates breaches occurred at 33 healthcare providers, 24 business associates, and 6 health plans. The pie charts below are based on where the breaches actually occurred rather than on the reporting entity, as this provides a clearer picture of the extent to which data breaches are occurring at business associates.

[Pie chart: March 2023 Healthcare Data Breach Report – breaches at HIPAA-regulated entities]

The pie chart below shows the extent to which patient and health plan member records have been exposed or compromised at business associates. 75.4% of the month’s breached records were due to data breaches at business associates.

[Pie chart: March 2023 Healthcare Data Breach Report – records breached at HIPAA-regulated entities]
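The category figures (count, record share, mean and median size) and the "where did the breach occur" split above are straightforward to reproduce from a breach list. The following is an added example, not HIPAA Journal's code: it takes the 22 entries from the 10,000+ record table above, adds two fields by hand (the OCR breach category, read from the cause column, and where the breach occurred, which is assumed to be a business associate for the two entries whose cause column points at one), and aggregates them the way the report does. Because only these 22 breaches are included rather than the month's full 63, the percentages will not match the ones in the text.

```python
"""Aggregate a month's breach list the way the monthly report does.

Added example, not HIPAA Journal's code. The records are the 22 entries from
the report's 10,000+ table. Two fields are added by hand: `category` (the OCR
breach category, read from the cause column) and `occurred_at` (assumed to be
the business associate for the two entries whose cause column names one).
"""
from collections import defaultdict
from statistics import mean, median
from typing import NamedTuple

HACK = "Hacking/IT incident"
UAD = "Unauthorized access/disclosure"
BA, HP, PLAN = "Business Associate", "Healthcare Provider", "Health Plan"


class Breach(NamedTuple):
    entity: str
    reported_by: str   # entity type that filed the OCR report
    occurred_at: str   # entity type where the breach actually happened
    records: int
    category: str


BREACHES = [
    Breach("Cerebral, Inc", BA, BA, 3_179_835, UAD),
    Breach("ZOLL Services LLC", HP, HP, 997_097, HACK),
    Breach("CHSPSC, LLC", BA, BA, 962_884, HACK),
    Breach("Santa Clara Family Health Plan", PLAN, BA, 276_993, HACK),  # assumed: cause names a BA
    Breach("Monument, Inc.", BA, BA, 108_584, UAD),
    Breach("Bone & Joint Clinic, S.C.", HP, HP, 105_094, HACK),
    Breach("Florida Medical Clinic, LLC", HP, HP, 94_132, HACK),
    Breach("Healthy Options dba Postal Prescription Services", HP, HP, 82_466, UAD),
    Breach("NorthStar Emergency Medical Services", HP, HP, 82_450, HACK),
    Breach("Merritt Healthcare Advisors", BA, BA, 77_258, HACK),
    Breach("NewYork Presbyterian Hospital", HP, HP, 54_396, UAD),
    Breach("Trinity Health", BA, BA, 45_350, HACK),
    Breach("UHS of Delaware, Inc.", BA, BA, 40_290, HACK),
    Breach("SundaySky, Inc.", BA, BA, 37_095, HACK),
    Breach("Denver Public Schools Medical Plans", PLAN, PLAN, 35_068, HACK),
    Breach("Atlantic General Hospital", HP, HP, 26_591, HACK),
    Breach("UC San Diego Health", HP, BA, 23_000, UAD),  # assumed: tracking code used by a BA
    Breach("Tallahassee Memorial Healthcare, Inc.", HP, HP, 20_376, HACK),
    Breach("Northeast Surgical Group, PC", HP, HP, 15_298, HACK),
    Breach("Health Plan of San Mateo", PLAN, PLAN, 11_894, HACK),
    Breach("US Wellness Inc.", BA, BA, 11_459, HACK),
    Breach("Codman Square Health Center", HP, HP, 10_161, HACK),
]


def total_records(breaches):
    """Records exposed or impermissibly disclosed across the whole list."""
    return sum(b.records for b in breaches)


def by_category(breaches):
    """Per OCR category: breach count, record total, share of all records (%),
    mean and median breach size. Median is the more honest 'typical' size
    because one very large breach drags the mean up."""
    total = total_records(breaches)
    sizes = defaultdict(list)
    for b in breaches:
        sizes[b.category].append(b.records)
    return {
        cat: {
            "count": len(s),
            "records": sum(s),
            "record_share_pct": round(100 * sum(s) / total, 2),
            "mean": round(mean(s), 2),
            "median": median(s),
        }
        for cat, s in sizes.items()
    }


def record_share_by_entity(breaches, where="occurred_at"):
    """Share of breached records (%) per entity type. `where` selects the
    reporting entity ("reported_by") or the entity where the breach actually
    occurred ("occurred_at"); the two differ when a covered entity reports a
    breach that happened at its business associate."""
    total = total_records(breaches)
    acc = defaultdict(int)
    for b in breaches:
        acc[getattr(b, where)] += b.records
    return {k: round(100 * v / total, 2) for k, v in acc.items()}


if __name__ == "__main__":
    for cat, stats in by_category(BREACHES).items():
        print(cat, stats)
    print("by reporting entity:", record_share_by_entity(BREACHES, "reported_by"))
    print("by where it occurred:", record_share_by_entity(BREACHES, "occurred_at"))
```

The gap between the "reported_by" and "occurred_at" shares for business associates is exactly the effect the pie charts are meant to show: two covered-entity reports move roughly 300,000 records into the business associate column once they are attributed to where the breach happened.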

Geographical Distribution of March 2023 Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 U.S. states in March, with New York topping the list with 18 reported data breaches. The unusually high total was due to an attack on a business associate – Atlantic Dialysis Management Services – which reported the breach separately for each affected client and submitted 14 separate breach reports to OCR.

| State | Breaches |
|---|---|
| New York | 18 |
| California | 7 |
| Florida, Massachusetts, Ohio, Pennsylvania & Texas | 3 |
| Indiana, Kansas, Maryland, Michigan & Oregon | 2 |
| Alabama, Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Kentucky, New Jersey, Oklahoma, Tennessee, Wisconsin & West Virginia | 1 |

HIPAA Enforcement Activity in March 2023

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights in March, but there was one enforcement action by a state Attorney General. The New York Attorney General confirmed that a case had been settled with the law firm, Heidell, Pittoni, Murphy & Bach LLP. The law firm was investigated following a breach of the personal and protected health information of 61,438 New York residents to identify potential violations of HIPAA and New York laws. The law firm chose to settle the case with no admission of wrongdoing and paid a financial penalty of $200,000. The New York Attorney General alleged violations of 17 HIPAA provisions and implementation specifications, details of which can be found here.

While the Federal Trade Commission does not enforce HIPAA, the agency has started taking action over breaches of healthcare data by non-HIPAA-covered entities to resolve violations of the FTC Act and the FTC Health Breach Notification Rule. In February, the FTC announced that its first settlement had been reached for a health data breach notification failure, and that was followed up with a second enforcement action in March. The FTC announced that the online counseling service provider, BetterHelp, had agreed to settle alleged FTC Act violations related to impermissible disclosures of health data to third parties when users of its services had been told their information was private and confidential. While there was no fine, under the terms of the settlement, $7.8 million will be paid to the consumers affected by the breach and they must be notified per the Health Breach Notification Rule.


Mount Nittany Health Sued Over Alleged Website Tracking Code PHI Disclosures

Mount Nittany Health, a community healthcare provider and operator of the 260-bed Mount Nittany Medical Center in State College, Pennsylvania, is being sued over the alleged use of tracking code on its website and the impermissible disclosure of sensitive patient data to third parties such as Google and Facebook.

A recently published study indicates 99% of U.S. hospitals have used tracking code on their websites that collects the data of users as they navigate the website. The code is typically used to analyze website usage with a view to improving websites and services. The data collected is transmitted to the providers of that code and can be made available to third parties such as advertisers and is often used for serving targeted adverts and for other marketing purposes. Several health systems and hospitals have reported breaches of patient information due to the use of the code over the past few months, including Community Health Network, WakeMed Health and Hospitals, Advocate Aurora Health, and Novant Health, and lawsuits have been filed across the country in response to these disclosures, which are generally not permitted under the Health Insurance Portability and Accountability Act (HIPAA).

The Mount Nittany Health lawsuit was filed in Centre County Court in Pennsylvania on behalf of two unnamed plaintiffs, John and Jane Doe, by attorney George Bochetto of the law firm Bochetto & Lentz. The lawsuit claims the sensitive information of website visitors was collected via code such as Meta Pixel and was transferred to Meta and other third parties without the knowledge or consent of website users.

The code transferred personally identifiable information and information gathered from actions taken on the websites, from which it can be inferred that an individual was a patient of the medical center or was being treated for a specific medical condition. That information is used to sell advertising, and the website owners that install the code are provided with information about ads they have placed on social media networks such as Facebook and Instagram and are able to target individuals who visited their website with advertising.

The lawsuit alleges Mount Nittany Health is continuing to use tracking code on its website and has not notified individuals about the impermissible disclosures. At present, there is no notice on Mount Nittany Health’s website about a tracking code-related data breach and no data breach is listed on the HHS’ Office for Civil Rights breach portal. The lawsuit alleges invasion of privacy, breach of duty of confidentiality, unjust enrichment, and violations of the Wiretapping and Electronic Surveillance Control Act and seeks $1 million in damages.
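Both the March breach report above and this lawsuit turn on the same mechanism: analytics or advertising code (Meta Pixel, Google tags) embedded in a patient-facing site sends visitor data to the code's provider. The first step a covered entity can take is to know what third-party code its pages actually load. The following is an added example, not HIPAA Journal's code or any tracker vendor's, of a small offline audit: it parses a page's HTML and flags script, image and iframe sources on well-known tracker hosts, plus inline calls (`fbq(`, `gtag(`, `ga(`) that load or fire a pixel without a visible `<script src>`. The sample page, the pixel IDs in it and the starter list of tracker domains are all constructed for the demo.

```python
"""Audit an HTML page for third-party tracking code.

Added example, not HIPAA Journal's code. Scans markup for script/img/iframe
sources on well-known analytics and advertising hosts and for inline pixel
calls (fbq, gtag, ga). The sample page and pixel IDs below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Base domains of common analytics/advertising code (constructed starter list;
# extend it with whatever your own scans turn up). Subdomains match too.
TRACKER_DOMAINS = {
    "facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "googletagmanager.com": "Google Tag Manager / gtag.js",
    "google-analytics.com": "Google Analytics",
    "doubleclick.net": "Google Ads (DoubleClick)",
}
# Inline API calls that load or fire a pixel even when no <script src> is present.
INLINE_CALLS = [
    ("Meta Pixel", "fbq(", re.compile(r"\bfbq\(")),
    ("Google Tag Manager / gtag.js", "gtag(", re.compile(r"\bgtag\(")),
    ("Google Analytics", "ga(", re.compile(r"\bga\(")),
]
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def vendor_for_host(host):
    """Map a hostname to a tracker vendor, or None if it is not on the list."""
    host = (host or "").lower()
    for domain, vendor in TRACKER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None


class TrackerScanner(HTMLParser):
    """Collects (where, vendor, evidence) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the body of the current inline <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            vendor = vendor_for_host(urlparse(src).hostname)  # relative URLs have no host
            if vendor:
                self.findings.append((f"{tag} src", vendor, src))
        if tag == "script" and not src:
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for vendor, name, pattern in INLINE_CALLS:
                if pattern.search(body):
                    self.findings.append(("inline script call", vendor, name))
            for host in URL_HOST.findall(body):  # loader snippets embed the tracker URL
                vendor = vendor_for_host(host)
                if vendor:
                    self.findings.append(("inline script url", vendor, host))


def scan_page(html):
    """Return a list of (where, vendor, evidence) tuples for one page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def vendors(findings):
    """Distinct tracker vendors present on the page, sorted."""
    return sorted({vendor for _, vendor, _ in findings})


# Constructed sample: a "find a doctor" page carrying a Google tag and a Meta Pixel.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script>
  /* Meta Pixel loader, abbreviated; the pixel ID is a placeholder */
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="/static/app.js"></script>
</head><body>
<h1>Find a Doctor</h1>
<img height="1" width="1" style="display:none"
     src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1">
</body></html>
"""

if __name__ == "__main__":
    for where, vendor, evidence in scan_page(SAMPLE_PAGE):
        print(f"{where:20} {vendor:30} {evidence}")
    print("vendors:", vendors(SAMPLE_PAGE and vendors(scan_page(SAMPLE_PAGE))))
```

Run it over saved copies of the pages patients actually use (appointment booking, patient portal login, condition-specific service pages), not just the home page; a finding on any of those is the point at which the consent, Privacy Rule permission or business associate agreement question in the text has to be answered.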
