Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

The respiratory therapy supplier Lincare Inc., has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam.

On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’

After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge.

On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit survived a motion to dismiss and following mediation a settlement was agreed. Lincare has agreed to pay $875,000 to settle the case with no admission of liability. $550,000 will be paid in compensation for class members with a further $325,000 reserved to compensate class members who experience an eligible incident such as the filing of a fraudulent/false tax, opening of a fraudulent/false loan, or the opening of a fraudulent/false credit card.

W-2 Phishing Scams and How to Protect Against Them

Last year, more than 100 U.S. organizations fell victim to W-2 phishing scams during tax season, resulting in the disclosure of more than 120,000 employees’ W-2 information. Many of the employees whose personal information was exposed had their identities stolen and fraudulent tax returns filed in their names.

W-2 phishing scams are simple but highly effective. These Business Email Compromise (BEC) attacks involve a scammer posing as a senior executive. An email is sent to an employee in the finance, payroll, or HR department requesting copies of W-2 Forms of employees who have worked for the company in the past year.

In some cases, the email address of an executive is spoofed, although the most effective campaigns involve the use of the executive’s email account. Access to the account is usually gained through a phishing attack or by guessing a weak password using brute force tactics. The scam abuses trust in executives and the unwillingness of employees to question requests from senior executives.

Last year both the FBI and the IRS issued warnings over the sharp rise in BEC attacks during tax season, many of which targeted healthcare organizations and educational institutions. Databreaches.net tracks reports of successful W-2 phishing attacks and detailed 145 attacks in 2016 and well over 100 in 2017. The true figure will undoubtedly be considerably higher as not all companies publicly announce that they have fallen for such a scam.

The cost of the attacks can be considerable for the victims and, as this settlement shows, the companies whose employees have been fooled by the scams.

Preventing attacks requires a combination of administrative and technical measures.

  • Spam filtering solutions can reduce the potential for phishing emails to be delivered to employees and can block spoofed emails, although they will not block emails sent from a compromised email account.
  • The workforce, especially finance, payroll, and HR employees, should receive security awareness training and be alerted to the threat.
  • Consider introducing internal policies that prohibit executives from making requests for W2 information via email.
  • Policies should be developed that require any request for W-2 information via email to be verified by phone or face to face before any data are provided.

The post Lincare Settles W-2 Phishing Scam Lawsuit for $875,000 appeared first on HIPAA Journal.

GAO: Medical Records Can be Difficult and Expensive to Obtain

A recent audit conducted by the Government Accountability Office (GAO) has shown patients still face many challenges obtaining copies of their health information and healthcare providers and insurers are struggling to meet HIPAA requirements – and in some cases – are breaching HIPAA Rules.

A 21st Century Cures Act provision required GAO to conduct a study on patient access to medical records. The audit involved interviews with stakeholders, vendors, provider organizations, patient advocates, and state and HHS officials. The audit was conducted in four states – Ohio, Kentucky, Rhode Island and Wisconsin – which were chosen, in part, due to the range of fees charged for providing patients with copies of their medical records.

Under HIPAA, patients are permitted to request copies of their health records from their providers. Patients can request their health records in paper or digital form and the requests must be processed within 30 days. HIPAA-covered entities are allowed to charge a reasonable, cost-based fee for providing patients with copies of their health data.

Patients obtain copies of their health information for several reason: To take a more active role in their own healthcare, to take their medical records to new providers, to resolve disputes with their insurers, to provide to lawyers, or for disability claims.

Patients also make requests for their records to be forward on to another person or entity by their provider, such as when they want a second opinion from another physician. Third parties may also be instructed by patients to obtain copies of their health records – a lawyer for example.

The GAO audit determined that the fees charged by providers varied considerably from state to state and for different types of request.

Some states have established fee schedules, formulas and limits for allowable fees. Three of the states – Ohio, Rhode Island, and Wisconsin – have established per-page fee amounts and different rates for obtaining medical images such as copies of X-rays. Ohio has established a per-page fee amount for third party requests, Rhode Island has a maximum fee for providers that use an EHR for patient and patient-directed requests, while Kentucky allows patients to obtain one free copy of their medical records and sets a maximum charge of $1 per page for any additional copies.

While HIPAA stipulates that providers can only charge a reasonable, cost-based fee for patient requests and patient-directed requests, those limits do not apply to third party requests for copies of data, and the charges are often considerably higher.

Excessive Fees Charged for Providing Copies of Health Information

In 2016, the Department of Health and Human Services’ Office for Civil Rights issued guidance for HIPAA-covered entities on the fees that could be charged for providing patients with copies of their health information.  Even so, some providers are not following HIPAA Rules.

In the GAO report, examples are provided of the excessive fees that have been charged. One patient was charged a fee of $148 for a single PDF of their medical records, and two patients were each charged more than $500 for a single request to obtain a copy of their medical records. One patient was charged a retrieval fee by a release-of-information (ROI) vendor for a copy of her health records, even though such fees are not permitted under HIPAA. There have also been cases of providers charging annual subscription fees for providing access to medical records.

One problem faced by patients whose medical conditions have required many visits to physicians is the amount of data stored by their providers. Their health records span many pages and fees are charged per page. That can make obtaining copies of health records prohibitively expensive.

The GAO report indicates many patients have made attempts to obtain copies of their medical records from their providers but cancelled the requests when they discovered to cost of doing so. There have been cases where providers have refused patients who have requested copies of their health records and patients have failed to challenge their providers.

The report made it clear that even though efforts have been made to improve understanding of HIPAA Rules, many patients are still unsure of their rights under HIPAA.

Healthcare Organizations Face Major Challenges Providing Access to Health Records

It is not only a challenge for patients to obtain their health records. Many providers also face challenges finding and retrieving information and processing the requests. Often, patients’ data are stored in digital format and on paper/film. Paper records may be stored in different locations and digital records stored in multiple EHRs.

Many providers find it difficult to allocate the necessary resources to the task of providing copies of medical records to patients and staff struggle to find the time to process requests due to extremely busy workloads.

Thorough checks must be made of the records to make sure patients are only provided with data from their own records. Sometimes, the process of transferring data from physical records to digital versions result in different patient records being merged.

There are also security challenges. While HIPAA allows patients to receive digital copies of their data, on a memory stick for example, plugging in such a device could introduce a malware infection.

Some healthcare providers have eased the strain by making patient health information available through patient portals. This has helped reduce the number of requests for providing copies of health data. Unfortunately, patient portals do not contain entire health records and patients may not be able to get the information they need.

Interviews with OCR officials revealed hundreds of complaints have been submitted by patients who have experienced difficulties accessing their medical records. The most common complaints are the failure of a provider to process requests for copies of health information within 30 days, excessive fees for the information, the failure to respond to requests to send health records to caregivers and family members, and denying requests from parents to obtain copies of their children’s medical records.

OCR is currently considering whether any further guidance is required to clarify allowable fees under HIPAA Rules, further to the guidance it issued on the matter in 2016.

The post GAO: Medical Records Can be Difficult and Expensive to Obtain appeared first on HIPAA Journal.

Do You Have a GDPR Data Retention Policy?

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail?

GDPR Data Retention Rules

Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection.

Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained.

When data need to be retained, appropriate security controls should be applied to prevent the unauthorized accessing, use, or processing of data and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data retained remain accurate and are kept up to date and inaccurate data are removed.

GDPR data retention is covered in Article 5(e), which explains that data should only be retained for as long as is required to achieve the purpose for which data were collected and are being processed. The exceptions to this are when data need to be retained “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Recital 39 of GDPR explains that when data are retained, strict time limits should be established by the data controller to ensure data are not retained for longer than is strictly necessary. The data controller is required to conduct periodic reviews and ensure that data are securely erased when no longer required.

GDPR applies to personal data that could be used to identify an individual. If data are required to be kept for longer, the information should be de-identified to prevent individuals from being identified from the data.

There are good reasons for the rules on data retention. The longer data are kept, the greater the chance that data will become out of date and the harder it becomes to ensure data are accurate. In the event of a data breach, the more data that are stored on individuals, the greater the potential for harm.

Developing a Compliant GDPR Data Retention Policy

You should already have developed a GDPR data retention policy, although if you have yet to do so now is the time to conduct a review of your data retention policies and update them accordingly. Now is also the time to ensure that any personal data of EU residents that are currently stored are deleted if the original purpose for which they have been collected has been achieved.

To help with the creation of a GDPR data retention policy use the checklist below:

GDPR Data Retention Policy Checklist

  • Stipulate what data are covered by your policies
  • Set strict time limits on how long data are retained
  • Cover the methods that should be used to delete physical and digital data
  • Ensure it is explained, at the time of collection, how long data will be retained or how the decision will be made to delete data that are no longer required
  • Schedule regular reviews of stored data to determine whether the information is still required
  • Some types of data may need to be retained for longer than others. This should be detailed in your policy
  • It is particularly important to ensure that sensitive data are deleted promptly and are not stored for longer than is strictly necessary – Sensitive data includes sexual orientation, race, beliefs, and health information
  • Ensure your policy covers deletion of personal data if an EU resident exercises their right to be forgotten
  • Stipulate exceptions to general rules on data retention – federal and state laws, litigation holds etc.
  • Make sure that all employees are aware of your GDPR data retention policy.
  • A GDPR data retention policy must be documented. It may need to be provided to regulators in the event of an audit or investigation of a complaint.

GDPR Compliance Deadline

The General Data Protection Regulation becomes effective on May 25, 2018, after which severe financial penalties can be issued to companies and individuals who fail to meet the requirements of GDPR. The penalty for non-compliance with GDPR is up to 20 million Euros or 4% of global annual turnover, whichever is the greater.

If you are not yet compliant with GDPR requirements or have yet to start your compliance program, it is unlikely you will be able to comply with all aspects of GDPR ahead of the deadline. It is therefore essential that you have documentation that proves you have at least made an attempt to comply with the requirements of the GDPR and that your efforts are ongoing.

The post Do You Have a GDPR Data Retention Policy? appeared first on HIPAA Journal.