Texas Retina Associates Cyberattack Affects 312,000 Patients

A cyberattack on Texas Retina Associates has affected more than 312,000 patients; Human Technology Inc. has confirmed that patient data was compromised in a cyberattack; and the Monti ransomware group has claimed responsibility for a cyberattack on Wayne Memorial Hospital.

Texas Retina Associates Cyberattack Affects 312,000 Patients

Texas Retina Associates, the largest ophthalmology practice in Texas, has announced that there has been unauthorized access to its internal systems and the potential theft of sensitive patient data. Suspicious network activity was identified on March 27, 2024, and third-party cybersecurity specialists were engaged to investigate the activity. They confirmed that an unauthorized actor gained access to its network on October 8, 2023, and maintained access until the breach was detected.

Texas Retina Associates said it is unaware of any misuse of patient data and is issuing notifications “out of an abundance of caution” as files have been exposed that contained patient data. The file review confirmed that the exposed data included first and last name, address, phone number, email address, birth date, gender, Social Security number, medical record number, clinical information, prescription information, medical information, health information, and health insurance information.

The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 312,867 current and former patients. Texas Retina Associates has confirmed that its systems have been secured, additional cybersecurity safeguards have been implemented, cybersecurity policies and procedures have been enhanced, and additional cybersecurity training has been provided to its workforce. A helpline has been established for individuals to obtain further information about the breach (888-498-3901). The helpline is manned from 8 a.m. to 8 p.m. Central Time. The substitute breach notice on the Texas Retina Associates website makes no mention of complimentary credit monitoring or identity protection services being offered.

Human Technology Inc.

The Jackson, TN-based prosthetics and orthotics company, Human Technology Inc., and its affiliates Greer Orthotics & Prosthetics, Murphy’s Orthopedic & Footcare, and Hi-Tech Prosthetics & Orthotics have been affected by a data security incident that was detected on March 15, 2024.

An internal investigation was launched to identify the source of anomalous network activity and a digital forensics firm was engaged to assist with the investigation. The investigation was completed on or around May 31, 2024, and confirmed that an unauthorized actor gained access to a computer system used by Human Technology and its affiliates and potentially viewed or obtained patient data. The exposed data included names, addresses, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license numbers, passport numbers, payment card numbers/expiry dates, account numbers, routing numbers, and tax IDs.

Notification letters were mailed to the affected individuals on June 28, 2024, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Human Technology said it is unaware of any misuse of the affected data. To improve security and reduce the risk of similar incidents in the future, Human Technology has implemented additional safeguards, including EDR monitoring. A helpline has been established for individuals seeking further information on the breach ((866) 528-4805). The helpline is manned from 8:00 a.m. to 5:30 p.m. Central Time.

The incident is not yet shown on the HHS’ Office for Civil Rights website so it is currently unclear how many individuals have been affected.

Ransomware Group Claims Responsibility for Attack on Wayne Memorial Hospital

The Monti ransomware group has claimed responsibility for a cyberattack on Wayne Memorial Hospital, an 11-bed non-profit hospital in Honesdale, PA. The hospital has yet to announce any cyberattack or data breach. The hospital has been added to the Monti group’s data leak site, but no data is currently listed for download. The group says it has given the hospital until July 8, 2024, to pay the ransom demand and will leak the stolen data if payment is not made.

The post Texas Retina Associates Cyberattack Affects 312,000 Patients appeared first on The HIPAA Journal.

OSHA Proposes Heat Injury and Illness Prevention Rule

The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has proposed the first federal workplace heat standard to protect millions of Americans from the health risks associated with exposure to extreme heat. Heat is the leading cause of weather-related deaths in the United States and caused an average of 40 workplace fatalities a year between 2011 and 2022. During that period, an estimated 33,890 employees took time off work due to heat-related injuries and illnesses, although the actual number is likely to be significantly higher.

Heat-related injuries, illnesses, and fatalities are not only weather-related. Employees working in indoor environments can be exposed to dangerous heat levels if their place of work lacks adequate climate controls, especially in areas with heat-generating processes such as ovens and furnaces. Some employees, such as pregnant women, face a greater risk from heat exposure, and workers of color and migrant workers are more likely to be employed in locations where they are exposed to hazardous heat levels.

The proposed rule requires employers to develop an injury and illness prevention plan, evaluate heat risks in indoor and outdoor work environments, and ensure that steps are taken to reduce the risks to workers. Those measures include making drinking water available, ensuring workers get adequate rest breaks, and implementing measures to control indoor heat. Employers must also develop a plan to protect new and returning workers who may not be accustomed to working in high-heat conditions. Training must be provided to workers to ensure that they are aware of heat risks, and procedures must be developed that can be followed in the event of a worker showing symptoms of heat-related illness. If those symptoms are observed, immediate action must be taken to assist those workers.

An initial heat trigger of 80°F requires employers to provide drinking water and a break area at indoor and outdoor worksites, acclimatize new and returning workers, and provide paid breaks if needed. When heat levels rise past the second heat trigger of 90°F, employers must give workers a 15-minute paid rest break at least every 2 hours and display warning signs in areas of excessive heat, among other measures.

A notice of proposed rulemaking (NPRM) will soon be published in the Federal Register, although an unofficial copy of the rule is available here and OSHA has published a fact sheet on the heat standard rulemaking. OSHA welcomes feedback from the public on the proposed rule once it has been published in the Federal Register. After the comment period closes, OSHA anticipates holding a public hearing ahead of the publication of a final rule. The aim is to issue a final rule that ensures workers are protected, hazards are reduced, and that the measures required are feasible for employers.

“Every worker should come home safe and healthy at the end of the day, which is why the Biden-Harris administration is taking this significant step to protect workers from the dangers posed by extreme heat,” said Acting Secretary of Labor Julie Su. “As the most pro-worker administration in history, we are committed to ensuring that those doing difficult work in some of our economy’s most critical sectors are valued and kept safe in the workplace.”


Seattle Plastic Surgery Practice to Pay $5 Million to Resolve False Review and Illegal NDA Lawsuit

A Seattle, WA, plastic surgery practice has been ordered to pay a financial penalty of $5 million to the Office of the Washington Attorney General to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the Washington Consumer Protection Act (CPA), and the federal Consumer Review Fairness Act (CRFA).

Dr. Javad Sajan, the owner of Allure Esthetic, has offices in Washington and other states and provides surgical and non-surgical plastic and cosmetic procedures, operating as Allure Esthetic, Gallery of Cosmetic Surgery, Seattle Plastic Surgery, Alderwood Surgical Center, Northwest Nasal Sinus Center, and Northwest Face and Body.

Washington Attorney General Bob Ferguson filed a lawsuit against Allure Esthetic and Dr. Sajan alleging that the practice falsified online reviews to inflate the plastic surgeon’s reputation. According to the lawsuit, between 2017 and 2019, Dr. Sajan forced patients to sign illegal non-disclosure agreements that prohibited them from posting any negative online comments about Allure Esthetic. Those non-disclosure agreements were only provided after a $100 non-refundable consultation fee had been paid. The non-disclosure agreements also required some patients to waive their HIPAA rights to allow the practice to respond to negative reviews using their personal health information.

Patients who were unhappy with their treatment and posted negative reviews were offered money and free services if they agreed to take down their reviews, and were threatened with fines if they posted negative reviews in the future. Some patients were sued when they refused to take down their truthful reviews. Dr. Sajan was also accused of instructing employees to set up fake email accounts posing as patients to post fake, positive reviews on sites such as Yelp and Google, and altering before and after photographs before they were added to the company’s social media accounts. Dr. Sajan was also accused of rigging “best doctor” competitions hosted by local media outlets, and applying for and retaining tens of thousands of dollars in rebates that should have been provided to patients.

In April 2024, a federal judge ruled that Allure’s non-disclosure agreements violated the Consumer Review Fairness Act (CRFA), which protects consumers’ rights to post truthful reviews about a business, and that Allure Esthetic’s practices violated HIPAA and the CPA. The consent decree issued by the U.S. District Court for the Western District of Washington requires Allure to pay $1.5 million in restitution to around 21,000 Washington residents. Each of those individuals will receive a check for $50 or $120, based on their circumstances. If they were forced to sign a non-disclosure agreement they will receive $50, and if they paid the non-refundable fee, they will receive $120 as a refund of the fee plus interest.

Allure is required to notify all individuals by mail that they will be receiving a check as a result of the Attorney General’s lawsuit and that they have been freed from the terms of their illegal NDAs. Allure must also send them their checks along with a letter from the Attorney General’s Office. The remaining $3.5 million of the settlement will go to the Attorney General’s Office to cover attorneys’ fees, investigation and prosecution costs, future monitoring, and enforcement of the decree and Washington’s consumer protection laws.

Allure is also required to conduct an audit of all review sites and request the removal of any review that Allure was involved in creating, posting, or shaping, and must remove any misleading photographs from its social media platforms. Allure is prohibited from altering future before and after photographs and using and attempting to enforce illegal non-disclosure agreements. Allure must also pay for a third-party forensic accounting company to conduct a full audit of its consumer rebate program to identify all consumers owed rebates that were illegally claimed by Allure.

“Writing a truthful review about a business should not subject you to threats or intimidation,” said AG Ferguson. “Consumers rely on reviews when determining who to trust, especially services that affect their health and safety. This resolution holds Allure accountable for brazenly violating that trust — and the law — and ensures the clinic stops its harmful conduct. We will take action against any business that attempts to silence and intimidate honest Washingtonians.”
