Concentra Health Services Sued Over PJ&A Data Breach

Concentra Health Services is facing a class action lawsuit over a data breach at one of its business associates that exposed the data of almost 4 million of its patients. Concentra used the transcription service provider PJ&A, and during the normal course of business, PJ&A had access to patients' protected health information (PHI). PJ&A detected suspicious activity within its network on May 2, 2023, and the forensic investigation confirmed that unauthorized individuals had access to its systems between March 27, 2023, and May 2, 2023, and acquired sensitive information. In January 2024, Concentra confirmed that the PHI of 3,998,162 patients was compromised in the attack. In total, the PJ&A data breach is known to have affected more than 14 million individuals.

A lawsuit has recently been filed against Concentra Health Services Inc., its parent company Select Medical Holdings Inc., and Perry Johnson & Associates Inc., by plaintiff Stephen Tate, whose sensitive information was compromised in the attack. According to the lawsuit, the hackers behind the attack gained access to a system where the data of Concentra patients was stored between April 7 and April 19, 2023. The compromised information included names, dates of birth, addresses, Social Security numbers, insurance and clinical information, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.

According to the lawsuit, the defendants must comply with the Health Insurance Portability and Accountability Act (HIPAA) which requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), but the defendants willfully, recklessly, or negligently maintained patient data, which was neither properly secured nor encrypted, even though there had been a substantial increase in cyberattacks prior to the PJ&A data breach and numerous warnings had been issued by federal agencies about the high risk of cyberattacks on healthcare organizations and their business associates.

Further, prompt notifications were not issued to the affected individuals, who did not find out that they had been affected until several months after the breach occurred. The delay in notification allowed cybercriminals to monetize, misuse, or disseminate the stolen data before the victims could take steps to protect themselves. The plaintiff alleges that it took PJ&A until November 2023 to notify Concentra about the breach, and Concentra didn’t issue individual notifications until February 2024, more than 6 months after the data breach occurred.

The plaintiff claims to have spent considerable time mitigating the impact of the data breach and will be forced to continue to spend time monitoring his accounts and taking other steps to protect himself against identity theft and fraud. The lawsuit makes four claims for relief: negligence, breach of implied contract, unjust enrichment, and breach of confidence. The lawsuit seeks class action certification, a jury trial, monetary relief – including actual damages, statutory damages, equitable relief, restitution, disgorgement, and statutory costs – and injunctive relief, as well as the cost of a lifetime of credit monitoring and identity theft protection services.

The plaintiff and class are represented by Tiffany Marko Yiatras and Francis J. Casey of Consumer Protection Legal, LLC.

The post Concentra Health Services Sued Over PJ&A Data Breach appeared first on HIPAA Journal.

Tennessee Orthopaedic Clinics Settles Class Action Data Breach Lawsuit

Knoxville, TN-based Tennessee Orthopaedic Clinics has agreed to settle a class action lawsuit that was filed in response to a March 2023 cyberattack and data breach that affected 46,679 individuals. The information exposed included names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information.

The affected individuals were notified about the breach in early May, and a class action lawsuit was rapidly filed that claimed Tennessee Orthopaedic Clinics was negligent by failing to implement reasonable and appropriate cybersecurity measures. According to the lawsuit, the data breach could have been prevented if those measures had been implemented. Tennessee Orthopaedic Clinics chose to settle the lawsuit with no admission of wrongdoing to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals who were notified about the data breach may submit claims for ordinary expenses such as communication charges, credit expenses, bank fees, and lost time (max 3 hours at $20 per hour) up to a maximum of $1,500.

Claims of up to $4,000 may also be submitted for documented extraordinary expenses such as losses due to fraud or identity theft between March 20, 2023, and April 8, 2024, provided the claimant made reasonable efforts to avoid those losses and those losses have not already been reimbursed. All class members are also entitled to two years of single bureau credit monitoring and identity theft protection services. The deadline for exclusion or objection to the settlement has passed, and the final approval hearing was scheduled for March 14, 2024. Class members wishing to submit claims must do so by April 8, 2024.


Valley Oaks Health Reports 50,000-Record Data Breach

Cyberattacks and data breaches have been reported by Valley Oaks Health and Sycamore Rehabilitation Services in Indiana, Plymouth Tube Company in Illinois, and Weirton Medical Center in West Virginia.

Valley Oaks Health, Indiana

Valley Oaks Health in Niles, IL, has recently notified 50,352 individuals about a breach of its network environment. Unauthorized individuals gained access to parts of its network between June 8, 2023, and June 13, 2023. Its network was secured, and third-party cybersecurity experts were engaged to assist with the investigation and confirmed that files containing patient data had been exposed and may have been stolen.

The forensic investigation and document review were completed on February 2, 2024. The breach notice sent to the Maine Attorney General has the specific types of compromised data redacted but the notice confirmed that names have been exposed along with Social Security numbers. Consumer notifications were mailed on March 18, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Weirton Medical Center, West Virginia

Weirton Medical Center in West Virginia identified suspicious activity within its computer network on January 18, 2024. Systems were immediately secured, and third-party cybersecurity experts were engaged to investigate the breach and determined there had been unauthorized access to the network between January 14, 2024, and January 18, 2024, and files were copied from its systems.

The information involved varied from individual to individual and may have included one or more of the following: name, Social Security number, date of birth, medical information, health insurance information, treatment information, and the balance due on medical bills. While files were confirmed as having been removed from the network, Weirton Medical Center is unaware of any misuse of patient data. Weirton Medical Center said strict security measures were already in place and they have been augmented to prevent similar incidents in the future. Notification letters were sent to the affected individuals on March 18, 2024. The incident has been reported to the HHS’ Office for Civil Rights as affecting 26,793 individuals.

Sycamore Rehabilitation Services, Indiana

Sycamore Rehabilitation Services, Inc. in Danville, IL, has reported a breach of its email system and the exposure of the personal data of 3,414 individuals. The breach was detected on September 21, 2023, with the forensic investigation confirming there had been unauthorized access to its network between July 29, 2023, and August 9, 2023. During that time, there may have been unauthorized access to names, dates of birth, Social Security numbers, driver’s license/state identification numbers, account numbers, routing numbers, medical information, and health insurance information. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services said it had implemented security measures prior to the breach. Multi-factor authentication was enabled on all email accounts, a VPN was required for access to internal resources from outside the organization, critical patches were applied each month, email security solutions were in place, all endpoints were protected with SentinelOne anti-virus, Azure PowerShell access was off by default, and POP/IMAP was disabled by default. Those measures have now been augmented with Proofpoint email scanning and security, Breach Secure Now phishing testing, and Duo MFA on VPN accounts.

The affected individuals were notified by mail on March 1, 2024, and have been offered complimentary credit monitoring and identity theft protection services. Sycamore Rehabilitation Services said the delay in issuing notifications was due to the time taken to investigate the breach and identify the affected individuals.

Plymouth Tube Company, Illinois

Plymouth Tube Company in Warrenville, IL, has identified unauthorized access to its computer network. The forensic investigation confirmed that there was unauthorized access between January 27, 2024, and January 29, 2024, and during that time, the unauthorized actor accessed or acquired files on its servers which included files that contained employee benefit plan data.

The review of the affected files confirmed that 2,652 current and former employees and their dependents had been affected and had one or more of the following compromised: name, date of birth, Social Security number, driver’s license number, and plan information. The affected individuals were notified on March 13, 2024, and complimentary credit monitoring and identity theft protection services have been made available.


OCR Updates Guidance on the Use of Online Tracking Technologies by HIPAA Regulated Entities

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued updated guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is intended to provide greater clarity for HIPAA-regulated entities on the use of these technologies. OCR has not changed its position on the use of these technologies or how HIPAA applies.

Why OCR Issued Guidance on Online Tracking Technologies

OCR first issued the guidance in December 2022 after research into the use of these technologies revealed that most U.S. hospitals had added these technologies on their websites, which transmit user data to third parties such as Meta (Facebook), Google, and others. A variety of user data is collected and transmitted about users’ interactions on websites and apps, and some of that data can include protected health information.

The initial guidance explained that these technologies could not be used by HIPAA-regulated entities unless there was a business associate agreement in place with the provider of the technologies and the disclosures of protected health information are permitted by the HIPAA Privacy Rule. Alternatively, consent must be obtained from individuals before the information is transmitted to third parties. OCR has previously stated that non-compliant use of online tracking technologies is an enforcement priority, and in July 2023, OCR and the Federal Trade Commission (FTC) sent warning letters to around 130 hospitals and telehealth providers about the risks of using these technologies and the potential for impermissible disclosures of PHI.

OCR Sued Over its Tracking Technology Guidance

Since the providers of these technologies typically do not sign business associate agreements with HIPAA-regulated entities, and obtaining consent from individuals is costly and challenging, these technologies generally cannot be used by HIPAA-regulated entities without risking a violation of the HIPAA Rules. The American Hospital Association (AHA) urged OCR to reconsider its guidance, and when OCR failed to do so, AHA filed a lawsuit challenging the legality of the guidance. The AHA maintains that these technologies are critical to the function of websites, and that prohibiting their use ultimately harms healthcare providers and patients. Further, while HIPAA-regulated entities were not permitted to use these technologies, the code remained on many government websites, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites.

Online Tracking Technology Guidance Updated to Clear up Confusion

OCR’s updated guidance provides a general overview of how the HIPAA Rules apply to the use of tracking technologies and includes additional examples of when the code can and cannot be used, tips for complying with HIPAA, and OCR’s enforcement priorities regarding online tracking technologies. In the updated guidance, OCR stressed that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” Protected health information is information that relates to the past, present, or future health, health care, or payment for health care, that has identifiers that link that information to an individual or allow that individual to be identified. If any of that information is collected on a web page, the technologies cannot be used without a business associate agreement with the provider of the code and the disclosures must be permitted by the HIPAA Privacy Rule, or consent must be obtained from individuals. Consent cannot be obtained by including information about these disclosures in the Notice of Privacy Practices, via a pop-up on the websites or banner stating that use of the site may involve the disclosure of health information to a third party, or by asking a user to either accept or reject cookies. A valid HIPAA authorization is required.

OCR suggests that if a vendor will not sign a BAA covering the use of the code, then a different vendor should be found that will sign a BAA. Alternatively, a customer data platform vendor could be used, which de-identifies the PHI before the information is sent to a third party. It is not permitted to transfer PHI to a vendor without a BAA even if the vendor claims that they will strip out any identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages such as patient portals; however, there is the potential for PHI to be disclosed on unauthenticated web pages. For instance, on an appointment booking page that collects no health information, if the user enters their email address and that information is transmitted to a third party, that would be classed as an impermissible disclosure of PHI.
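The appointment-booking scenario above is easy to reason about but hard to spot in a live site, because the disclosure happens in outbound requests the page makes on the visitor's behalf. The following is an added example, not code from the article or from OCR, of the kind of audit a regulated entity's web team could run over the resource URLs a page loads: it flags requests to hosts other than the first-party origin, marks hosts that belong to well-known tracking vendors (the vendor hostnames listed are real; the list is not exhaustive), and reports any identifier such as an email address carried in the request. The page URL, the beacon URLs, and the `IDENTIFIER_PARAMS` list are constructed sample inputs and assumptions, not values taken from any real site or from the guidance.

```javascript
// Added example (not from the HIPAA Journal article or OCR's guidance).
// Classifies the outbound resource URLs a web page loads. A request to a host
// outside the first-party origin is a candidate tracking technology; if it
// also carries an identifier such as an email address, that is the kind of
// disclosure the guidance treats as impermissible unless a BAA is in place.

// Real vendor hostnames for tag managers, analytics and pixels (not exhaustive).
const KNOWN_TRACKER_HOSTS = new Set([
  "connect.facebook.net",
  "www.facebook.com",
  "www.google-analytics.com",
  "www.googletagmanager.com",
]);

// Assumed query-parameter names that commonly carry identifiers worth review.
const IDENTIFIER_PARAMS = ["email", "em", "phone", "ph", "mrn", "dob"];
// Loose pattern for an email address appearing as a parameter value.
const EMAIL_RE = /[^@\s/?&=]+@[^@\s/?&=]+\.[^@\s/?&=]+/;

// Audit one resource URL loaded by the page at pageUrl.
// hasBaa: whether a business associate agreement exists with the vendor.
function auditResource(pageUrl, resourceUrl, hasBaa) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // resolves relative URLs
  const thirdParty = res.host !== page.host;
  const knownTracker = KNOWN_TRACKER_HOSTS.has(res.host);

  // Identifiers may be passed as named parameters or embedded in a value.
  const identifiers = [];
  for (const [key, value] of res.searchParams) {
    if (IDENTIFIER_PARAMS.includes(key.toLowerCase()) && value) {
      identifiers.push(key);
    } else if (EMAIL_RE.test(value)) {
      identifiers.push(key);
    }
  }

  let finding = "first-party";
  if (thirdParty) {
    if (identifiers.length > 0 && !hasBaa) {
      finding = "potential-impermissible-disclosure";
    } else if (knownTracker) {
      finding = hasBaa ? "tracker-with-baa" : "tracker-review-required";
    } else {
      finding = "third-party";
    }
  }
  return { host: res.host, thirdParty, knownTracker, identifiers, finding };
}

// Audit every resource URL a page loads; returns one finding per URL.
function auditPage(pageUrl, resourceUrls, hasBaa = false) {
  return resourceUrls.map((u) => auditResource(pageUrl, u, hasBaa));
}

// Constructed sample: an appointment-booking page that loads a first-party
// script, a tag-manager script, and an analytics beacon echoing the visitor's
// email address. None of these values come from a real site.
const SAMPLE_PAGE = "https://clinic.example/appointments/book";
const SAMPLE_RESOURCES = [
  "/static/app.js",
  "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
  "https://www.google-analytics.com/collect?v=1" +
    "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Fbook" +
    "&email=jane%40example.org",
];

for (const f of auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES)) {
  console.log(`${f.host}: ${f.finding}` +
    (f.identifiers.length ? ` (identifiers: ${f.identifiers.join(", ")})` : ""));
}
```

Run with Node, the audit reports the first-party script as clean, the tag-manager load as a tracker needing review, and the analytics beacon as a potential impermissible disclosure because it carries the `email` parameter without a BAA. In a real review the resource list would come from the browser's network log or a crawler rather than a hard-coded array, and the finding for a known tracker only resolves to "acceptable" once the entity has confirmed a signed BAA and that the disclosures are permitted under the Privacy Rule.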

For some web pages, the nature of the visit determines whether HIPAA applies. For instance, if a student is searching for information on oncology services when researching the availability of those services pre- and post-pandemic, the collection and transmission of their IP address and other personally identifiable information to a third party without a BAA is not a HIPAA violation, as HIPAA does not apply as there is no PHI involved. If a patient is visiting the same pages to get a second opinion about their diagnosis or cancer treatment, the transmission of the same data would be a HIPAA violation without a BAA, as that information would be classed as PHI. Other examples have been added to the guidance to make it clear when HIPAA applies and when it does not.

OCR explained its enforcement priorities with respect to online tracking technologies and said it is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. “OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI,” explained OCR in the guidance. “OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.”
