LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution

Posted by Steve Alder

An affiliate of the notorious LockBit ransomware group has been sentenced in Canada to almost four years in jail and has been ordered to pay more than $860,000 in restitution. Mikhail Vasiliev, 34, is a Russian-Canadian national who was born in Moscow and moved to Canada more than 20 years ago. During the COVID-19 pandemic, Vasiliev became an affiliate of the LockBit ransomware operation, one of the most prolific ransomware-as-a-service groups over the past few years. Around 18 months ago, Vasiliev was arrested following a raid of his home in Bradford, Ontario. The search of his property uncovered a list of prospective and historical victims, instructions on how to deploy LockBit ransomware, the source code of the ransomware, the control panel used to deliver the ransomware, and screenshots of conversations with a core member of the LockBit Group – LockBitSupp – on the Tox messaging platform.

Vasiliev admitted to being an affiliate of the LockBit group between 2021 and 2022 and having conducted attacks on businesses in Saskatchewan, Montreal, and Newfoundland, from whom he stole data, encrypted files, and demanded ransom payments. Vasiliev pleaded guilty to eight counts, including cyber extortion, mischief, and weapons charges. Vasiliev has also been under investigation by law enforcement in the United States for around two years, and last month, the U.S. Department of Justice charged Vasiliev with conspiracy to intentionally damage protected computers and to transmit ransom demands. Vasiliev has consented to extradition to the United States and his extradition is pending. If convicted in the United States, Vasiliev faces a maximum sentence of five years in jail. The DOJ also announced charges against four other individuals suspected of working with the LockBit group.

The LockBit group is alleged to have conducted over 2,000 ransomware attacks in the United States alone and generated more than $144 million in ransom payments in its four years of operation. Several healthcare organizations have fallen victim to LockBit ransomware attacks including Capital Health in New Jersey, Saint Anthony Hospital in Chicago, and Varian Medical Systems in California. In February 2024, the group’s infrastructure was seized as part of an international law enforcement operation, and three individuals suspected of involvement with the operation were arrested in Poland and Ukraine. A few days later, the U.S. State Department announced rewards of up to $15 million for information about the leaders of the group and any information that could lead to the arrest of any individual who participated in the LockBit operation. The LockBit group restored its data leak site within a week of the takedown, set up new infrastructure, and started listing new victims on its data leak site.

The post LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution appeared first on HIPAA Journal.

HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds

Posted by Steve Alder

Audits conducted by the Department of Health and Human Services Office of Inspector General (HHS-OIG) of states that claim Medicaid school-based costs with the assistance of contractors have revealed some states have claimed unallowable federal funds due to their contractors improperly conducting random moment time studies (RMTSs). Pennsylvania is the latest state to be audited by HHS-OIG, which found that approximately $590 million was claimed in federal Medicaid payments for school-based services between July 1, 2015, and June 30, 2019, $551.4 million of which was improperly claimed.

For the audit, HHS-OIG reviewed a stratified random sample of 310 random moments, each of which was coded as a health service or administrative activity. HHS-OIG also looked at the methods Pennsylvania used to allocate health services costs to Medicaid.

Based on the sample, HHS-OIG estimated that Pennsylvania claimed $182.5 million in unallowable Federal funds because it did not support that all moments used in RMTSs and coded as Medicaid-eligible were actually for Medicaid-eligible health services or Medicaid administrative activities. Pennsylvania also improperly claimed $368.9 million when it used unsupported ratios to allocate costs to Medicaid. The RMTSs conducted by contractors for Pennsylvania did not cover all days worked by staff members because they were not conducted for the first month of the school year.

HHS-OIG said that the improper claims were due to complex cost allocation methods that were developed by the state and its contractor which were difficult or impractical to support with documentation, or that CMS guidance was not followed. HHS-OIG recommended that the state refund the $182.5 million as these funds were used for unsupported Medicaid-eligible health services and Medicaid administrative activities. HHS-OIG also recommended that the state either support or refund the $368.9 million, as these funds were claimed using an unsupported cost allocation method. HHS-OIG also provided guidance to the state to help with the preparation of accurate and supportable claims.

Pennsylvania agreed with the guidance but disagreed with the monetary and procedural recommendations, specifically disagreeing with the HHS-OIG finding that the moments were not supported as Medicaid-eligible. Pennsylvania claimed that it was not required to provide documentation other than what RMTS participants provided and that it was not responsible for ensuring that all service providers were appropriately licensed. Pennsylvania also claimed that the ratios it used for allocating costs to Medicaid are accurate.

The post HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds appeared first on HIPAA Journal.

What is an HHS OIG Compliance Program?

Posted by Steve Alder

An HHS OIG compliance program consists of best practices that should be included in an integrated healthcare compliance program to avoid violating fraud and abuse laws enforced by the Department of Health and Human Service (HHS) Office of Inspector General (OIG). Adding HHS OIG compliance best practices to an integrated program not only helps avoid penalties for HHS OIG compliance failures, but may also improve compliance with the integrated program.

Integrated healthcare compliance programs are programs that combine some or all applicable healthcare rules, regulations, and standards into a single compliance program. For example, a healthcare facility might combine CMS’ Emergency Preparedness Rule (81 FR 63860) with OSHA’s Emergency Planning Regulation (§1910.38) and HIPAA’s Contingency Plan Standard (§164.308(a)(7)) to comply with all three requirements via a single activity.

Although integrated healthcare compliance programs can be complicated to develop and keep up to date, they have multiple benefits. In addition to reducing the compliance burden (for example, by reducing the three compliance requirements above to just one), it is also simpler to train workforce members on one integrated compliance program – which has the secondary benefit of simultaneously complying with the CMS, OSHA, and HIPAA training requirements.

What Does an HHS OIG Compliance Program Consist Of?

There is no one-size-fits-all HHS OIG compliance program because some healthcare facilities might not conduct all the activities covered by fraud and abuse laws, while other healthcare facilities might outsource some activities to a third party (i.e., claims and billing) – in which case the third party is liable for compliance violations. However, there are five main fraud and abuse laws most healthcare organizations have to consider in an HHS OIG compliance program:

The False Claims Act

The False Claims Act protects the government from being overcharged for goods or services. In the context of an HHS OIG compliance program, it is a violation of the False Claims Act to submit claims for payment to Medicare, Medicaid, or any other HHS program that a healthcare facility knew – or should have known – were fraudulent. For this reason, it is important to monitor claims and billing activities – even when these activities are outsourced to a third party.

The penalties for violations of the False Claims Act vary depending on whether HHS OIG considers violations to be civil or criminal offenses. HHS OIG has the authority to impose fines of up to $27,894 per civil violation (March 2024) and up to three times the amount falsely claimed from HHS programs. Criminal violations are referred to the Department of Justice, who can pursue fines of up to $500,000 per violation and jail terms of up to five years per violation.

The Anti-Kickback Regulations

In addition to an HHS OIG compliance program consisting of measures to prevent fraudulent billing events, a program should also include measures to prohibit the receipt of – or payment for – kickbacks to induce referrals for items and services reimbursable by an HHS program. HHS OIG considers kickbacks to not only be monetary, but also “in-kind remunerations” such as cost-sharing waivers, shares, subsidies, free items, space, equipment, and services.

The important thing for healthcare facilities to be aware of with regards to the anti-kickback regulations is that both parties involved in a kickback transaction can be found guilty of a violation (i.e., the payer and the recipient of the kickback). In addition, as with violations of the False Claims Act, the penalties for violating the anti-kickback regulations can be criminal and civil – although in this case, the maximum criminal fine is $100,000 per violation.

The Stark Law

The Stark Law, also known as the Physician Self-Referral Law, prohibits physicians from referring patients to receive “designated health services” when the physician or an immediate family member has a financial interest in the designated health service. It is important to be aware the term designated health services not only relates to the provision of treatment, but can also refer to the provision of therapy, medical items, and outpatient prescription drugs.

Both the physician that violated the Law and the health service that benefitted from the violation are considered liable for the violation by HHS OIG. Self-referring physicians can be fined up to $15,000 per violation (or up to $100,000 if the violation is considered an attempt to circumnavigate a criminal anti-kickback regulation), while the health service will have to refund up to three times the amount of any payments received from an HHS healthcare program.

The Exclusion Statute

The Exclusion Statute requires HHS OIG to exclude individuals and organizations from participating in HHS programs if they are found guilty of Medicare or Medicaid fraud, patient abuse or neglect, intentionally violating the anti-kickback regulations, or unlawfully manufacturing, distributing, prescribing, or dispensing controlled substances. HHS OIG also has the discretionary authority to exclude individuals and organizations for misdemeanors.

Being excluded from participating in HHS programs not only means they cannot bill HHS directly. It also means they cannot bill HHS indirectly by providing goods or services via a third party healthcare facility. To make it harder to circumnavigate the Statute, third party healthcare facilities are prohibited from – and can be fined for – contracting goods or services from an individual or organization that appears on the HHS OIG Exclusions List.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

EMTALA requires healthcare facilities that participate in HHS programs to conduct a medical screening examination on any individual requesting emergency care. If the examination identifies an emergency medical condition, the facility must stabilize the individual and provide treatment until the emergency medical condition is resolved. If the facility does not have the capability to treat the individual, it must transfer the individual to a facility that can provide treatment.

Healthcare facilities that fail to conduct a medical screening examination, or who fail to accept an individual transferred from another healthcare facility for emergency treatment, can be fined up to $129,233 and added to the HHS OIG Exclusions List. Individuals to whom a screening or treatment is denied can also take civil action in some states, whereas in other states conditions may apply with regards to the provision of emergency labor and psychiatric treatments.

What are HHS OIG Compliance Best Practices?

Similar to an HHS OIG compliance program, there are no one-size-fits-all HHS OIG compliance  best practices. In order to determine what HHS OIG compliance best practices should be included in a compliance program – whether an integrated compliance program or not – healthcare facilities should assess their exposure to violations of all applicable fraud and abuse laws, and develop policies and procedures to mitigate the risk of a violation occurring.

Recommendations for assessing the risk of an HHS OIG violation include auditing HHS claims and billing processes – even when outsourced to a third party – in order to identify potential vulnerabilities, irregularities, or opportunities for fraud. There is HHS OIG-issued software that can help with the audit process, but smaller healthcare facilities might find it quicker to conduct an audit manually, rather than work out how to use the software on smaller data sets.

One of the most important HHS OIG compliance best practices that all healthcare providers should integrate into a compliance plan is an HHS OIG Background Check. Policies should be put in place to check the HHS OIG Exclusions List before any new hire or supplier is engaged, while procedures should exist to periodically recheck the Exclusions List due to the length of time it can take for an individual or organization under investigation to be added to the Exclusions List.

With regards to EMTALA, it is a best practice for qualifying healthcare facilities to train members of the workforce on what medical conditions qualify for mandatory emergency screening and/or treatment, and when exceptions apply – either due to location, medical discipline, or the professional affiliation of healthcare workers. EMTALA can have several gray areas, so it may be important HHS OIG compliance best practices are enforced when EMTALA is applicable.

The Benefits of HHS OIG Compliance Risk Management

The benefits of HHS OIG compliance risk management are that healthcare facilities mitigate the risk of an HHS OIG violation – reducing the chance of a fine, criminal conviction, or private action by an individual that has been denied emergency care. Even when these consequences of an HHS OIG violation do not happen, healthcare facilities may be required to comply with a Corporate Integrity Agreement – which can be costly to comply with as well as being disruptive.

However, HHS OIG compliance risk management does not have to be particularly complicated. It has already been demonstrated how combining multiple compliance requirements into one integrated healthcare compliance program can reduce the compliance burden and help healthcare facilities save time and money – and adding HHS OIG compliance best practices to an existing integrated healthcare compliance program should be equally as beneficial.

For example, most Medicare Part D and Medicare Advantage providers already have to conduct claims and billing audits as a condition of participation in Medicare. Similarly, most states have laws that require healthcare facilities to conduct Level 2 background checks on new employees (i.e., professional license verification, sex offenders list, etc.) – so adding one more background check (the HHS OIG Exclusions List) is barely going to increase the compliance burden.

Healthcare facilities that are unsure about which fraud and abuse laws apply to their activities (including outsourced activities) and how to comply with them – or when exceptions apply to certain activities under the Safe Harbor regulations – should contact HHS OIG for advice. Alternatively – or to find out more about developing an integrated healthcare compliance program – healthcare facilities can seek independent advice from a compliance professional.

The post What is an HHS OIG Compliance Program? appeared first on HIPAA Journal.

Humana Reports Mailing Errors Affecting More than 10,000 Members

Posted by Steve Alder

Three mailing error incidents have resulted in the impermissible disclosure of the PHI of more than 10,000 Humana members. Data breaches have also recently occurred at KMJ Health Solutions, Jewish Home Lifecare, and Lake of the Woods County Social Services.

Insurance ACE/Humana Inc.

The Kentucky-based health insurance provider Humana Inc. has recently disclosed three separate mailing error incidents that have resulted in the impermissible disclosure of the protected health information of 10,688 of its members. On December 8, 2023, a programming error resulted in Explanation of Payment documents intended for providers being sent to an incorrect address. The documents included first and last names, Humana ID numbers, provider names, dates of service, and claim payment information.

On December 14, 2023, large print/braille health plan communications were mailed to incorrect recipients. An error was made when fixing an unrelated coding issue that added a date/time stamp to the naming convention, which was not a unique identifier. As a result, the system began overwriting files as duplicates, which resulted in members receiving another member’s letter. The information impermissibly disclosed included first and last names, addresses, Humana ID numbers, provider names, dates of service, claim payment information, prescription medication information, and copay and premium information.

On January 12, 2024, Humana’s printing vendor in Louisiana, Broadridge Output Solutions, Inc., experienced a printing error that caused explanation of benefits information of Humana members to be printed on the reverse of other members’ statements. The information impermissibly disclosed included names, claim information, provider name, gender, copay information, deductible and coinsurance information. Humana said all of the errors have been rectified and it is unaware of any misuse of members’ information.

KMJ Health Solutions

KMJ Health Solutions, a Michigan-based provider of online signout and charge capture systems, has reported a breach of the protected health information of 2,191 individuals. On November 19, 2023, KMJ Health Solutions identified unauthorized access to the server that hosts its eDocList system. The attacker used ransomware to encrypt files and may have obtained the data of some of its clients. The threat actor first gained access to the server on July 1, 2023. KMJ Health Solutions notified the affected clients on or around January 11, 2024.

One of the affected clients was Saint Joseph’s Medical Center in New York. The information potentially compromised included names, dates of birth, medical record numbers, diagnoses, laboratory results, dates of service, provider names, medications, and/or treatment information. Saint Joseph’s sent notifications to the affected individuals on March 4, 2024, and has confirmed that it no longer uses KNJ Health Solutions. When business associates experience data breaches, notifications may be issued by the business associate, their covered entity clients, or a combination of the two. It is therefore unclear at this stage how many individuals in total have been affected.

Jewish Home Lifecare

Jewish Home Lifecare, Inc., a New York senior health care system, identified unusual activity in its computer systems on January 7, 2023, and assisted by computer forensics experts, determined that there had been unauthorized access to its systems and the hackers potentially viewed or obtained patient data. The information exposed included names, addresses, dates of birth, Social Security numbers, payment card information, financial account information, passport numbers, medical record information, and medical treatment information. Jewish Home Lifecare has reported the incident to the HHS Office for Civil Rights as affecting 501 individuals. 501 is a placeholder often used to meet breach reporting requirements when the total number of affected individuals has yet to be confirmed.

Lake of the Woods County Social Services

Lake of the Woods County Social Services in Minnesota has reported a data breach that has affected individuals served by the County Social Services Department and their household members. On November 14, 2023, the County’s cybersecurity solutions detected and blocked a ransomware attack. While file encryption was prevented, the forensic investigation confirmed there was unauthorized access to its systems between November 14 and November 15, 2023, and data was stolen in the attack.

A ransom demand was received, but the County refused to pay to have the stolen data deleted, consistent with the advice of the FBI. Some of the stolen data was subsequently posted on the dark web. The information compromised in the attack included the following: Name, in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account information, payment card information, information related to medical condition, treatment or diagnosis, medications, names of healthcare providers, information related to services individuals received from the County Social Services Department, such as locations of service, dates of service, client identification number or unique identifiers related to services provided to you, insurance identification number, and/or insurance information. For a limited number of individuals, the data included mental health reports and/or username(s) and password(s) used to access online accounts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 537 individuals.

The post Humana Reports Mailing Errors Affecting More than 10,000 Members appeared first on HIPAA Journal.

HHS-OIG Agrees $49,000 Settlement with North Carolina Hospital to Resolve Alleged EMTALA Violation

Posted by Steve Alder

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to a settlement with UNC Health Chatham Hospital that resolves an alleged violation of the Emergency Medical Treatment and Labor Act (EMTALA).

EMTALA was enacted in 1986 to ensure public access to emergency services regardless of an individual’s ability to pay, and EMTALA applies to all hospitals that offer emergency services through a dedicated department. There are also specific obligations for hospitals that participate in Medicare that offer emergency services, including the requirement to provide a medical screening examination (MSE) when a request is made for examination or treatment for an emergency medical condition.

On January 16, 2022, a 62-year-old patient presented to Chatham’s Emergency Department (ED) via emergency medical services (EMS). Before arriving at the hospital, EMS called in a report about the patient’s condition to the ED and was told that a cardiologist was not available, and the ED could not manage the patient.

EMS proceeded to take the patient to Chatham’s ED and was met in the ambulance bay by a nursing employee, who spoke to the EMS staff and the ambulance left without the patient receiving an MSE. HHS-OIG determined that Chatham violated EMTALA by failing to provide an appropriate EMS, within the capabilities of its staff and facilities. Under the terms of the settlement, Chatham agreed to pay a $49,000 penalty.

The post HHS-OIG Agrees $49,000 Settlement with North Carolina Hospital to Resolve Alleged EMTALA Violation appeared first on HIPAA Journal.