U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit
US Fertility LLC, the operator of more than 100 fertility clinics across the United States, has proposed a $5.75 million settlement to resolve a class action lawsuit that was filed in response to a data breach that exposed the data of around 900,000 patients.
U.S. Fertility announced in November 2020 that hackers had gained access to its network and deployed ransomware that rendered certain systems inaccessible. The intrusion was detected on September 14, 2020, but the hackers had first gained access on August 12, 2020, giving them roughly a month of undetected access. Before encrypting files, they exfiltrated sensitive patient data including names, addresses, dates of birth, master patient index (MPI) numbers, Social Security numbers, medical information, and financial information.
A class action lawsuit was filed that alleged U.S. Fertility was negligent in failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient data from unauthorized access, and that, had those measures been implemented, the breach could have been prevented or its severity greatly reduced. U.S. Fertility maintains there was no wrongdoing but decided to settle the lawsuit.
Under the settlement terms, all class members are entitled to a $50 cash payment. Class members whose data was stolen from a California clinic will be entitled to claim an additional cash payment of $200. Claims may also be submitted for up to 4 hours of lost time at $25 per hour, and unreimbursed out-of-pocket losses can be claimed and will be paid up to a maximum of $15,000 per claimant. Claims for reimbursement of losses must be supported by documentation such as receipts, account statements, IRS documents, police reports, FTC reports, or professional invoices. The cash payments may be reduced and paid pro rata depending on the number of claims submitted.
Individuals who wish to object to the settlement or exclude themselves have until February 20, 2024, to do so. All claims must be submitted by March 19, 2024. The final settlement hearing has been scheduled for April 18, 2024.
The post U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.
Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.
As in the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals, whereas Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.
Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center: a patient’s protected health information had been stolen by an employee. An investigation was launched which revealed that the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold it to identity thieves. The former employee had been accessing the records without authorization for 6 months, from January 1, 2013, through June 30, 2013.
Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; had failed to implement procedures to review records of activity in information systems; and had failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems. Without such records and reviews, six months of bulk access to 12,517 records by a single employee went unnoticed until law enforcement reported it.
The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020; the employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The medical center has since implemented a system to monitor patient records for unauthorized access by employees.
Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:
- Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
- Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
- Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
- Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
- Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.
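The audit-control and activity-review failures cited by OCR, and the corrective action item above requiring mechanisms that record and examine activity in systems holding ePHI, come down to a concrete question: does anyone look at the access log for a user who opens far more charts than their peers, or charts of patients they have no care relationship with? The following is an added example, not code from HIPAA Journal, OCR or Montefiore, of a minimal review run over constructed audit lines. The log format (timestamp, user, role, unit, patient, patient unit, documented reason), the field names, the sample records and the thresholds are all assumptions for illustration; a real EHR exports different fields and a baseline would be built from weeks of history rather than a single day.

```python
"""Minimal information-system activity review over EHR chart-access audit logs.

Two checks that a record-and-examine control would run:
  1. volume_alerts: a user opening many more distinct charts in a day than
     peers in the same role (the pattern behind bulk insider theft);
  2. relationship_alerts: chart opened for a patient outside the user's own
     unit with no documented care or billing reason.
Log format, fields, sample data and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample audit lines (not real data):
# timestamp user role unit patient patient_unit reason
SAMPLE_LOG = """\
2013-01-02T08:05:11 u101 nurse CARD P0001 CARD treatment
2013-01-02T08:09:40 u101 nurse CARD P0002 CARD treatment
2013-01-02T08:15:02 u101 nurse CARD P0003 CARD treatment
2013-01-02T08:20:33 u102 nurse CARD P0004 CARD treatment
2013-01-02T08:31:19 u102 nurse CARD P0005 CARD treatment
2013-01-02T12:44:07 u102 nurse CARD P0020 ONC none
2013-01-02T09:00:00 u103 clerk BILL P0001 CARD billing
2013-01-02T09:00:03 u103 clerk BILL P0006 ONC none
2013-01-02T09:00:06 u103 clerk BILL P0007 ONC none
2013-01-02T09:00:09 u103 clerk BILL P0008 NEU none
2013-01-02T09:00:12 u103 clerk BILL P0009 NEU none
2013-01-02T09:00:15 u103 clerk BILL P0010 ONC none
2013-01-02T09:00:18 u103 clerk BILL P0011 NEU none
2013-01-02T09:00:21 u103 clerk BILL P0012 ONC none
2013-01-02T09:00:24 u103 clerk BILL P0013 NEU none
2013-01-02T10:15:00 u104 clerk BILL P0002 CARD billing
2013-01-02T10:20:00 u104 clerk BILL P0004 CARD billing
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    unit: str
    patient: str
    patient_unit: str
    reason: str


def parse_log(text: str) -> list[Access]:
    """Parse the assumed whitespace-separated audit format; skips blanks and comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, unit, patient, punit, reason = line.split()
        out.append(Access(datetime.fromisoformat(ts), user, role, unit, patient, punit, reason))
    return out


def distinct_patients_per_user_day(accesses: list[Access]) -> dict:
    """(user, date) -> number of distinct charts opened that day."""
    seen = defaultdict(set)
    for a in accesses:
        seen[(a.user, a.ts.date())].add(a.patient)
    return {k: len(v) for k, v in seen.items()}


def volume_alerts(accesses: list[Access], factor: float = 3.0, floor: int = 5) -> list:
    """Flag (user, day, count, peer_median) when count >= floor and exceeds
    factor x the median of same-role peers on the same day. With no peers the
    baseline is 0, so any day at or above the floor is flagged."""
    counts = distinct_patients_per_user_day(accesses)
    role_of = {a.user: a.role for a in accesses}
    alerts = []
    for (user, day), n in counts.items():
        peers = [c for (u, d), c in counts.items()
                 if d == day and u != user and role_of[u] == role_of[user]]
        baseline = median(peers) if peers else 0
        if n >= floor and n > factor * baseline:
            alerts.append((user, day, n, baseline))
    return sorted(alerts)


def relationship_alerts(accesses: list[Access],
                        allowed_reasons=("treatment", "billing", "referral")) -> list[Access]:
    """Flag chart opens for patients outside the user's unit with no accepted reason."""
    return [a for a in accesses if a.patient_unit != a.unit and a.reason not in allowed_reasons]


if __name__ == "__main__":
    accesses = parse_log(SAMPLE_LOG)
    for user, day, n, base in volume_alerts(accesses):
        print(f"VOLUME  {user} {day}: {n} distinct charts (peer median {base})")
    for a in relationship_alerts(accesses):
        print(f"NO-REL  {a.ts} {a.user} ({a.unit}) opened {a.patient} ({a.patient_unit}) reason={a.reason}")
```

On the constructed data the volume check flags only u103, who opened nine charts against a peer median of two, while the relationship check also catches the single off-unit open by u102 that no volume threshold would notice. The two checks are deliberately independent: an insider copying records slowly enough to stay under a volume threshold still leaves a trail of accesses with no care relationship, which is why both the record-and-examine mechanism and the periodic review of its output are separate Security Rule requirements.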
OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”
In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.