ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement
ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation stemming from a 2021 ransomware attack that potentially resulted in the theft of the sensitive health data of up to 350,000 patients. The Marlborough, MA-based fertility testing laboratory, which is owned by Quest Diagnostics, had its network breached on August 8, 2021. The intrusion was detected on August 10 when ransomware was deployed. The forensic investigation confirmed that the parts of the network that the threat actors could access included files that contained sensitive health information.
The data exposed included names, addresses, phone numbers, email addresses, dates of birth, billing, and health information, such as CPT codes, diagnosis codes, test requisitions, and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians, and for a limited number of individuals, Social Security numbers, financial account numbers, driver’s license numbers, passport numbers, and/or credit card numbers.
While no evidence of data exfiltration was found, data theft could not be ruled out, so ReproSource notified approximately 350,000 individuals on October 21, 2023, and was promptly sued. Two class action lawsuits were consolidated into a single lawsuit as they made similar allegations – that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. The lawsuits alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.
The decision was taken to settle the litigation with no admission of wrongdoing. Under the terms of the settlement, class members may submit claims for up to $3,000 to cover out-of-pocket, unreimbursed losses that are reasonably traceable to the data breach, including up to 8 hours of lost time, three years of credit monitoring services, and a $1 million identity theft insurance policy. Alternatively, class members can claim a cash payment of $50. $1.25 million has been set aside to cover claims, which will be paid pro rata if that total is reached. Class members who were California residents at the time of the breach will be entitled to an additional $50 payment.
The consolidated lawsuit also sought injunctive relief, which included major upgrades to data security to prevent similar cyberattacks and data breaches in the future. The settlement also includes the requirement for ReproSource to make significant improvements to its information security program, including enhancing its monitoring and detection tools. The settlement will need to receive final approval from a Massachusetts judge.
The post ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement appeared first on HIPAA Journal.
What did the HIPAA Omnibus Rule Mandate?
The HIPAA Omnibus Rule mandated modifications to the Privacy, Security, and Enforcement Rules in order to adopt measures passed in the HITECH Act, finalized the Breach Notification Rule, and added standards to account for the passage of the GINA Act. The key provisions of the HIPAA Omnibus Rule were:
- Make business associates of covered entities directly liable for HIPAA compliance.
- Strengthen the limitations on uses and disclosures of Protected Health Information.
- Expand individuals’ rights to restrict disclosures of Protected Health Information.
- Expand individuals’ rights to request copies of their Protected Health Information.
- Require modifications to – and require redistribution of – Notices of Privacy Practices.
- Modify the authorization requirements for disclosures of Protected Health Information.
- The adoption of a four-tier civil monetary penalty structure for violations of HIPAA.
- The finalization of the Breach Notification Rule and the revised “harm” threshold.
- The addition of standards to account for the passage of the GINA Act 2008.
What was the HIPAA Omnibus Rule of January 2013?
The HIPAA Omnibus Rule of January 2013 comprised four Final Rules which were combined into one Omnibus Rule to reduce the impact of the changes and the number of times covered entities and business associates would need to undertake compliance activities. Although effective in March 2013, some of the changes were already in force due to Interim Rules having been issued following the passage of the HITECH Act in 2009.
For example, an Interim Rule to explain what information the Breach Notification Rule applied to was published in April 2009, followed by a further Interim Rule to implement the breach notification provisions of the HITECH Act in August 2009. The changes attributable to the Genetic Information Nondiscrimination Act (GINA) were published as a Proposed Rule in April 2009, while the proposed modifications to the Privacy, Security, and Enforcement Rules were published in July 2010.
Despite covered entities and business associates having up to four years to prepare for the changes mandated by the HIPAA Omnibus Rule – and despite the new categories of HIPAA violations to address violations attributable to reasons other than willful neglect – it appears few covered entities and business associates were ready for the Final Omnibus Rule of January 2013. OCR penalties for HIPAA violations doubled over the next five years and have further increased since.
What did the HIPAA Omnibus Rule Mandate in Greater Detail
It is worth noting that the HIPAA Omnibus Rule did not mandate all the modifications passed in the HITECH Act, and that there have been changes to the Privacy and Enforcement Rules since the publication of the HIPAA Omnibus Rule of 2013. One of the main provisions of the HITECH Act not mandated by the HIPAA Omnibus Rule was settlement sharing (which is still under discussion), while the Privacy Rule has been amended twice to accommodate other Acts, and the Enforcement Rule is amended every year to account for inflationary increases in the penalties for HIPAA violations.
To best explain exactly what the HIPAA Omnibus Rule mandated in 2013, we need to look at each of the modifications and finalizations individually:
Make business associates of covered entities directly liable for HIPAA compliance.
Prior to the HIPAA Omnibus Rule of 2013, if a business associate violated HIPAA, the covered entity to whom the business associate was providing a service would be liable for the violation, as business associates were considered agents of covered entities. By amending Subpart D of the General Rules and §164.500 of the Privacy Rule, business associates of covered entities – and subcontractors of business associates – became directly liable for their own HIPAA violations.
Strengthen the limitations on uses and disclosures of Protected Health Information.
The new limitations on uses and disclosures of Protected Health Information were themselves “limited”. Rather than making widespread changes to the Privacy Rule, the HIPAA Omnibus Rule only gave patients and plan members the right to opt out of fundraising communications and conditioned the sale of Protected Health Information (that is not de-identified) on an authorization signed by the individual who is the subject of the Protected Health Information or their personal representative.
Expand individuals’ rights to restrict disclosures of Protected Health Information.
Individuals already had the right to request restrictions on how their Protected Health Information is used and disclosed, but – prior to the Omnibus Rule – covered entities were not required to agree to the requests. A new clause in §164.522 required covered entities to agree to a request if the request related to withholding payment information from a health plan when an individual or a person on the individual’s behalf other than the health plan has paid for treatment or medical equipment.
Expand individuals’ rights to request copies of their Protected Health Information.
This change to the Privacy Rule required covered entities (and business associates where applicable) to provide electronic copies of Protected Health Information to individuals in the format requested by the individuals where the information was readily available in that format. The Rule change had a considerable amount of flexibility inasmuch as covered entities could offer to provide electronic information in alternate formats or via a hard copy if no suitable electronic format could be agreed.
Require modifications to – and require redistribution of – Notices of Privacy Practices.
The requirement to modify and redistribute Notices of Privacy Practices arose due to the strengthened limitations and the expansion of individuals’ rights being material changes to privacy practices. Although the requirement already existed (in §164.520(c)), the notes accompanying the Omnibus Rule explain how health plans and healthcare providers can comply with the redistribution requirement to avoid unnecessary costs and administrative processes.
Modify the authorization requirements for disclosures of Protected Health Information.
While the Omnibus Rule added the requirement to obtain an authorization prior to the sale of Protected Health Information, other events were removed from the list of uses and disclosures requiring prior authorization. These included seeking a parent’s authorization before disclosing a child’s immunization status to a school and seeking a personal representative’s authorization for the disclosure of Protected Health Information once an individual has been dead for fifty years.
The adoption of a four-tier civil monetary penalty structure for violations of HIPAA.
When HIPAA was passed in 1996, the penalties for violations of HIPAA were capped at $100 per violation up to a maximum of $25,000 per year. In addition, the penalties could only be issued if there was evidence of willful neglect to comply with HIPAA. The HITECH Act introduced a new four-tier penalty structure and increased the amount of civil monetary penalties that could be issued to $50,000 per violation up to a maximum of $1,500,000. The penalties have since further increased.
The finalization of the Breach Notification Rule and the revised “harm” threshold.
Although the Breach Notification Rule had been effective since 2009, the HIPAA Omnibus Rule of January 2013 added new standards to the Breach Notification Rule and amended existing standards in the Privacy and Security Rules to make it clear what constituted a breach and who was responsible for notifying it. Under the revised harm threshold, a covered entity that chose not to notify a breach to the affected individual and HHS’ Office for Civil Rights was required to prove that no harm was likely to occur as a result of the breach.
The addition of standards to account for the passage of the GINA Act 2008.
The Genetic Information Nondiscrimination Act of 2008 (GINA) made it an offence for health insurance companies and employers to discriminate against individuals based on genetic information. The HIPAA Omnibus Rule added genetic health information into the definition of Protected Health Information and expressly prohibited health plans from using or disclosing genetic information for underwriting purposes.
The Consequences of the HIPAA Omnibus Final Rule
The consequences of the changes mandated by the HIPAA Omnibus Final Rule were that individuals became more conscious of their HIPAA rights, that the scale of data breaches became more apparent, and that organizations began to take HIPAA compliance more seriously. However, more than ten years after the publication of the HIPAA Omnibus Final Rule of 2013, there is still a lot more that can be done to educate individuals about their rights, reduce data breaches, and improve compliance.
One of the concerns with regards to the lack of HIPAA compliance is that large scale changes to HIPAA are forecast over the next few years. Organizations that are not complying with HIPAA now will find it harder to comply with HIPAA in the future. This may not only result in financial penalties, but – according to HHS’ new Cybersecurity Strategy – could result in expulsion from Medicare and Medicaid programs for healthcare providers that fail to meet Cybersecurity Performance Goals.
Covered Entities and business associates that have failed to keep up with the changes mandated by the HIPAA Omnibus Final Rule of January 2013 are advised to assess their current privacy and security practices, implement measures to fill any gaps in compliance, and support the measures with comprehensive HIPAA training. Organizations unsure about any shortcomings in compliance or how to address them should seek professional HIPAA compliance advice.
HMG Healthcare Data Breach Affects 80,000 Individuals
HMG Healthcare, LLC, a Texas-based healthcare services provider, has recently confirmed that the protected health information of up to 80,000 individuals was exposed and potentially stolen in a cyberattack that was detected in November 2023.
A forensic investigation was launched after suspicious network activity was detected, which confirmed that unauthorized individuals first gained access to its network in August 2023. The investigation also confirmed that unencrypted files were copied, but it “was not feasible” to identify exactly what types of information were obtained by the hackers. It is unclear why that determination was made, such as whether there was insufficient logging or whether a comprehensive review would have proved too time-consuming and costly. HMG Healthcare said the files that were removed from its network likely contained information such as names, dates of birth, contact information, general health information, medical treatment information, Social Security numbers, and/or employment records.
The exact nature of the attack was not disclosed; however, HMG Healthcare did explain that it “worked diligently to ensure the stolen files were not further shared by the hackers,” which suggests that the hacking group behind the attack attempted to extort HMG Healthcare and payment was made to prevent the publication/sale of the stolen data. It is currently unclear which group was behind the attack.
The breach has affected employees and residents at 40 affiliated nursing facilities in Texas and Kansas:
- Accel at College Station
- Arbor Court Retirement Community at Alvamar (Independent Living)
- Arbor Court Retirement Community at Salina (Independent Living)
- Arbor Court Retirement Community at Topeka (Independent Living)
- Arbrook Plaza
- Cimarron Place Health & Rehabilitation Center
- Crowley Nursing and Rehabilitation
- Deerbrook Skilled Nursing & Rehab
- Forum Parkway Health & Rehabilitation
- Friendship Haven Healthcare & Rehab Center
- Green Oaks Nursing and Rehabilitation
- Gulf Pointe Plaza
- Gulf Pointe Village (Assisted Living Only)
- Harbor Lakes Nursing and Rehabilitation Center
- Hewitt Nursing and Rehabilitation
- Holland Lake Rehabilitation and Wellness Center
- Lone Star Rehabilitation and Wellness Center
- Methodist Transitional Care Center
- Mission Nursing and Rehabilitation Center
- Northgate Plaza (Legacy)
- Park Manor of BeeCave (Legacy)
- Park Manor of Conroe
- Park Manor of CyFair
- Park Manor of Cypress Station
- Park Manor of Humble
- Park Manor of Mckinney (Legacy)
- Park Manor of Quail Valley
- Park Manor of South Belt
- Park Manor of The Woodlands
- Park Manor of Tomball
- Park Manor of Westchase
- Pecan Bayou Nursing and Rehabilitation
- Red Oak Health and Rehabilitation Center
- Silver Spring Health & Rehabilitation Center
- Smoky Hill Health and Rehabilitation
- Stallings Court Nursing and Rehabilitation
- Stonegate Nursing and Rehabilitation
- Tanglewood Health and Rehabilitation
- Treviso Transitional Care
- Willowbrook Nursing Center
The substitute breach notice on the HMG Healthcare website advises the affected individuals to monitor their account statements and credit reports to identify any suspicious activity but makes no mention of credit monitoring and identity theft protection services being offered. HMG Healthcare said it has increased its data security protocols to prevent similar cyberattacks and data breaches in the future.
Is Google Pay HIPAA Compliant?
Google Pay is not HIPAA compliant because the text of HIPAA exempts entities from HIPAA compliance if they engage in “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.” This exemption was confirmed by the Department of Health and Human Services in the preamble to the Final Omnibus Rule in 2013.
Because of the exemption, there is no requirement to make Google Pay HIPAA compliant or enter into a Business Associate Agreement with Google before the service can be used by covered entities and business associates to collect payments from patients and plan members. Covered entities and business associates can also use Google Pay to conduct B2B financial transactions.
What is Google Pay?
Google Pay is a digital payment facilitator. The service enables users to make payments from cards stored in their Google Wallet online, in app, or in-store from a mobile phone, tablet, or Smartwatch with Near-Field Communication (NFC) capabilities. Users can also use the service to send and receive peer-to-peer payments or to transfer money to or from a bank account similar to PayPal.
For businesses, Google Pay provides a convenient and secure way for customers to pay for goods and services. The Google Pay API can be used to set up an autofill checkout for websites and apps, while in-store NFC readers eliminate the necessity for customers to carry physical cards. They can simply tap an app on their phone, tablet, or Smartwatch to complete a payment within seconds.
How Does Google Pay Work?
A further reason why it is not necessary to make Google Pay HIPAA compliant is the way the service “tokenizes” card information stored in a Google Wallet. When a user adds a card to their Google Wallet, Google Pay creates a unique Dynamic Primary Account Number (DPAN) and it is this number – rather than the card number – that is transmitted during a payment transaction.
Although the last four digits of each payment card are visible in the Google Wallet, Google Pay does not transmit any information that could be used to identify a customer. For this reason, Google would not qualify as a business associate even if the service were not exempted by HIPAA – because the payment part of the service does not create, receive, store, or transmit Protected Health Information.
What Does HIPAA Say about Payment Facilitators?
Payment facilitators such as Google Pay are not referenced in HIPAA because they did not exist at the time. However, §1179 of the Act exempts payment processing and associated transactions from HIPAA compliance – an exemption that was confirmed in the preamble to the Final Omnibus Rule in 2013, which states:
“The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer.”
However, while the processing element of a financial transaction is exempt from HIPAA, any PHI maintained to support, manage, or reconcile payments is still subject to HIPAA’s privacy and security standards. Due to this requirement, covered entities and business associates that conduct B2B financial transactions using Google Pay must not store PHI in a Google Wallet.
Is Google Pay HIPAA Compliant? Conclusion
Google Pay is not HIPAA compliant, but it does not need to be. The service does not communicate any individually identifiable health information or – because of the tokenization process – any information that could be used to identify an individual. In addition, the service is exempted from HIPAA compliance by the HIPAA Act, so there is no need to make Google Pay HIPAA compliant.
What covered entities and business associates need to be aware of is potential compatibility issues with any devices or systems Google Pay is integrated with, the compliance of third party integrations (where necessary), and security awareness among workforce members, patients, and plan members to ensure PHI is not disclosed impermissibly or without authorization during financial transactions.
It is also important that covered entities and business associates conducting B2B financial transactions via Google Pay do not store PHI in a Google Wallet as Google Wallet is not HIPAA compliant. Covered entities and business associates that are uncertain about integrations with Google Pay, third party vetting, or security awareness should seek professional compliance advice.