New Federal Data Privacy and Protection Legislation Introduced

A federal data privacy law is inching closer to reality, with House and Senate Committee leaders reportedly having reached an agreement on data privacy measures and proposed the American Privacy Rights Act of 2024.

In July 2022, the American Data Privacy and Protection Act (ADPPA) was proposed. ADPPA was a bipartisan effort to introduce much-needed protections for consumer data and, if enacted, would regulate how organizations could collect and use consumer data. The landmark federal data privacy bill was the first federal data privacy legislation to pass committee markup, succeeding where many attempts over the past two decades have failed.

In the absence of a federal data privacy law, many states have introduced their own laws, with California being the first state to introduce a comprehensive consumer data privacy law, followed by 14 others, including Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire. Seven other states have introduced narrower privacy laws: Maine, Michigan, Minnesota, Nevada, New York, Vermont, and Washington, and legislation is pending in several other states. The problem with this patchwork of data privacy laws is that it makes compliance complex for companies that operate in more than one state, and individuals living just a few miles apart on opposite sides of a state line can have vastly different rights and protections.

ADPPA underwent some revisions and advanced to the House floor, but Republicans and Democrats were unwilling to compromise on key parts of the bill. One of the key sticking points was the preemption of state laws: ADPPA set a ceiling rather than a floor for data privacy and protection, so individual states would have been unable to go beyond the baseline protections set by ADPPA. That would have meant that states such as California would have had to water down protections that had been in place for state residents for several years.

Another sticking point was the private right of action, with Democrats backing a private right of action that would allow individuals to bring lawsuits for privacy violations, whereas Republicans largely opposed it. Last Congress, leaders of the House Committee on Energy and Commerce and the Senate Commerce Committee agreed to amendments to ADPPA that would see the federal privacy law preempt some state laws and include a limited private right of action; however, even with this proposal, there was insufficient support. Californian Democrats opposed the preemption of state laws and refused to give their support, and former House Speaker Nancy Pelosi and Sen. Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation, also refused to support ADPPA. As such, the proposal was rejected and ADPPA was not reintroduced to Congress.

According to a press release issued by Rep. Cathy McMorris Rodgers (R-WA), Chair of the House Energy and Commerce Committee, a deal has been agreed on new federal data privacy legislation – the American Privacy Rights Act of 2024, the successor to ADPPA. “This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Chairs Rodgers and Cantwell. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

“This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act,” said Chair Rodgers. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.”

A discussion draft of the American Privacy Rights Act of 2024 is available here, and a section-by-section summary of the discussion draft can be downloaded here.

The post New Federal Data Privacy and Protection Legislation Introduced appeared first on HIPAA Journal.

Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated

A lawsuit against CareFirst BlueCross BlueShield that was filed in response to a 2014 data breach has had a contract class certified by a federal judge, 9 years after legal action was initiated. The lawsuit can now proceed, and more than 1 million plan members are a step closer to obtaining damages. In June 2014, hackers gained access to CareFirst systems containing the data of around 1.1 million plan members; however, the intrusion was not detected for several months. In response to major data breaches at Anthem Inc., Premera, Excellus, and Community Health Systems, CareFirst conducted a review of its systems, which revealed there had been unauthorized access to one of its databases.

CareFirst announced the data breach in May 2015 and explained that a single database was compromised that stored data that members and other individuals enter to access CareFirst’s websites and online services. The compromised data included names, birth dates, email addresses, and subscriber ID numbers, but no highly sensitive information such as Social Security numbers, financial information, or health information.

A lawsuit – Chantal Attias, et al. vs. CareFirst – was filed in the U.S. District Court for the District of Columbia shortly after the notification letters were mailed, alleging that injuries had been suffered as a result of the breach. The lawsuit, which named seven policyholders as plaintiffs, alleged breach of contract and violations of the consumer protection statutes of Maryland and Virginia. The lawsuit was dismissed in 2016 for lack of standing, as the plaintiffs had failed to allege a concrete, identifiable injury sustained as a result of the breach. The ruling was appealed, and the District Court’s ruling was overturned. In 2018, the Supreme Court declined to review the case, which was referred back to the District Court; several years of back-and-forth litigation followed. In 2022, the plaintiffs moved to certify three classes, one for each cause of action; however, in March 2023, District Court Judge Christopher Cooper denied the plaintiffs’ motion to certify two consumer classes and one contract class without prejudice, allowing the plaintiffs to file a renewed and modified motion, which they did.

In late 2023, CareFirst’s motion for summary judgment was partially granted, and the claims under the consumer protection statutes of Maryland and Virginia were dismissed. The court found that the plaintiffs could not show there had been any identity theft, and under District of Columbia law, mitigation expenses incurred to abate the risk of future fraud do not qualify as actual damages; therefore, the plaintiffs would only be able to recover nominal damages.

On March 29, 2024, after careful consideration and a hearing on the matter, Judge Cooper found that certification of a contract class was warranted. “The standing issue that prevented the Court from certifying the last go around has since dissolved because, as all sides agree, each member of the proposed class has allegedly suffered a concrete injury based on CareFirst’s supposed breach of its contractual obligation to safeguard its customers’ data—regardless of whether they sustained an additional, tangible injury due to the data breach,” wrote Judge Cooper in his ruling.

The contract class consists of all individuals in the District of Columbia, Maryland, or Virginia who purchased or possessed health insurance from CareFirst, had their sensitive data exposed in the data breach, and were notified about that breach by CareFirst in May 2015.

The post Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated appeared first on HIPAA Journal.

Data Breach at New York Medical Billing Service Provider Affects 284K Individuals

M&D Capital Premier Billing in Queens, NY, has announced a breach of the protected health information of 284,326 individuals. Data breaches have also been reported by Tri-City Healthcare District and Dental Health Services in California, and Ethos (Southwest Boston Senior Services) in Massachusetts.

M&D Capital Premier Billing

M&D Capital Premier Billing, a Queens, NY-based billing service provider, has notified 284,326 individuals about a cybersecurity incident identified on July 8, 2023. Suspicious activity was detected within its network and third-party cybersecurity specialists were engaged to investigate the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party gained access to its network on June 20, 2023, and maintained access until July 8, 2023.

During those roughly three weeks, protected health information provided by its covered entity clients may have been viewed or acquired. That information may have included names, addresses, dates of birth, Social Security numbers, financial information, medical billing information, insurance information, and medical information such as diagnoses, medications, and treatments. M&D Capital Premier Billing said it has reviewed its existing policies and procedures and has implemented additional administrative and technical safeguards to help prevent future attacks. The affected individuals have been offered single-bureau credit monitoring, credit report, and credit score services at no cost.

Ethos (Southwest Boston Senior Services)

Ethos, also known as Southwest Boston Senior Services, has recently announced a cybersecurity incident that occurred on November 18, 2023, which exposed the protected health information of 14,503 individuals. On March 13, 2024, it was confirmed that protected health information had potentially been accessed or acquired in the incident. For most of the affected individuals, the exposed data included names, addresses, medical insurance information, and health and treatment information. A small group of affected individuals also had their Social Security numbers exposed.

Contact information has now been verified, which will allow individual notifications to be mailed to the affected individuals. Ethos did not state in its website notification whether credit monitoring and identity theft protection services are being offered. The notification letters will explain the steps that affected individuals can take to monitor and protect their information.

Tri-City Healthcare District

Tri-City Healthcare District in California has notified 7,847 individuals about the exposure of some of their protected health information. On November 9, 2023, unusual activity was detected in its systems, which disrupted access to those systems. The forensic investigation confirmed that an unauthorized third party gained access to its network on November 8, 2023, and may have viewed or exfiltrated files containing patient data.

The review of the affected files was completed on or around March 7, 2024, and confirmed that names and Social Security numbers had been exposed. Notification letters were sent to the affected individuals on April 4, 2024, and complimentary identity theft protection services have been offered. Tri-City Healthcare District said it has implemented additional security measures to further harden security and prevent similar incidents in the future.

Dental Health Services

Dental Health Services, a California-based provider of dental health plans to individuals in California, Oregon, and Washington, has notified certain plan members about an impermissible disclosure of some of their protected health information. On or around February 7, 2024, an error resulted in monthly invoices containing plan member data mistakenly being emailed to certain employer group customers. The invoices were encrypted and password protected, but before the error was identified, the recipients were sent the encryption password in a separate email. Because the password traveled over the same channel to the same unintended recipients, the encryption provided no protection against the misdirected delivery, and the invoices could be viewed.

The invoices contained the impacted members’ names, dates of birth, member identification numbers, eligibility dates, plan types, and premium amounts due. Dental Health Services has received assurances from all recipients of the emails that the incorrectly disclosed invoices have been deleted. Due to the nature of the disclosed information, Dental Health Services does not believe the data will be misused.

The post Data Breach at New York Medical Billing Service Provider Affects 284K Individuals appeared first on HIPAA Journal.