Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy

Posted by Steve Alder

Connexin Software, which does business as Office Practicum, has proposed a $4 million settlement to resolve a consolidated class action lawsuit stemming from a 2022 data breach that affected almost 3 million individuals. Office Practicum provides pediatric-specific health information technology solutions to healthcare providers, including electronic health records, practice management software, billing services, and business analytics tools.

On August 26, 2022, Connexin Software said it detected a data anomaly within its internal network and the subsequent forensic investigation confirmed that an unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting. The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children. The compromised data included names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.

Several class action lawsuits were filed against Connexin Software shortly after the company announced the breach, nine of which were consolidated into a single class action lawsuit as they all made similar claims, including an alleged failure to implement reasonable and appropriate security measures to protect patient data. Children’s data is particularly valuable to cybercriminals as it can be misused for years. The affected individuals suffered an invasion of privacy and immediate and long-term risks of identity theft, fraud, medical identity theft, misappropriation of health insurance benefits, and other misuses. The plaintiffs argued that the threat actor behind the attack could also sell the data of children to human trafficking groups.

The settlement is in the best interests of all parties concerned. The plaintiffs will be able to claim for reimbursement of out-of-pocket expenses and Connexin Software will avoid further legal costs. Connexin Software explained to the judge when filing the preliminary settlement that if the lawsuit had progressed much further, the company would have no option other than to file for bankruptcy protection.

All parties have agreed to the proposed settlement, which has received preliminary approval from a Pennsylvania federal court judge. The plaintiffs and class members have been given three options: Expanded identity theft protection services for three years and coverage by a $1,000,000 identity theft insurance policy; reimbursement for unreimbursed out-of-pocket expenses up to a maximum of $7,500 per class member; or a flat-fee cash payment, the amount of which will be determined based on the claims received. Connexin Software has also agreed to invest $1.5 million in its information security program to better protect patient data in the future. Attorneys for the plaintiffs and class members are seeking around $1.3 million in fees.

“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” states the settlement document. “Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident.” The settlement now awaits a final hearing, the date for which has not yet been set.

The post Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy appeared first on HIPAA Journal.

What is Risk Management in Healthcare?

Posted by Steve Alder

Risk management in healthcare is the practice of analyzing healthcare practices and processes to identify risks and opportunities, assess their likelihood and potential impact, and implement controls to prevent losses and optimize profitability. Within each organization, the practice of managing risk can be influenced by the nature of the organization’s structure, the organization’s risk culture/appetite, and the resources available to conduct risk analyses.

The Definition of Risk Management in Healthcare

There is no one-size-fits-all definition of risk management in healthcare because a risk in healthcare is defined as the likelihood of a particular threat triggering or exploiting a particular vulnerability, resulting in harm or damage to a patient, an organization, or its workforce. (Abridged from the definition of risk in HHS’ Guidance on Risk Analysis).

Using this definition of risk, the “traditional” definition of risk management in healthcare is the identification, assessment, and minimization of the organization’s exposure to risks in order to improve patient care, reduce liability risks, and prevent financial losses. However, using this definition of risk can lead to the management of risks being conducted by separate business units in “risk silos”.

This can result in a lack of communication, coordination, and oversight which limits the effectiveness of risk management activities. To make risk management in healthcare more effective, there is a growing trend away from risk silos and towards organization-wide “enterprise” risk management in healthcare – defined by the American Society for Healthcare Risk Management (ASHRM) as:

“Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value”.

The ASHRM’s definition of risk management in healthcare suggests that the management of risks should not only serve the “traditional” purpose, but also be used to identify ways in which processes can be improved, healthcare activities can be made more efficient, the demand on healthcare resources can be reduced, and patient satisfaction/workforce retention can be increased.

More about Enterprise Risk Management in Healthcare

The ASHRM’s model for enterprise risk management in healthcare consists of eight “risk domains”.  Not all eight domains will apply in all risk scenarios, but it is important for those with the responsibility for managing risks to be aware of the domains and to consider the possibility of risks and opportunities (both value opportunities and opportunities to learn) existing in each domain.

1.      Operational

Operational risks occur when a vulnerability in an internal process or system – or an event attributable to human error – affects business operations. Such risks could include a failure in the process for data breach incident response, a failure in a data backup system, or a failure by a workforce member to configure software securely which undermines other security measures.

Analyzing healthcare practices and processes in the operational risk domain might not only identify areas where controls need to be implemented to prevent the risks (i.e. adding failover support to the data backup system), but can also identify opportunities for improvement. For example, building DevSecOps best practices into all application development.

2.      Clinical/Patient Safety

The clinical/patient safety domain relates to the delivery of care to patients, residents of care homes, and other recipients of healthcare. Clinical/patient safety risks can include medication errors, surgical mistakes, patient misidentification, hospital acquired conditions, and patient or visitor injuries attributable to slips, trips, and falls or other hazards covered by the OSH Act.

Most potential clinical and patient safety risks are well chronicled, and risk managers should be able to locate risk management checklists that cover these risks. As a note of interest, it was the analyses of clinical and patient safety that led to the Centers for Disease Control and Prevention (CDC) revising its Guidelines for the Prevention of Catheter-Associated Urinary Tract Infections in 2009.

3.      Strategic

Strategic risks are risks associated with the focus and direction of the organization and can include the failure to adapt to changing best practices, technologies, and patient priorities, or failing to act quickly enough when regulatory changes occur. These failures can result in losses to competitors, reputational damage, or enforcement action being taken by regulatory authorities.

As well as applying to operational units, the strategic domain in ASHRM’s model for enterprise risk management in healthcare can apply to business units such as managed care partnerships, media relationships, marketing, etc. As well as identifying risks in these units, an effective risk analysis can also identify ways for each unit to operate more efficiently.

4.      Financial

In the healthcare industry, the financial sustainability of an organization can be at risk from events theoretically under an organization’s control – such as fraud (both internal and external), malpractice lawsuits, regulatory fines, etc. – and events that are outside of an organization’s control, such as increasing capital equipment costs and interest rates, or unpaid bills.

While it is impossible to implement controls that manage risks outside of an organization’s control, it may be possible to identify ways to mitigate the impact of such events. For example, to mitigate the impact of increasing capital equipment costs and interest rates, it may be better to lease capital equipment on a fixed rate basis – potentially saving thousands of dollars across the organization.

5.      Human Capital

An organization’s human capital is its workforce; and, as most healthcare organizations will have experienced during the COVID-19 pandemic, the workforce is the key component of any healthcare organization. As a result, it is important risks to the wellbeing of the workforce are prioritized in order to prevent avoidable illnesses and injuries, low morale, and recruitment costs.

As well as using a risk assessment to identify, assess, and control risks to the workforce, healthcare organizations should use a risk assessment to identify areas in which the wellbeing of the workforce can be enhanced – for example, by implementing policies that encourage members of the workforce to confidentially report workplace violence or sexual harassment.

6.      Legal/Regulatory

The legal/regulatory risk domain includes the failure to identify, manage, and monitor compliance with federal, state, and local laws and regulations – for example, a healthcare organization in Dallas would likely have to comply with at least HIPAA, CMS’ conditions for participation in Medicare and Medicaid, OSHA, the Texas Medical Records Privacy Act, and the City of Dallas Fire Code.

When compliance with laws and regulations of this nature are managed in separate risk silos, the danger exists that compliance efforts will be duplicated. When they are managed holistically, similar compliance requirements can be combined to reduce the regulatory burden. In this example, the fire prevention requirements of the Dallas Fire Code, OSHA, and CMS’ conditions are almost the same.

7.      Technology

The technology risk domain not only covers software and data, but the systems they run on and the devices on which the systems run. In addition, depending on what enterprise risk management activities are conducted in the operational and strategic domains, the technology risk domain can also cover operational processes and automated decision making technologies.

The potential opportunities in this domain depend on the degree of integration between technologies. For example, patient scheduling software integrated with a practice management system and EHR system can improve the patient experience, accelerate billing and payment processes, and support HIPAA compliant messaging (among other benefits).

8.      Hazard

The hazard domain is a catch-all domain for other types of foreseeable risks that could cause business interruption. This domain includes natural disasters and facility issues (i.e. construction, renovation, etc.) and will soon also include hospital preparedness for emerging infection disease epidemics such as the COVID-19 pandemic.

While this domain is a bit of a grey area in terms of risk assessment responsibilities, it provides an opportunity for an organization to demonstrate a commitment to mitigate the impact of risks in the operational, clinical/patient safety, financial, and human capital domains – enhancing an organization’s reputation while protecting its future operational capabilities.

Risk Management Strategies in Healthcare

In its guide to the history of risk management in healthcare and the evolution to enterprise risk management, ASHRM argues the case that every member of a healthcare organization’s workforce is a risk manager – from the housekeeper that ensures the correct germicide is used on the correct surfaces for the correct amount of time to the organization’s CEO.

While it is difficult to disagree with this argument, it is necessary for there to be an oversight of how risks are managed. This involves determining what frameworks, models, and processes are used to identify vulnerabilities, how risks are analyzed in the context of the organization’s risk culture, and what controls are implemented to correspond with the organization’s risk appetite.

However, when risk management strategies in healthcare are executed by separate business units, inconsistencies between the strategies can result in the same frameworks being used in different ways to obtain conflicting results. Even simple probability/harm risk matrixes can produce different results due to ambiguous inputs or qualitative ratings being assigned to quantitatively smaller risks.

It is for this reason that ASHRM advocates an enterprise risk management model (also known as a holistic or integrated risk management model) in which a risk management team liaises with C-Suite Executives to communicate the risk management strategy, coordinate risk management activities, and oversee the controls put in place to prevent losses and optimize profitability.

Enterprise Risk Management in Healthcare Examples

The enterprise risk management model is particularly effective in healthcare because few activities impact just one domain. However, when multi-domain activities are being analyzed, it is important to have “subject matter experts” liaise with the risk management team in order to broaden the assessment of a potential risk and identify opportunities to create value for the organization.

Actual examples of effective enterprise risk management in healthcare do not appear in the public domain. However, ASHRM has produced a theoretical example of how risk assessing a change of process can result in the creation of value across all eight domains – in this case, changing the process of using a transporter to escort all discharged patients out of the hospital in a wheelchair.

The background to this risk assessment is that engaging a transporter to escort discharged patients out of the hospital in a wheelchair fulfils the organization’s duty of care for safe patient discharges. But what would be the risks and the value if this discharge process was used more selectively?

  • Value in the operational domain is acquired by reducing the number of transporters and wheelchairs required for a room turnaround.
  • Patients who can safely walk out of the hospital increase value in the clinical/patient safety domain by eliminating wait times (for a transporter) and vacating rooms quicker for the next admission.
  • The strategic value lies in the fact that a discharge has been performed to the patient’s satisfaction, which can increase confidence in – and the reputation of – the organization.
  • The improved patient throughput – even if by only 30 minutes per patient – can have a positive impact on profitability and other metrics in the financial domain.
  • Reduced transportation requirements may facilitate the better use of resources in the human capital domain, or enable flexible schedules to increase employee satisfaction.
  • Giving patients the choice of whether they would prefer to walk or be escorted increases the legal/regulatory perception that organizations are recognizing patient preferences and rights.
  • If the discharge process becomes discretionary (for patients), existing technologies could be put to better use to support the discharge process and communication during the process.
  • The hazard domain is both win and lose, as there is an increased risk of patients falling, but there is also the reduced risk of fewer wheelchairs being a trip hazard in cluttered hallways.

Why Risk Management is Important to Healthcare Facilities

Risk management is important to healthcare facilities because there are many areas of a healthcare organization’s activities in which vulnerabilities and opportunities may exist. Preventing the exploitation of vulnerabilities while exploiting potential opportunities is a challenging task which is best approached holistically to prevent inconsistencies in risk management strategies and ensure risks are analyzed and controlled according to the same risk culture/appetite.

However, building an enterprise risk management program from scratch, or transitioning from the traditional approach to an enterprise approach, is not without its own challenges. Possibly the biggest challenge is settling on a risk management strategy and risk culture/appetite that everyone can agree on. For example, a Chief Financial Officer or Chief Compliance Office will likely be more risk averse than a Chief Marketing Officer or Chief Business Development Officer.

Once this challenge is resolved, the next challenge is to justify the benefits of enterprise risk management to the Chief Officers who have had to compromise their risk appetites. This can be a difficult challenge to overcome initially due to the different levels of risk awareness in separate business units and because risk management teams will be under pressure to deliver positive outcomes, and this pressure could get in the way of preventing negative outcomes.

One way to overcome these issues is to implement customizable software for managing risks that can be configured by the risk management team with guided risk assessments and automated corrective action plans for each business unit. This solution resolves the issue of different levels of risk awareness, while delegating the responsibility for risk assessments to subject matter experts in each business unit – enabling the risk management team to focus on identifying positive outcomes.

Organizations that are interested in adopting an enterprise approach to risk management in healthcare should discuss their plans with a compliance expert with knowledge of customizable software for managing risks. While risk management is important to healthcare facilities, it is equally important that risk management activities are conducted effectively in order to prevent unmanaged risks resulting in harm, damage, or the loss of a value opportunity.

The post What is Risk Management in Healthcare? appeared first on HIPAA Journal.

Senator Calls for FTC, SEC to Hold Data Broker Accountable for Misuse of Geolocation Data

Posted by Steve Alder

U.S. Senator Ron Wyden (D-OR) has written to the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) calling for action to be taken to protect consumers and investors from “the outrageous conduct” of the publicly owned data broker, Near Intelligence Inc. Sen. Wyden launched an investigation in May 2023 of Near Intelligence after a report in The Wall Street Journal revealed the Wisconsin-based non-profit anti-abortion group, The Veritas Society, used geolocation data obtained from Near Intelligence to conduct a misinformation campaign on women suspected of seeking abortion.

Geolocation data is collected through code that is incorporated into mobile phone apps. The code receives location data and transfers it along with other information from the user’s device. The data collected reveals a person’s movements, including visits to sensitive locations such as reproductive health clinics, places of worship, healthcare providers, and other sensitive locations. The geolocation data can be tied to an individual and reveals how long they were present at a particular location, with the data accurate to a few meters.

The Veritas Society’s advertising agency, Recrue Media, used Near Intelligence to obtain the geolocation data of individuals who visited Planned Parenthood clinics and used that data for the advertising campaign. Recrue Media conducted the campaign for The Veritas Society From November 2019 through the summer of 2022, when Roe vs. Wade was overturned following the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization.

Sen. Wyden spoke with Steven Bogue, Co-Founder and Managing Principal of Recrue Media, on May 19, 2023, who revealed that to conduct the targeted campaign, his employees used the Near Intelligence website to geofence Planned Parenthood clinics and parking lots. Individuals who visited any of the 600 Planned Parenthood clinics in 48 states were then targeted. The Veritas Society said that in 2020 alone, it conducted a campaign that served 14.3 million ads to women who had visited abortion clinics, with the ads pushed out to their social media pages on Facebook, Instagram, and Snapchat.

A second investigation by The Wall Street Journal into Near Intelligence revealed in October 2023 that the company had also sold geolocation data to the U.S. government. Near Intelligence had provided the data to a defense contractor, which sold the data to the Defense Department and U.S. intelligence agencies. Sen. Wyden spoke with Near Intelligence’s Chief Privacy Officer, Jay Angelo, who explained that the company did not have the technical capabilities to prevent customers from targeting individuals who visited sensitive locations. He also confirmed that Near Intelligence had been providing location data to the defense contractor, AELIUS Exploitation Technologies, for three years and that the geolocation data had been collected without user consent. The Near Intelligence website stated that the data collected would not be provided to governments. Angelo joined Near Intelligence in June 2022 and conducted a review of the company’s practices, which revealed the company was facilitating the sale of geolocation data to the U.S. government. When the review was concluded, those statements were removed from the website.

Near Intelligence had a particularly bad financial year and has filed for bankruptcy. A statement provided in its December 11, 2023 bankruptcy hearing confirmed that former executives are under criminal investigation and that the SEC has initiated an investigation of the company related to a data breach in France, which involved transferring the data of E.U citizens to the U.S. government.

The Federal Trade Commission is cracking down on the collection and sale of geolocation data that has been obtained without consent and has recently settled a complaint with the data broker X-Mode Social/Outlogic. Sen. Wyden requested FTC Chair, the Honorable Lina Khan, prevent Near Intelligence from selling off the data it has collected to another company or data broker during the company’s bankruptcy proceedings and to ensure that the geolocation and device data it holds is permanently deleted. Sen. Wyden explained that in this instance, The Veritas Society conducted a misinformation campaign, but the same geolocation data could be used by right-wing prosecutors in states with bans on abortions to prosecute women who visit abortion clinics in states where abortions are legal.

Sen. Wyden also requested the SEC Chair, the Honorable Gary Gensler, expand the SEC’s investigation of Near Intelligence and investigate whether the misleading statements Near Intelligence provided to Congress about whether geolocation data was obtained with users’ consent violated securities laws. “Federal watchdogs should hold [Near Intelligence] accountable for abusing Americans’ private information,” said Sen. Wyden. “And Congress needs to step up as soon as possible to ensure extremist politicians can’t buy this kind of sensitive data without a warrant.”

The post Senator Calls for FTC, SEC to Hold Data Broker Accountable for Misuse of Geolocation Data appeared first on HIPAA Journal.