Transformative Healthcare Sued Over Fallon Ambulance Service Data Breach

Transformative Healthcare is facing legal action over a recently disclosed data breach that affected 911,757 patients of the Fallon Ambulance Service. The lawsuit also names Coastal Medical Transportation Systems, LLC, as a defendant. Coastal Medical Transportation Systems acquired Fallon Ambulance Service in September 2022, although the data that was breached was an archived copy of data from before the acquisition.

The lawsuit – Daniel Durgin v. Transformative Healthcare, LLC, and Coastal Medical Transportation Systems, LLC – was filed in the U.S. District Court for the District of Massachusetts on January 18, 2024, on behalf of Daniel Durgin, who received emergency medical transportation from the Fallon Ambulance Service before it ceased operations in December 2022. The lawsuit alleges the defendants knew, or should have known, how to keep sensitive data protected, yet failed to implement reasonable and appropriate cybersecurity measures or comply with industry security standards, which allowed hackers to gain access to the plaintiff’s and class members’ sensitive data.

The lawsuit claims the plaintiff and class members have incurred costs and expenses from the time spent mitigating the consequences of the data breach, including checking credit reports for signs of misuse of their data, purchasing credit monitoring services, and dealing with withdrawal and purchase limits on their accounts, as well as the loss of the property value of their personal information and the stress, nuisance, and aggravation of having to deal with the issues caused by the data breach.

The plaintiff and class assert claims of negligence, breach of implied contract, unjust enrichment/quasi-contract, and breach of fiduciary duty. The lawsuit seeks class-action status, a jury trial, monetary and statutory damages, and injunctive relief.

The plaintiff and class are represented by David Pastor of Pastor Law Office, PC, and Nicholas A. Migliaccio and Jason Rathod of Migliaccio & Rathod LLP.

January 2, 2024: More Than 911,000 Individuals Affected by Fallon Ambulance Service Data Breach

Legal counsel for Transformative Healthcare, a Newton MA-based medical, transportation & logistics company, has notified the HHS’ Office for Civil Rights about a data breach that has affected 911,757 individuals. The data breach affected individuals who had previously received services from the Fallon Ambulance Service, the Massachusetts medical transportation arm of Transformative Healthcare. Fallon responded to patient emergencies in the greater Boston area and provided administrative services for affiliated medical transportation companies.

In September 2022, Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems, and it ceased business operations in December 2022. In order to comply with legal data retention requirements, Transformative Healthcare retained an archived copy of data that had previously been stored on Fallon’s computer systems. On or around April 21, 2023, Transformative Healthcare detected unauthorized activity in its archive environment. Prompt action was taken to prevent further unauthorized access, and an investigation was launched to determine the extent of the breach. The forensic investigation confirmed that an unauthorized third party gained access to the archive on February 17, 2023, and retained access to the archive environment until April 22, 2023. During that time, files were copied from the archive.

The affected files were reviewed, and that process was completed on December 27, 2023, when it was confirmed that the files contained names, addresses, Social Security numbers, medical information including COVID-19 testing/vaccination information, and information provided to Fallon in connection with employment or applications for employment.

While data was removed from the archive, neither Fallon nor Transformative Healthcare has found any evidence of misuse of the data. Affected individuals were notified by mail on December 27, 2023, and credit monitoring and identity theft protection services are being offered to them.

The post Transformative Healthcare Sued Over Fallon Ambulance Service Data Breach appeared first on HIPAA Journal.

What is an OIG Corporate Integrity Agreement?

An OIG Corporate Integrity Agreement in healthcare is a contract between the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and an organization that has violated a fraud and abuse law. It sets out the organization’s future compliance obligations. An OIG Corporate Integrity Agreement is often part of a civil settlement for violating a fraud and abuse law, and entering into one prevents the organization from being added to the HHS OIG Exclusions List.

HHS OIG investigates cases of potential fraud and misconduct related to HHS programs, operations, and beneficiaries. When violations of a fraud and abuse law (e.g., the False Claims Act, the Stark Law, or the Anti-Kickback Statute) are identified, HHS OIG has the authority to pursue criminal prosecution, civil prosecution, and/or administrative penalties such as license penalties, revocation of billing privileges, or exclusion from Medicare, Medicaid, and other federal health care programs.

When a civil prosecution would result in a civil monetary penalty (or settlement) AND exclusion from federal health care programs, organizations may be offered the option of accepting an OIG Corporate Integrity Agreement instead of exclusion, depending on the nature of the violation and the organization’s previous compliance record. The OIG Corporate Integrity Agreement outlines the measures and practices the organization will be expected to implement and comply with over the following five years.

Being offered an OIG Corporate Integrity Agreement can be a lifeline for organizations that would otherwise cease to trade if they were excluded from federal health care programs. However, if an organization fails to comply with the terms of the OIG Corporate Integrity Agreement, the amount of the original civil monetary penalty can be increased, new civil monetary penalties can be imposed (“Stipulated Penalties”), and the organization can be added to the HHS OIG Exclusions List.

What an OIG Corporate Integrity Agreement Consists Of

OIG Corporate Integrity Agreements are tailored to address the cause(s) of the original investigation and any further compliance shortcomings identified during the OIG investigation. They may also take into account elements of an existing compliance program (e.g., a program for complying with HIPAA). While each OIG Corporate Integrity Agreement may be unique, many share common core elements. These include:

  • Hire a compliance officer (rather than assign the role to an existing employee).
  • Appoint a compliance committee under the governance of the compliance officer.
  • Develop written policies and procedures for issues noted in the Agreement.
  • Implement a comprehensive training program for all members of the workforce.
  • Retain an Independent Review Organization to conduct annual compliance reviews.
  • Establish a confidential disclosure program to facilitate internal whistleblowing.
  • Check each existing and new hire against the HHS OIG Exclusion List.
  • Report overpayments, reportable events, and ongoing investigations/legal proceedings.
  • Provide an Agreement implementation report and annual compliance reports to OIG.

With regard to retaining an Independent Review Organization (IRO), because each OIG Corporate Integrity Agreement is unique, there is no one-size-fits-all IRO. More than one IRO may be necessary if the Agreement requires an organization to retain (for example) experts in Medicare and State Medicaid programs, AND experts in the HIPAA Part 162 transaction and code set requirements, AND licensed healthcare professionals with specialized expertise.

The necessary qualifications for an IRO are outlined in the OIG Corporate Integrity Agreement. Once they enter into an OIG Corporate Integrity Agreement, organizations usually have 30 days to retain an IRO and send its details to HHS OIG, which reviews the IRO’s qualifications and either approves the IRO or requests that the organization terminate its relationship with that IRO and retain a new one. HHS OIG has published guidance on IRO independence and objectivity.

The Different Types of OIG Integrity Agreements

There are three types of OIG Integrity Agreements. The first is the OIG Corporate Integrity Agreement described above. The second is an OIG Integrity Agreement for individual practitioners, small group practices, and small providers, which is less comprehensive than a Corporate Integrity Agreement. The third is an OIG Quality of Care Integrity Agreement, used when a civil investigation and prosecution has found evidence of fraud that has affected the quality of patient care.

Under this third type of OIG Integrity Agreement, the organization is required to retain an IRO with clinical expertise to perform relevant quality-related reviews, in addition to an IRO qualified to perform compliance-related reviews. In most cases, the IRO with clinical expertise reviews the organization’s delivery of care and evaluates the organization’s ability to prevent, detect, and respond to patient care problems. The IRO’s review may also require peer review.

The Difference between OIG CIAs and HHS CAPs

The difference between OIG Corporate Integrity Agreements (CIAs) and HHS Corrective Action Plans (CAPs) is that OIG CIAs most often form part of an investigation settlement that includes a civil monetary penalty, whereas a CAP is most often imposed by the Office for Civil Rights (OCR) or the Centers for Medicare & Medicaid Services (CMS) in lieu of a civil monetary penalty. In addition, while an OIG CIA usually runs for five years, an HHS CAP is often concluded within a year.

If you are concerned that your organization – or someone within your organization – may be in violation of a fraud and abuse law or failing to comply with an HHS healthcare regulation, it is best to seek professional compliance advice. If you are a member of a healthcare organization’s workforce, you can also raise your concerns with your organization’s compliance officer, or contact HHS directly via the HHS OIG fraud hotline, the HHS OCR Complaint Portal, or the HHS CMS Complaint Service.

The post What is an OIG Corporate Integrity Agreement? appeared first on HIPAA Journal.

Anna Jaques Hospital Suffers Christmas Day Cyberattack

Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that caused an outage of its medical record system. The decision was taken to divert ambulances to other hospitals in the area until systems could be restored. On December 26, 2023, the emergency department resumed accepting patients. Few details have been released at this stage about the exact nature of the cyberattack, and it is too early to tell whether the attackers gained access to patient information. Third-party cybersecurity experts have been engaged to investigate the attack, and further information will be released as the investigation progresses.

Volunteer at NYC Health + Hospitals Impermissibly Accessed Patient Data

NYC Health + Hospitals has recently announced an unauthorized disclosure of patients’ protected health information. NYC Health + Hospitals said it discovered on October 23, 2023, that an employee of NYC Health + Hospitals/Kings County had allowed a Kings County volunteer to assist with processing laboratory test specimens for Kings County patients; however, the volunteer was not authorized to work in the laboratory and was not permitted to access patients’ protected health information.

While assisting in the laboratory, the volunteer accessed patients’ names, dates of birth, medical record numbers, locations within the hospital, and the laboratory tests ordered. Affected individuals had laboratory tests performed between October 2, 2021, and August 14, 2023. While PHI was impermissibly accessed, there are no indications that any of that information has been misused.

NYC Health + Hospitals said it has taken steps to prevent similar incidents in the future, including notifying all laboratory personnel that they are not permitted to give non-employees access to any NYC Health + Hospitals laboratory. NYC Health + Hospitals also confirmed that the employee no longer works for the organization and has been barred from future employment there, and that the volunteer is no longer volunteering with the organization and has been barred from future volunteer work there.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Anna Jaques Hospital Suffers Christmas Day Cyberattack appeared first on HIPAA Journal.