Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit
Novant Health has agreed to settle a class action lawsuit that stemmed from its use of tracking pixels on its MyChart patient portal. The pixel code on the patient portal collected the personally identifiable information of users with the goals of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care”; however, the information collected was also transferred to third-party technology companies that were not authorized to receive the data.
The North Carolina health system was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In the summer of 2022, Novant Health said the protected health information of up to 1,362,296 individuals had been disclosed to third parties such as Meta (Facebook) between May 1, 2020, and Aug. 12, 2022. The HIPAA breach was reported several months before OCR issued guidance on HIPAA and tracking pixels confirming that pixel-related disclosures of protected health information to third parties violate HIPAA. Novant Health was one of many health systems to use the code on its patient portal. According to one study, 99% of hospitals in the United States used pixels or other tracking technologies on their websites, apps, or patient portals that collected visitor information and transferred that data to third parties.
The lawsuit against Novant Health was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was present and alleged invasion of privacy, breach of contract, and violations of the Health Insurance Portability and Accountability Act. Novant Health maintains there was no wrongdoing and the decision to settle the lawsuit was taken to put an end to the litigation and avoid further legal costs and the uncertainty of trial.
“Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant Health will continue to be as transparent as possible and provide information to patients,” said a spokesperson for Novant Health regarding the proposed settlement. “The proposed settlement is not an admission of wrongdoing, and the court did not find any wrongdoing on the part of Novant Health.”
Under the terms of the settlement, class members – individuals who used the MyChart portal between May 1, 2020, and Aug. 12, 2022 – will be eligible to submit claims for a share of the $6.6 million settlement fund. Claims will be paid pro rata once legal costs, expenses, and attorneys’ fees have been paid. Novant Health is one of several healthcare providers to have been sued over the use of pixels and other tracking technologies, including Advocate Aurora Health, which chose to settle its lawsuit for $12.225 million.
The post Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit appeared first on HIPAA Journal.
How long is HIPAA training good for?
HIPAA training is good for one year: it is expected to be completed annually to ensure best-practice compliance with evolving regulations and organizational policies, though the frequency can vary depending on specific job roles, updates in HIPAA laws, or organizational requirements. New employees who will have access to Protected Health Information (PHI) are mandated by law to receive HIPAA training to ensure compliance with privacy and security regulations. The HIPAA Privacy Rule and HIPAA Security Rule each have HIPAA training requirements for entities handling PHI.
Under the HIPAA Privacy Rule, training is mandated for all workforce members of covered entities and business associates who handle or have access to PHI, ensuring they understand how to maintain the confidentiality and security of this sensitive information. This includes education on the proper use and disclosure of PHI, the rights of individuals under HIPAA, and the entity’s privacy policies and procedures. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information”. The frequency of training is specified “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”, which is generally interpreted as being at least annual refresher training for all staff.
The HIPAA Security Rule specifically focuses on training regarding electronic PHI (ePHI), emphasizing the importance of securing electronic health records and other digital forms of PHI. It requires that relevant staff are trained on the entity’s security policies and procedures, the handling of ePHI, and awareness of potential security threats. The HIPAA Security Rule states “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”
Both the HIPAA Privacy Rule and the HIPAA Security Rule require that HIPAA training be provided to new employees within a reasonable time frame after hiring and thereafter as needed, typically annually, to ensure staff are up-to-date with the latest regulations, technologies, and threats to PHI privacy and security. The aim is to create a knowledgeable workforce that contributes to the prevention of unauthorized PHI disclosures and enhances the overall protection of patient privacy and data security. It is general best practice that new employees receive HIPAA training as soon as possible.
Documenting HIPAA training helps in proving compliance with federal requirements, reducing the risk of legal issues or fines during audits. Training records are useful for confirming that new hires and staff with access to PHI are properly trained. Training records also allow organizations to track and manage their employees’ training, identifying areas that need further education and ensuring everyone is up to date with current HIPAA rules.
LockBit Ransomware Group Behind Capital Health Cyberattack
Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.
Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.
Capital Health has yet to confirm the extent of any data breach but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data as it was not its intention to cause any disruption to patient care. While ransomware was not used, these attacks can still cause network outages as part of incident response processes and therefore still have the potential to disrupt patient care.
Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.
Lawsuit Filed Over Capital Health Cyberattack
The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health, but a lawsuit has already been filed against Capital Health over an alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.
The lawsuit alleges the plaintiff has suffered injuries as a result of the attack and that the failure of Capital Health to issue prompt notifications to the affected individuals has exacerbated the injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The lawsuit alleges injuries have been suffered including damage to and the diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.
OSHA Increases Penalties for Workplace Health and Safety Violations
The Occupational Safety and Health Administration (OSHA) has increased the minimum and maximum civil monetary penalties (CMPs) for workplace safety violations, as required by the Federal Civil Penalties Inflation Adjustment Act.
To maintain the deterrent effect of CMPs and to promote compliance with the law, the Federal Civil Penalties Inflation Adjustment Act requires an annual adjustment of CMPs to account for inflation. Each year, the Office of Management and Budget (OMB) calculates an inflation multiplier, and all federal agencies are required to apply that multiplier to their CMP structures by January 15. For 2024, the OMB has calculated a multiplier of 1.03241 to reflect the cost-of-living increase over the past 12 months.
OSHA confirmed the cost-of-living increase in a final rule published in the Federal Register on January 11, 2023. The final rule is effective on January 15, 2024, and will apply to all citations issued by OSHA on or after January 16, 2024. The new penalty structure also applies to open inspections that commenced before January 16, 2024. The new CMP structure is detailed in the table below.
| Type of Violation | Penalty Minimum | Penalty Maximum |
|---|---|---|
| Serious | $1,190** per violation | $16,131 per violation |
| Other-Than-Serious | $0 per violation | $16,131 per violation |
| Willful or Repeated | $11,524* per violation | $161,323 per violation |
| Posting Requirements | $0 per violation | $16,131 per violation |
| Failure to Abate | N/A | $16,131 per day unabated beyond the abatement date [generally limited to 30 days maximum] |
* For a repeated other-than-serious violation that otherwise would have no initial penalty, a Gravity Based Penalty (GBP) of $460 shall be proposed for the first repeated violation, $1,152 for the second repeated violation, and $2,304 for a third repetition.
** This amount reflects the actual minimum penalty with all penalty reductions applied, which rectifies an error in previous years’ posted serious minimum penalty.
In several U.S. states, state agencies enforce the Occupational Safety and Health Act rather than OSHA, and penalties for workplace safety violations may differ in those states.