Class Action Lawsuits Filed Over HealthEC Data Breach

January 12, 2024: Class Action Lawsuits Filed Over HealthEC Data Breach

Multiple class action lawsuits have been filed against HealthEC LLC over a recently disclosed data breach that affected almost 4.5 million individuals. Hackers gained access to HealthEC’s population health management platform between July 14 and July 23, 2024, and obtained the sensitive data of patients of its healthcare provider clients, per The HIPAA Journal report below.

One of the class action lawsuits – Victoria Lempinen v. Health EC LLC – was filed in the U.S. District Court of New Jersey on behalf of Victoria Lempinen and similarly situated individuals who had their personal and protected health information compromised in the data breach. The lawsuit alleges that HealthEC lost control of the sensitive data of almost 4.5 million individuals as a direct result of its failure to maintain reasonable and appropriate cybersecurity protocols and its failure to encrypt sensitive data on its network. The security failures are alleged to violate the FTC Act and the Health Insurance Portability and Accountability Act (HIPAA). Further, the plaintiff argues that HealthEC did not have policies and procedures in place to ensure that sensitive data was deleted in a timely manner when it was no longer needed.

In addition to suffering a preventable data breach, HealthEC is alleged to have unnecessarily delayed issuing notifications, which were sent in December 2023, more than 5 months after the data breach occurred. This, it is argued, denied victims of the breach the opportunity to take steps to protect themselves against identity theft and fraud. When notification letters were issued, the lawsuit alleges, HealthEC failed to disclose important details about the breach, such as when the cyberattack and data breach were first detected, the dates of the investigation, the vulnerabilities that were exploited by the hackers, and the measures undertaken in response to the cyberattack to ensure that similar breaches are prevented in the future.

The lawsuit claims the plaintiff and class have suffered injuries including invasion of privacy, theft of private information, loss or diminished value of private information, lost time and opportunity costs, loss of the benefit of the bargain, and an increase in spam calls, texts, and emails, and that the plaintiff and class members now face an increased risk of identity theft and fraud. The 75-page lawsuit alleges negligence, breach of third-party beneficiary contract, breach of confidence, invasion of privacy, and unjust enrichment, and seeks class action certification, a jury trial, damages, restitution, and injunctive relief, including a court order compelling HealthEC to implement a raft of measures to improve data security. The plaintiff and class are represented by Vicki J. Maniatis and Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman LLC.

A second lawsuit was filed against HealthEC LLC on behalf of plaintiff Bree Marano and similarly situated individuals that makes similar claims, including the failure to comply with FTC guidelines, industry standards, and HIPAA. Those failures include inadequate cybersecurity measures given the level of risk of a cyberattack, insufficient monitoring of its network for intrusions, and the failure to issue adequate and timely individual notifications about the data breach. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and breach of confidence, and claims the defendant has done nothing of value to provide the plaintiff and class with relief for the damages they have suffered as a result of the data breach.

January 3, 2024: HealthEC Data Breach Affects Almost 4.5 Million Individuals

HealthEC, an Edison, New Jersey-based analytics software vendor, has recently confirmed that the protected health information of 4,452,782 individuals has been exposed and potentially stolen in a recent cyberattack. HealthEC is the developer of a platform that healthcare organizations use to identify high-risk patients, close care gaps, and recognize barriers to optimal care. More than 1 million healthcare professionals in 18 U.S. states use the platform’s analytics to gain insights to improve patient outcomes.

HealthEC started mailing data breach notification letters to the affected individuals on December 22, 2023; however, the data breach occurred several months earlier. According to the notification letters, unauthorized individuals had access to HealthEC’s systems between July 14, 2023, and July 23, 2023. The forensic investigation revealed that during that time, files were removed.

HealthEC conducted a review of the affected files and determined that they contained the protected health information of its clients’ patients. HealthEC started notifying the affected clients on October 26, 2023; these included MD Valuecare in Virginia (112,005 records) and Corewell Health in Michigan (1 million+ records). On December 21, 2023, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 4.52 million individuals.

The information compromised in the attack varied from patient to patient and may have included names along with one or more of the following: address, date of birth, Social Security number, medical record number, diagnosis and diagnosis codes, mental/physical condition, prescription information, provider name, beneficiary number, subscriber number, Medicaid/Medicare identification number, patient account number, patient identification number, and treatment cost information. HealthEC is offering the affected individuals complimentary credit monitoring services and has taken steps to improve security to prevent further data breaches in the future.

HealthEC is the second vendor to experience a data breach that has affected more than 1 million Corewell Health patients this year. Michigan Attorney General Dana Nessel has called for new legislation to be introduced in the state mandating prompt notifications in the event of a data breach, as in each case, Michiganians had to wait several months to discover that their sensitive health data had been stolen.

Entities Impacted by HealthEC Data Breach

The entities known to have been affected by the HealthEC data breach, as disclosed by HealthEC on December 22, 2023, are:

  • Alliance for Integrated Care of New York, LLC
  • Advantage Care Diagnostic & Treatment Center, Inc.
  • Beaumont ACO
  • Community Health Care Systems
  • Compassion Health Care
  • Corewell Health
  • East Georgia Healthcare Center
  • HonorHealth
  • Hudson Valley Regional Community Health Centers
  • Illinois Health Practice Alliance, LLC
  • KidneyLink
  • Long Island Select Healthcare
  • Metro Community Health Centers
  • Mid Florida Hematology & Oncology Centers, P.A., d/b/a Mid-Florida Cancer Centers
  • TennCare
  • State of Tennessee
  • University Medical Center of Princeton Physicians’ Organization
  • Upstate Family Health Center, Inc.

The post Class Action Lawsuits Filed Over HealthEC Data Breach appeared first on HIPAA Journal.

Michigan Attorney General Calls for New Data Breach Notification Law

Michigan Attorney General Dana Nessel has called for legislative changes to hold companies in the state more accountable for data breaches after Corewell Health failed to disclose a data breach promptly. Corewell Health has been affected by two massive data breaches this year, both of which occurred at vendors and affected more than a million Corewell Health patients. The first breach occurred at Corewell Health vendor Welltok, which had data stolen in May when the Clop hacking group exploited a vulnerability in Progress Software’s MOVEit Transfer solution. Corewell Health patients were notified about the breach on December 1, 2023, more than 6 months after the breach occurred.

Michigan Attorney General, Dana Nessel

AG Nessel’s comments came in response to a second such breach, which occurred at HealthEC, a vendor used by Corewell Health for analyzing patient data. HealthEC discovered the breach in July 2023 and notified Corewell Health in October that the data of its patients had been compromised. AG Nessel explained that the state department responsible for consumer protection did not hear about the breach until December 27, 2023, more than 5 months after the breach was detected.

It often takes several months for individual data breach notification letters to be issued, but stolen sensitive data can be misused immediately. Individuals need to know quickly that their data has been stolen so they can take steps to protect themselves against identity theft and fraud. In both cases, complimentary credit monitoring and identity theft protection services have been offered, but some of the affected individuals have already fallen victim to identity theft and fraud. Had those individuals been made aware of the breaches sooner, losses could have been prevented. Nessel is advocating for legislation that requires companies to notify the state immediately when a data breach is discovered.

Currently, 34 U.S. states have laws that require the state Attorney General or state agencies to receive timely notifications about data breaches that exceed certain thresholds, but there are no such requirements in Michigan. Without mandatory data breach reporting to improve transparency, there is little the state can do regarding enforcement.

“What we would like to be able to do is to say, ‘You know, look, if you don’t properly secure and store data, or if you don’t report a data breach, you’re going to be subjected to significant fines.’ That’s what they do in other states, but not here in Michigan,” said Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection.”

Regarding data security failures that result in data breaches, Michigan could take action and fine companies that are discovered to have violated the Health Insurance Portability and Accountability Act. Several state Attorneys General have imposed financial penalties for HIPAA violations, including Connecticut, Indiana, Massachusetts, Minnesota, New York, and New Jersey.


Transformative Healthcare Sued Over Fallon Ambulance Service Data Breach

Transformative Healthcare is facing legal action over a recently disclosed data breach that affected 911,757 patients of the Fallon Ambulance Service. The lawsuit also names Coastal Medical Transportation Systems, LLC, as a defendant. Coastal Medical Transportation Systems acquired Fallon Ambulance Service in September 2022, although the breached data was an archived copy of data from before the acquisition.

The lawsuit – Daniel Durgin v. Transformative Healthcare, LLC, and Coastal Medical Transportation Systems, LLC – was filed in the U.S. District Court for the District of Massachusetts on January 18, 2023, on behalf of Daniel Durgin, who received emergency medical transportation from the Fallon Ambulance Service before it ceased operations in December 2022. The lawsuit alleges the defendants should have known how to keep sensitive data protected, yet failed to implement reasonable and appropriate cybersecurity measures and comply with industry security standards, which allowed hackers to gain access to the plaintiff’s and class members’ sensitive data.

The lawsuit claims the plaintiff and class have incurred costs and expenses associated with the time spent mitigating the consequences of the data breach, including checking credit reports for signs of misuse of their data, purchasing credit monitoring services, and dealing with withdrawal and purchase limits on their accounts, as well as the loss of property value of their personal information and the stress, nuisance, and aggravation of having to deal with the issues caused by the data breach.

The plaintiff and class assert claims of negligence, breach of implied contract, unjust enrichment/quasi-contract, and breach of fiduciary duty. The lawsuit seeks class-action status, a jury trial, monetary and statutory damages, and injunctive relief.

The plaintiff and class are represented by David Pastor of Pastor Law Office, PC, and Nicholas A. Migliaccio and Jason Rathod of Migliaccio & Rathod LLP.

January 2, 2024: More Than 911,000 Individuals Affected by Fallon Ambulance Service Data Breach

Legal counsel for Transformative Healthcare, a Newton, MA-based medical transportation and logistics company, has notified the HHS’ Office for Civil Rights about a data breach that has affected 911,757 individuals. The data breach affected individuals who had previously received services from the Fallon Ambulance Service, the Massachusetts medical transportation arm of Transformative Healthcare. Fallon responded to patient emergencies in the greater Boston area and provided administrative services for affiliated medical transportation companies.

In September 2022, Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems, and it ceased business operations in December 2022. In order to comply with legal data retention requirements, Transformative Healthcare retained an archived copy of data that was previously stored on Fallon’s computer systems. On or around April 21, 2023, Transformative Healthcare detected unauthorized activity in its archive environment. Prompt action was taken to prevent further unauthorized access, and an investigation was launched to determine the extent of the breach. The forensic investigation confirmed that an unauthorized third party gained access to the archive on February 17, 2023, and retained access to the archive environment until April 22, 2023. During that time, files were copied from the archive.

The affected files were reviewed, and that process was completed on December 27, 2023, when it was confirmed that the files contained names, addresses, Social Security numbers, medical information including COVID-19 testing/vaccination information, and information provided to Fallon in connection with employment or applications for employment.

While data was removed from the archive, neither Fallon nor Transformative Healthcare has found any evidence to indicate misuse of the data. Affected patients were notified by mail on December 27, 2023, and credit monitoring and identity theft protection services are being offered to the affected individuals.


What is an OIG Corporate Integrity Agreement?

An OIG Corporate Integrity Agreement in healthcare is a contract between the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and an organization that has violated a fraud and abuse law; it outlines the organization’s future compliance obligations. The OIG Corporate Integrity Agreement is often part of a civil settlement for violating a fraud and abuse law, and accepting it prevents the organization from being added to the HHS OIG Exclusions List.

HHS OIG investigates cases of potential fraud and misconduct related to HHS programs, operations, and beneficiaries. When violations of a fraud and abuse law (e.g., the False Claims Act, the Stark Law, or the Anti-Kickback Statute) are identified, HHS OIG has the authority to pursue a criminal prosecution, a civil prosecution, and/or administrative penalties such as license penalties, revocation of billing privileges, or exclusion from Medicare, Medicaid, and other federal health care programs.

When a civil prosecution results in a civil monetary penalty (or settlement) AND exclusion from federal health care programs, organizations may be offered the option of accepting an OIG Corporate Integrity Agreement depending on the nature of the violation and the organization’s previous compliance record. The OIG Corporate Integrity Agreement will outline what measures and practices the organization will be expected to implement and comply with over the following five years.

Being offered an OIG Corporate Integrity Agreement can be a lifeline for organizations that would otherwise cease to trade if they were excluded from federal health care programs. However, if an organization fails to comply with the terms of the OIG Corporate Integrity Agreement, the amount of the original civil monetary penalty can be increased, new civil monetary penalties can be imposed (“Stipulated Penalties”), and the organization will be added to the HHS OIG Exclusions List.

What an OIG Corporate Integrity Agreement Consists Of

OIG Corporate Integrity Agreements are tailored to address the cause(s) of the original investigation and any further compliance shortcomings identified during the OIG investigation. They may also take into account elements of an existing compliance program (e.g., a program to comply with HIPAA). While each OIG Corporate Integrity Agreement may be unique, many share common core elements. These include:

  • Hire a compliance officer (rather than designate the role to an existing employee).
  • Appoint a compliance committee under the governance of the compliance officer.
  • Develop written policies and procedures for issues noted in the Agreement.
  • Implement a comprehensive training program for all members of the workforce.
  • Retain an Independent Review Organization to conduct annual compliance reviews.
  • Establish a confidential disclosure program to facilitate internal whistleblowing.
  • Check each existing and new hire against the HHS OIG Exclusion List.
  • Report overpayments, reportable events, and ongoing investigations/legal proceedings.
  • Provide an Agreement implementation report and annual compliance reports to OIG.

With regard to retaining an Independent Review Organization (IRO), because each OIG Corporate Integrity Agreement is unique, there is no one-size-fits-all IRO. It may also be the case that more than one IRO is necessary if the requirements of the Agreement require an organization to retain (for example) experts in Medicare and State Medicaid programs, AND experts in the HIPAA Part 162 coding requirements, AND licensed healthcare professionals with specialized expertise.

The necessary qualifications for an IRO will be outlined in the OIG Corporate Integrity Agreement. Once they enter into an OIG Corporate Integrity Agreement, organizations usually have 30 days to retain an IRO and send the details to HHS OIG, which reviews the IRO’s qualifications and either approves the IRO or requests that the organization terminate its relationship with the existing IRO and retain a new one. HHS OIG has published guidance on IRO independence and objectivity.

The Different Types of OIG Integrity Agreements

There are three types of OIG Integrity Agreements: the OIG Corporate Integrity Agreement described above; an OIG Integrity Agreement for individual practitioners, small group practices, and small providers, which is less comprehensive than a Corporate Agreement; and an OIG Quality of Care Integrity Agreement, used when a civil investigation and prosecution has found evidence of fraud that has impacted the quality of patient care.

In this third type of OIG Integrity Agreement, the organization will be required to retain an IRO with clinical expertise to perform relevant quality-related reviews in addition to an IRO with the qualifications to perform compliance-related reviews. In most cases, the IRO with clinical expertise will review the organization’s delivery of care and evaluate the organization’s ability to prevent, detect, and respond to patient care problems. The IRO’s review may also require peer reviewing.

The Difference between OIG CIAs and HHS CAPs

The difference between OIG Corporate Integrity Agreements (CIAs) and HHS Corrective Action Plans (CAPs) is that OIG CIAs most often form part of an investigation settlement that includes a civil monetary penalty, whereas a CAP is most often imposed by the Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) in lieu of a civil monetary penalty. In addition, while an OIG CIA usually runs for five years, an HHS CAP is often concluded within a year.

If you are concerned that your organization – or someone within your organization – may be in violation of a fraud and abuse law or failing to comply with an HHS healthcare regulation, it is best to seek professional compliance advice. If you are a member of a healthcare organization’s workforce, you can also raise your concerns with your organization’s compliance officer, or contact HHS directly via the HHS OIG fraud hotline, the HHS OCR Complaint Portal, or the HHS CMS Complaint Service.
