St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid a $80,000 financial penalty to resolve the alleged HIPAA violations.
The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purposes of treatment, payment, and healthcare operations, but other disclosures of PHI are generally prohibited unless authorization is obtained from the patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, following the publication of an article by a reporter from the Associated Press (AP). Based on the information in the article, it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.
The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.
St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.
“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”
Disclosures of PHI in Response to Media Inquiries
When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits a covered entity to confirm a patient’s general condition and location in the facility to individuals who inquire about that patient.
In such cases, disclosure of PHI is permitted only if it is consistent with the patient’s wishes and the inquirer asks for the patient by name. All that can be disclosed is “facility directory information”: the patient’s name, the patient’s location within the facility, provided the location does not reveal information about the patient’s treatment (e.g., labor & delivery), and the patient’s condition described in general terms (i.e., stable, fair, or critical). All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.
The post St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter appeared first on HIPAA Journal.
IT Security Company COO Pleads Guilty to Conducting Cyberattack to Win Business
The Chief Operating Officer (COO) of the Atlanta cybersecurity firm Securolytics has pled guilty to one count of intentional damage to a protected computer after masterminding a series of attacks on Gwinnett Medical Center in Georgia in an attempt to win new business.
Vikas Singla was indicted by a federal grand jury on June 8, 2021, for a series of attacks on Gwinnett Medical Center in Duluth and Lawrenceville, GA. The September 2018 attacks disrupted the medical center’s phone and network printer services, data was stolen from a Hologic R2 digitizing device, and the attacks resulted in damage to 10 protected computers. According to the indictment, Singla was aided and abetted by other (unnamed) individuals in attacks that were conducted for financial gain and commercial advantage. Singla was charged with 17 counts of causing damage to a protected computer and one count of information theft, and faced a maximum jail term of 10 years for each of the counts of damaging a protected computer and a maximum of 5 years in jail for the data theft count. Singla initially entered a not guilty plea and was released on bond while he awaited trial. An Atlanta magistrate judge recommended dismissing the criminal charges against Singla; however, in March 2023, a federal judge rejected that recommendation. Singla’s attorneys then negotiated a plea deal under which Singla would agree to plead guilty to one count of intentional damage to a protected computer.
Singla admitted to sending a command on September 27, 2018, that resulted in the modification of a configuration template on the ASCOM phone system of the Gwinnett Medical Center campus in Duluth. The command rendered all phones connected to the system at the time of the transmission inoperable, and more than 200 ASCOM handset devices were taken offline. The phone system was used internally by doctors, nurses, and other staff members for communication, including code blue emergencies, and the ASCOM devices were also used for external communications.
Also on September 27, 2023, the protected health information of 300 patients was stolen from a password-protected Hologic R2 digitizing device, including names, dates of birth, and gender. The same day, Singla sent a command to more than 200 network printers, which caused them to print out patient data obtained from the digitizer, along with the message “WE OWN YOU.” The printers were used by the hospitals in connection with patient care.
A few days after the attack, Singla caused a Twitter account to post 43 messages claiming that the Medical Center had suffered a cyberattack, with each of those messages containing the name, date of birth, and sex of a patient obtained from the digitizing device. In the days that followed, Singla attempted to create and use publicity about the attack to generate business for his company and emailed several potential clients offering them the services of Securolytics. The attacks resulted in financial harm of $817,804.12 to Gwinnett Medical Center.
According to Singla’s attorneys, incarcerating him would interfere with medical care for a rare case of terminal cancer and a dangerous vascular condition. Under the plea deal, the Department of Justice will recommend 57 months of probation, which will include home detention, and Singla has agreed to pay restitution of $817,804.12 to the medical center. By accepting the plea deal, Singla has given up his right to enter a not guilty plea and have a jury trial. The judge can impose a maximum term of 10 years imprisonment for the count of causing damage to a protected computer, followed by up to 3 years of supervised release. In addition, a fine of up to twice the loss can be imposed on top of full restitution.
Singla is due to be sentenced on February 15, 2024.
The post IT Security Company COO Pleads Guilty to Conducting Cyberattack to Win Business appeared first on HIPAA Journal.