Cyberattacks Suffered by First Choice Community Healthcare and Arlington Skin

First Choice Community Healthcare, located in Albuquerque, NM, has begun notifying a number of patients that an unauthorized person gained access to its network and may have stolen patient information. In a substitute breach notice, First Choice explained that it detected suspicious activity on its IT systems on March 27, 2022. A third-party cybersecurity firm was engaged to conduct a forensic investigation and determine the nature and scope of the incident. Although the investigation could not confirm that the intruder accessed or exfiltrated any files, the possibility could not be ruled out.

A comprehensive review of the affected files was completed on June 3, 2022, and confirmed that the following data may have been compromised: names, First Choice patient ID numbers, dates of birth, Social Security numbers, diagnoses, clinical treatment information, prescription medications, dates of service, health insurance details, patient account numbers, medical record numbers, and provider information. Affected individuals were notified by mail on August 1, 2022 and offered complimentary identity theft protection services through IDX.

The breach has not yet been posted on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

17,468 Arlington Skin Patients Informed About Electronic Medical Records Breach

The Virginia dermatology practice of Dr. Michelle A. Rivera, MD, which does business as Arlington Skin, has begun notifying 17,468 patients that their protected health information (PHI) may have been accessed by unauthorized individuals during a security breach at Virtual Private Network Solutions (VPN Solutions), a business associate.

VPN Solutions hosts the electronic medical records of Arlington Skin patients using the Allscripts practice management and electronic medical records system. VPN Solutions identified the cyberattack on or around October 31, 2021. According to the forensic investigation, the attack may have exposed the following data: names, addresses, dates of birth, diagnostic and treatment information, health insurance information, and Social Security numbers.

Arlington Skin began mailing notification letters to affected individuals on July 8, 2022. No evidence of data theft was found; however, as a precaution, fraud assistance and remediation services were offered to affected individuals through CyberScout.

Ransomware Attack at Mailing Vendor Affected 326,278 Aetna ACE Members

The health insurer Aetna ACE recently announced that it was affected by a ransomware attack on a mailing vendor that resulted in the exposure of the protected health information (PHI) of 326,278 plan members. Aetna stated that the breach only affected individuals insured through Aetna ACE and did not involve any PHI of individuals served by CVS Health or Aetna.

The ransomware attack hit OneTouchPoint, which provides printing and mailing services to U.S. organizations, including billing providers used by healthcare companies. OneTouchPoint is given access to contact details and certain other data types in order to deliver its contracted services. On April 28, 2022, OneTouchPoint discovered that files on its systems had been encrypted. The unauthorized access occurred a day earlier, on April 27, 2022.

Third-party cybersecurity experts were engaged to investigate the breach. The investigation concluded on June 1, 2022, but it was not possible to determine which specific files had been exfiltrated from the network. Affected customers were notified on June 3, 2022, and OneTouchPoint is still determining which customers’ data may have been accessed or stolen. The compromised and potentially stolen information may have included names, addresses, dates of birth, member IDs, and some medical information.

OneTouchPoint stated that it offered to mail notification letters to all affected individuals; however, some of its clients chose to self-report the breach and send the letters themselves. OneTouchPoint has submitted a breach report to the Maine Attorney General on behalf of 30 health plans, stating that 1,073,316 individuals were affected. Aetna ACE chose to self-report the breach. Other health plans affected by the ransomware attack on OneTouchPoint include Anthem, Kaiser Permanente, Humana, Health First, Geisinger, UPMC Health Plan, Blue Cross and Blue Shield of Alabama, Blue Shield of California Promise Health, and other Blue Cross Blue Shield affiliated health plans.

This is not the first time Aetna ACE has experienced a data breach at a business associate. A 2020 phishing attack on the vendor EyeMed exposed the PHI of 484,157 Aetna ACE plan members. An EyeMed employee responded to a phishing email, giving unauthorized individuals access to email accounts containing the PHI of 2.1 million people. EyeMed paid a $600,000 penalty to the New York State Attorney General for the security failures that led to the breach.

Aetna also experienced a mailing-related breach in 2017 that affected 12,000 individuals. In that case, a mailing was sent to members informing them of the options available for filling prescriptions for their HIV medications. Window envelopes were used, so details of the HIV medication were visible and anyone who saw the envelope could tell that the recipient was being treated for HIV or was taking HIV medication to prevent infection. State attorneys general investigated Aetna over the mailing, and Aetna paid more than $2,725,000 in penalties to settle those cases. The HHS’ Office for Civil Rights additionally imposed a $1,000,000 penalty, and Aetna settled a class action lawsuit for $17 million.

IBM Report Reveals Record High $10.1 Million Average Cost of a Healthcare Data Breach

IBM’s 2022 Cost of a Data Breach Report reveals that, for the first time, the average cost of a healthcare data breach has reached double digits, at $10.1 million. That is 9.4% higher than in 2021 and 41.6% higher than in 2020. Across all industries, the average cost of a data breach rose 2.6% year over year to $4.35 million, the highest figure in the 17-year history of the report and 12.7% higher than in 2020.

For the report, IBM Security studied 550 organizations across 17 countries and regions and 17 industries that experienced data breaches between March 2021 and March 2022. More than 3,600 interviews were conducted with individuals at those organizations. 83% of the organizations studied had experienced more than one data breach, and 60% said the breach led them to raise the prices of their products and services.

Overview of Data Breach Costs in 2022

  • $4.35 million – Global average cost of a data breach
  • $164 – Global average cost per breached record
  • $9.44 million – Average cost of a data breach in the U.S.
  • $10.1 million – Average cost of a healthcare data breach
  • $49 million – Average cost of a 1 million record data breach
  • $387 million – Average cost of a 50–60 million record data breach
  • $4.54 million – Average cost of a ransomware attack
  • $4.91 million – Average cost of a breach with phishing as the initial attack vector

For the first time, detection and escalation was the largest component of breach costs in 2022, at $1.44 million, up from $1.24 million in 2021. It overtook lost business, which averaged $1.42 million in 2022, down from $1.59 million in 2021. Post-breach response costs rose slightly to $1.18 million from $1.14 million in 2021, and notification costs rose to $0.31 million from $0.27 million.

On average, 52% of breach costs are incurred in the first year, 29% in the second year, and 19% more than two years after the breach. In highly regulated industries such as healthcare, a larger share of the costs accrues later: 45% in the first year, 31% in the second year, and 24% after the second year, which the report attributes to regulatory and legal expenses.

The report examined the various initial attack vectors and found that the most common entry point was the use of stolen or compromised credentials (19% of all breaches), with an average breach cost of $4.5 million. Phishing accounted for 16% of breaches and was the costliest vector, with an average cost of $4.91 million. Business email compromise attacks accounted for 6% of breaches, with an average cost of $4.89 million. Cloud misconfigurations were responsible for 15% of breaches, with an average cost of $4.14 million. Finally, vulnerabilities in third-party software accounted for 13% of breaches, with an average cost of $4.55 million per breach.

In 2022, the average time to identify a data breach was 207 days, down from 212 days in 2021, and the average total breach lifecycle (time to identify plus time to contain) was 277 days, down from 287 days in 2021. A shorter breach lifecycle means a lower breach cost: breaches with a lifecycle of under 200 days cost 26.5% ($1.12 million) less on average than breaches with a lifecycle of more than 200 days.

One of the most important steps for improving security is adopting a zero trust approach, yet 59% of organizations had not implemented zero trust, and around 80% of critical infrastructure organizations had not yet adopted a zero trust strategy. The average breach cost for critical infrastructure organizations without zero trust was $5.4 million, $1.17 million more than for those that had implemented zero trust.


PHI Exposed in Data Breaches at Clinivate, Kaiser Permanente, and McLaren Port Huron Hospital

Clinivate Reports Compromise of 77,652 Records

Clinivate, a Pasadena, CA-based provider of EHR solutions for behavioral health centers and schools, has provided an update on the data breach it reported to the HHS’ Office for Civil Rights on June 2, 2022.

According to a breach notification submitted to the California Attorney General, suspicious activity was detected on its systems on March 23, 2022. A forensic investigation confirmed that an unauthorized third party had accessed its network. On May 25, 2022, it was confirmed that the files accessed by that third party between March 12, 2022 and March 21, 2022 contained protected health information (PHI).

The files contained the PHI of 77,652 individuals, including names, health plan beneficiary numbers, medical record numbers, treatment information, diagnosis information, other medical information, and information about payments for healthcare services.

Clinivate has notified affected individuals and said it has implemented additional safeguards to prevent further breaches.

McLaren Port Huron Hospital Announces Compromise of PHI of 49,000 Individuals in MCG Health Cyberattack

McLaren Port Huron Hospital has announced that the PHI of a number of its patients was exposed in a cyberattack on a former business associate, MCG Health. MCG Health provides patient care guidelines to numerous health plans and around 2,600 hospitals in the United States. On March 25, 2022, MCG Health discovered that an unauthorized third party had obtained data from its systems, including names, medical codes, Social Security numbers, postal addresses, telephone numbers, email addresses, dates of birth, and gender. Many MCG Health clients were affected by the breach.

McLaren Port Huron Hospital said it was notified of the breach on June 9, 2022. Because of the late notification, it has not been able to conduct its own investigation to determine whether patient information was actually exposed, but it has sent notifications to all affected individuals to advise them that their PHI may have been stolen. McLaren Port Huron Hospital stopped using MCG Health in 2019.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 48,957 McLaren Port Huron Hospital patients. Affected individuals have been offered complimentary identity theft protection and credit monitoring services for 24 months.

Kaiser Permanente Reports Stealing of iPad With PHI

Kaiser Permanente has begun notifying certain individuals about the theft of an iPad containing their protected health information. The iPad was kept in a locked storage area at the Kaiser Permanente Los Angeles Medical Center. An unknown individual broke into the storage area and stole the iPad, and also obtained the password needed to access the device.

The device was used at a Kaiser Permanente COVID-19 testing site and contained photographs of COVID-19 specimen labels and PHI, including names, medical record numbers, dates of birth, and dates and locations of service. The theft was discovered the same day, and Kaiser Permanente remotely wiped the device, including all photographs.

Kaiser Permanente said it has moved devices containing PHI to a more secure location and has strengthened its internal policies and procedures. Kaiser Permanente stated that the iPad contained the PHI of approximately 75,000 health plan members.


Cloud Security Alliance Issues Third Party Vendor Risk Management Guidance for Healthcare Companies

Cyber attackers are increasingly targeting business associates of HIPAA-covered entities because a single compromised vendor can provide access to the systems of many healthcare organizations. To help healthcare delivery organizations (HDOs) address this risk, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases, along with details of some of the risk management program resources that HDOs can use.

Third-party vendors provide valuable services to HDOs, including services that cannot be delivered efficiently in-house; however, using vendors introduces cybersecurity, compliance, reputational, operational, privacy, strategic, and financial risks that must be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with third-party vendors in order to prevent security incidents and data breaches and to reduce their severity.

Cyberattacks on vendors that serve the healthcare sector have increased in recent years. Rather than targeting an HDO directly, a threat actor may attack a vendor to obtain sensitive data or to abuse the vendor’s privileged access to an HDO’s systems. For example, a successful attack on a managed service provider (MSP) lets the attacker reach the systems of all of the MSP’s clients by exploiting the MSP’s privileged access to their networks. This is attractive to an attacker because it removes the need to compromise each client’s systems individually.

Whenever third-party vendors are used, the attack surface grows considerably, and managing and reducing that risk is often a challenge. Although third-party vendors are used in every industry, third-party security risks are most prevalent in healthcare. The CSA attributes this to a lack of automation, heavy reliance on digital applications and medical devices, and incompletely deployed critical vendor management controls. Because healthcare organizations typically use a large number of vendors, performing thorough and accurate risk assessments for every vendor and applying critical vendor management controls can be a very labor-intensive and expensive process.

Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group, stated that Healthcare Delivery Organizations put their trust in third-party vendors for the security of their sensitive information, finances, reputation, and more. Considering the value of this crucial, sensitive information, along with regulatory and compliance demands, it is very important to recognize, evaluate, and minimize third-party cyber risks. The paper provides an overview of third-party vendor challenges in healthcare along with recommended identification, discovery, response, and mitigation tactics.

When an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are put in place. However, the volume of third-party and vendor-related data breaches makes it clear that many healthcare organizations struggle to identify, protect against, detect, respond to, and recover from these incidents, which indicates that current approaches to assessing and managing vendor risk are falling short. These failures can have a significant financial impact, not only in terms of breach remediation costs but also through regulatory penalties from the HHS’ Office for Civil Rights and state Attorneys General. There is also a substantial risk of lasting reputational damage.

The CSA makes several recommendations in the paper, including adopting the NIST Cybersecurity Framework for assessing, measuring, and monitoring third-party risk. The NIST Framework is primarily focused on cybersecurity, but the same principles can be applied to measuring other kinds of risk. The core functions of the framework are Identify, Protect, Detect, Respond, and Recover. Using the framework, HDOs can identify their vendors, know what data is shared with each, prioritize vendors by level of risk, apply safeguards to protect critical services, ensure monitoring controls are in place to detect security incidents, and develop a plan for responding to and recovering from a breach.

BJC HealthCare Settles Data Breach Lawsuit Arising from 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit that alleged it failed to adequately protect patient data from phishing attacks. On May 5, 2020, the St. Louis-based nonprofit hospital system reported an email breach that affected 287,876 individuals. The investigation confirmed that three email accounts were compromised in March 2020 after employees responded to phishing emails. Although data theft could not be confirmed, the affected email accounts contained the protected health information (PHI) of patients of 19 of its hospitals. The types of information potentially compromised included names, dates of birth, health insurance information, driver’s license numbers, Social Security numbers, and healthcare information.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, initially alleged 10 counts against the defendants and survived two motions to dismiss, with 8 of the 10 counts allowed to proceed:

  • breach of contract
  • unjust enrichment
  • negligence
  • negligence per se
  • vicarious liability
  • breach of the covenant of good faith and fair dealing
  • violations of the Missouri Merchandising Practices Act (MMPA) and the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA)

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will fund claims from affected individuals of up to $5,000 each. Each affected individual may submit a claim for ordinary and extraordinary expenses incurred as a result of the breach.

Claims may be submitted for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 may be submitted for extraordinary expenses, such as documented monetary losses and up to three additional hours of lost time at $20 per hour. BJC HealthCare has also agreed to provide two years of complimentary identity theft protection and credit monitoring services. The named plaintiffs will each receive approximately $2,000, and BJC HealthCare will cover the plaintiffs’ legal costs. BJC HealthCare has additionally committed $2.7 million to implementing multi-factor authentication on its email accounts to improve protection against phishing attacks.

Claims must be submitted by Dec. 14, 2022. The final approval hearing for the settlement is scheduled for Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was listed as affecting 500 individuals, a placeholder commonly used until the exact number of affected individuals has been determined. The breach occurred two months earlier.

FTC to Enforce Laws that Prevent the Illegal Use and Disclosure of Location and Sensitive Health Information

The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict how HIPAA-covered entities and their business associates may use and disclose health information. The Federal Trade Commission (FTC) polices entities not covered by HIPAA, pursuing privacy violations and unlawful uses and disclosures of sensitive consumer data. The FTC recently announced that it will fully enforce the law to stop the illegal use and disclosure of highly sensitive information.

A person’s precise location and information about their health are common types of sensitive data collected by connected devices and software such as smartphone apps, fitness trackers, and browsers. This data is then combined with other information, monetized, and sold to third parties, often without the knowledge of the people it describes.

Kristin Cohen, Acting Associate Director of the FTC’s Division of Privacy & Identity Protection, said that highly personal information that people would not want to share even with family, co-workers, or friends is being disclosed to complete strangers, who often use shadowy ad tech and data broker systems to profit from sharing that data at an unprecedented scale.

Connected devices can collect location data even when they are not in use. Information about where a person works, sleeps, socializes, worships, and attends medical appointments can all be gathered. Although many people are willing to share their location to get real-time, crowd-sourced directions for the fastest route home, they would likely not want their online identity linked to how often they visit a doctor or therapist. Once a company has collected such information, consumers usually have no way of knowing who holds it or how it is used. After collection, the data enters a large and complex marketplace of sellers, buyers, and sharers.

Since the Supreme Court ruling that overturned Roe v. Wade, data collection and sharing practices have come under increased scrutiny because of the potential for collected location data and information relating to reproductive health, including that of people considering abortion, to be misused.

Cohen cited a 2017 case against Copley Advertising, LLC over its use of geofencing technology to identify people entering a digital perimeter around an abortion clinic; those individuals were then targeted with ads about alternatives to abortion. The FTC also recently settled a case against Flo Health over its disclosure of sensitive information about users of its period and fertility tracking app, after the company failed to keep the data private and confidential as it had promised.

Cohen stated that the misuse of location and health information puts consumers at risk. They could suffer harm from phishing attacks, physical and emotional injury, extortion, stigma, discrimination, and mental anguish.

Cohen said the FTC will use the full range of its legal authority to protect consumer privacy and will enforce the law against those who illegally exploit the location, health, or other sensitive information of Americans.

The FTC will enforce laws including the FTC Act, which prohibits unfair and deceptive trade practices, as well as the Safeguards Rule, the Children’s Online Privacy Protection Rule, and the Health Breach Notification Rule.

The FTC will also pursue organizations that claim to anonymize or aggregate consumer information but do so only as a pretense; such claims violate the FTC Act. The FTC has already taken action against companies that use location information without consent, improperly collect and retain sensitive data, and fail to honor individuals’ requests to delete sensitive data.

OCR Issued 11 More Financial Penalties Due to HIPAA Right of Access Violations

The Department of Health and Human Services’ Office for Civil Rights has reminded healthcare organizations of the importance of complying with the HIPAA Right of Access and announced 11 new financial penalties for HIPAA-covered entities that failed to provide patients with timely access to their medical records. With the latest batch of enforcement actions, 38 financial penalties have now been imposed under the HIPAA Right of Access enforcement initiative.

The HIPAA Right of Access gives individuals the right to inspect the protected health information (PHI) held about them by a HIPAA-covered entity, check it for errors, and request that any errors be corrected. Individuals may also request a copy of their PHI from healthcare providers and health plans. The provider must supply the requested copy in full within 30 days of the request; in limited circumstances, a single 30-day extension is permitted. Requests may be submitted by patients or their personal representatives, and parents and legal guardians may obtain copies of a minor’s records. An individual requesting a copy of their records may only be charged a reasonable, cost-based fee. The records must be provided in the format requested by the individual, provided the HIPAA-covered entity is able to readily produce them in that format.

OCR launched its HIPAA Right of Access enforcement initiative in 2019 in response to widespread non-compliance with this right. Healthcare providers should note that there have now been 38 enforcement actions under the initiative, and that OCR is serious about upholding the right of individuals to timely access to their health records.

Penalties of the HIPAA Right of Access

All of the latest penalties were imposed for failing to provide timely access to an individual’s health records, rather than for charging unreasonable fees. All but one of the cases were settled with OCR, with the covered entities agreeing to adopt a corrective action plan to address the non-compliance and prevent further violations.

ACPM Podiatry refused to cooperate with OCR’s requests and was therefore issued a civil monetary penalty. A former patient requested a copy of his medical records and, on April 8, 2019, complained to OCR that ACPM had refused to provide them. OCR provided technical assistance to ACPM on April 18, 2019, explaining that the records must be provided under HIPAA. ACPM still did not provide the records, and the patient filed a second complaint with OCR a month later.

OCR’s investigation found that the records had been withheld because the complainant’s insurer had not paid the bill, even though the complainant needed the records in order to appeal the insurer’s denial. Although OCR and ACPM Podiatry were in communication, ACPM did not respond to OCR’s data requests, to the Letter of Opportunity inviting it to submit evidence of mitigating factors, or to OCR’s notice of proposed determination of a financial penalty, so a civil monetary penalty was imposed.

Three of the enforcement actions involved a HIPAA-covered entity failing to provide a patient’s personal representative with a copy of the requested records. Two cases involved providers refusing to release a patient’s medical records because of unpaid medical bills. A patient’s right to a copy of their health records is not conditional on whether their bills have been paid in full.

The list of financial penalties is as follows:

1. ACPM Podiatry – Civil Monetary Penalty of $100,000 for untimely access to records
2. Memorial Hermann Health System – Settlement of $240,000 for untimely access to records (complete records not given for 564 days from the initial request)
3. Southwest Surgical Associates – Settlement of $65,000 for untimely access – records given after 13 months
4. Hillcrest Nursing and Rehabilitation – Settlement of $55,000 for untimely access – records not given to a personal representative for 7 months
5. MelroseWakefield Healthcare – Settlement of $55,000 for untimely access – not giving the records to the nominated representative of the patient for 4 months
6. Erie County Medical Center Corporation – Settlement of $50,000 for untimely access – not giving the requested records to a nominated representative of the patient
7. Fallbrook Family Health Center – Settlement of $30,000 for untimely access – unspecified delay in giving the requested records
8. Associated Retina Specialists – Settlement of $22,500 for untimely access – inability to give the patient the records for 5 months
9. Coastal Ear, Nose, and Throat – Settlement of $20,000 for untimely access – inability to give the patient the records for 5 months
10. Lawrence Bell, Jr., D.D.S. – Settlement of $5,000 for untimely access – failure to provide the patient with records for over 3 months
11. Danbury Psychiatric Consultants – Settlement of $3,500 for untimely access – denied the records for 6 months because of the patient’s outstanding medical costs

OCR has now imposed 122 financial penalties on HIPAA-regulated entities to resolve HIPAA violations since 2008. With the latest batch of penalties, 16 financial penalties have been imposed in 2022, two more than in all of 2021.


Data Brokers and Health Apps Investigated Because of Privacy Practices

The House Committee on Oversight and Reform has announced an investigation into how data brokers and health app providers collect and sell individuals’ personal reproductive health information. The investigation was prompted by the Supreme Court decision overturning Roe v. Wade, as committee members are concerned that the personal information of people receiving reproductive healthcare services could be misused.

Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, Rep. Raja Krishnamoorthi, Chairman of the Subcommittee on Economic and Consumer Policy, and Rep. Sara Jacobs sent letters to five data brokers (including Digital Envoy, SafeGraph, Babel Street, and Gravy Analytics) and five health app providers (Flo Health, BioWink, Digitalchemy Ventures, Glow, and GP International) requesting documents on how personal reproductive health data is collected and sold.

Vast amounts of personal information are being collected and sold, often without individuals’ knowledge. The data is used to serve targeted advertising and for other purposes. There is concern that the collection and sale of this data could endanger the health, safety, and privacy of U.S. citizens and healthcare providers.

The collection of sensitive information poses serious risks to people seeking reproductive care and to those who provide it, not only through invasive government surveillance but also by exposing them to harassment, intimidation, or violence. Location data collected from mobile phones could be used to identify individuals seeking care at clinics, and search and chat histories mentioning clinics or medications leave digital breadcrumbs that reveal an interest in abortion.

The Committee Members cited a research study published in JMIR entitled “Privacy, Data Sharing, and Data Security Policies of Women’s mHealth Apps: Scoping Review and Content Analysis,” which found that 20 of the 23 most popular women’s health applications, including reproductive health applications, were sharing user information with third parties, although only 52% of those applications obtained permission from users. The study found that many women’s mHealth applications had poor data privacy, sharing, and security practices.

Information from health applications, particularly period trackers, could be used to identify women who have had abortions. Data brokers have been found to sell users’ location information, including the location data of people who visited healthcare clinics offering abortions. Google recently announced that it will further strengthen privacy protections by automatically deleting location information in Google accounts tied to visits to healthcare providers that offer sensitive services; however, Google is not the only provider that logs location information.

The data brokers and health application companies have until July 21, 2022 to answer and give the requested information.

Patient Data Breach at VCU Health and Cheyenne Regional Medical Center

Virginia Commonwealth University Health System (VCU Health) detected a long-running privacy violation that may have begun on January 4, 2006. According to the substitute breach notification posted on the VCU Health website, transplant donor data was included in the health records of a number of transplant recipients, and transplant recipient data was likewise included in the medical records of transplant donors.

Whenever transplant recipients, donors, or their representatives signed into the patient portal to view their medical records, they could have seen the other party's donor/recipient data. The data may also have been provided to persons who requested a copy of their health records. In every case, the compromised data was not available to the public, only to specific transplant recipients and donors.

VCU Health detected the privacy breach on February 7, 2022. The following investigation confirmed that more data might also have been accessible, including names, laboratory data, date(s) of service, medical record numbers, Social Security numbers, and/or birth dates.

Impacted persons were notified by mail and offered free credit monitoring services if their Social Security numbers were exposed. Steps have also been taken to enhance privacy protections and prevent similar incidents in the future. VCU Health stated that a total of 4,441 transplant donors and recipients were impacted.

Snooping on Patient Records by Cheyenne Regional Medical Center Employee

Cheyenne Regional Medical Center (CRMC) found that a former employee had been viewing patients' health records without authorization for about two years. The former employee was permitted access to patient records to carry out her job duties but had been viewing patient files for reasons unrelated to her work.

A former co-worker reported the privacy violation after the snooping employee transferred to another department within the medical center. The internal investigation confirmed that the records of around 1,600 patients were accessed without authorization between Aug. 31, 2020 and May 26, 2022.

Gladys Ayokosok, Compliance Director of CRMC, said no evidence was found to suggest that the former employee copied or further disclosed any patient data. Affected persons have been notified of the HIPAA violation by the employee. The following types of data were potentially viewed: names, birth dates, Social Security numbers, medical record numbers, dates of service, diagnoses, and treatment data.

Ayokosok stated that the access went undetected for so long because the former employee had previously worked with the electronic health record vendor. To identify snooping in the future, the IT department has developed an audit report that will let the IT team see whether employees are accessing records an abnormal number of times, determine why employees are accessing patient data, and verify that there is a legitimate reason for viewing patient information.
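As an added illustration of the kind of audit review described above (example code written here, not CRMC's or any EHR vendor's), the following Python script reviews constructed EHR access-log lines and flags both abnormal access volume relative to departmental peers and out-of-unit record views that carry no documented reason. The log format, field names, thresholds, and all user and patient identifiers are assumptions made for the example.

```python
"""Audit-log review for EHR record snooping (added example, constructed data).

Each log line is assumed to have the form
    timestamp,user,department,patient_id,patient_unit,reason
where `reason` is the access justification the user recorded (may be empty).
"""
from collections import Counter
from dataclasses import dataclass
import csv
import io
import statistics

# Constructed sample log: users, departments and patient IDs are fictional.
SAMPLE_LOG = """\
timestamp,user,department,patient_id,patient_unit,reason
2022-05-20T08:01:00,nurse_a,ICU,P1001,ICU,treatment
2022-05-20T08:15:00,nurse_a,ICU,P1002,ICU,treatment
2022-05-20T09:40:00,nurse_a,ICU,P1003,ICU,treatment
2022-05-20T08:05:00,nurse_b,ICU,P1001,ICU,treatment
2022-05-20T10:30:00,nurse_b,ICU,P1004,ICU,treatment
2022-05-20T11:00:00,nurse_b,ICU,P2001,ONC,consult
2022-05-20T07:55:00,clerk_c,ICU,P1001,ICU,billing
2022-05-20T07:58:00,clerk_c,ICU,P2001,ONC,
2022-05-20T08:02:00,clerk_c,ICU,P2002,ONC,
2022-05-20T08:04:00,clerk_c,ICU,P3001,MAT,
2022-05-20T08:06:00,clerk_c,ICU,P3002,MAT,
2022-05-20T08:09:00,clerk_c,ICU,P3003,MAT,
2022-05-20T08:11:00,clerk_c,ICU,P3004,MAT,
2022-05-20T08:13:00,clerk_c,ICU,P3005,MAT,
2022-05-20T08:16:00,clerk_c,ICU,P4001,PED,
2022-05-20T08:18:00,clerk_c,ICU,P4002,PED,
2022-05-20T09:00:00,dr_d,ONC,P2001,ONC,treatment
2022-05-20T09:30:00,dr_d,ONC,P2002,ONC,treatment
"""


@dataclass
class Finding:
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Parse CSV audit lines; an empty reason field stays an empty string."""
    return list(csv.DictReader(io.StringIO(text)))


def daily_volume_outliers(rows: list[dict], min_count: int = 5,
                          factor: float = 3.0) -> dict:
    """Flag (day, user) pairs whose record-open count exceeds an absolute
    floor AND `factor` times the median count of same-department peers that
    day. Peers exclude the user being scored so one heavy user cannot raise
    their own baseline. Thresholds are assumptions for the example."""
    counts = Counter((r["timestamp"][:10], r["user"]) for r in rows)
    dept_of = {r["user"]: r["department"] for r in rows}
    flagged = {}
    for (day, user), n in counts.items():
        peers = [c for (d, u), c in counts.items()
                 if d == day and u != user and dept_of[u] == dept_of[user]]
        if not peers:  # no departmental peers that day: compare with everyone else
            peers = [c for (d, u), c in counts.items() if d == day and u != user]
        baseline = statistics.median(peers) if peers else n
        if n >= min_count and n > factor * baseline:
            flagged[(day, user)] = n
    return flagged


def unexplained_cross_unit(rows: list[dict], min_events: int = 3) -> dict:
    """Count opens of patients outside the user's own unit that carry no
    recorded reason; users at or above `min_events` are returned."""
    per_user = Counter(
        r["user"] for r in rows
        if r["patient_unit"] != r["department"] and not r["reason"].strip())
    return {u: c for u, c in per_user.items() if c >= min_events}


def review(text: str) -> list[Finding]:
    """Run both rules over a log and return the findings for follow-up."""
    rows = parse_log(text)
    findings = []
    for (day, user), n in daily_volume_outliers(rows).items():
        findings.append(Finding(user, "volume", f"{n} records opened on {day}"))
    for user, n in unexplained_cross_unit(rows).items():
        findings.append(Finding(user, "cross_unit",
                                f"{n} out-of-unit record opens with no reason"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.user}: {f.rule}: {f.detail}")
```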

Individuals Affected by Benefit Plan Administrators, The People Concern and Advocates Inc. Security Breaches

Benefit Plan Administrators Inc., based in Roanoke, VA, has recently notified 3,775 people that an unauthorized person gained access to its systems and extracted files containing some of their protected health information (PHI). The breach notification letters do not state exactly when the breach occurred; however, the forensic investigation was completed on March 15, 2022. Affected individuals were sent notification letters on or about June 15.

Benefit Plan Administrators said the files extracted from its systems contained the following types of data: full names, addresses, birth dates, Social Security numbers, gender, claims details, prescription drug data, and health diagnosis/condition data. Four separate breach reports were submitted to the HHS’ Office for Civil Rights. Affected employees include those of Williamson Employment Services, Inc., and Alpha Natural Resources Non-Union VEBA Trust.

No evidence was found to indicate misuse of any of the extracted data. Affected persons were offered free credit monitoring services. Benefit Plan Administrators stated that its IT department has implemented additional security measures to prevent similar incidents in the future.

Email Accounts Breach at The People Concern

The People Concern, a homeless services provider based in Los Angeles, CA, has discovered that an unauthorized third party accessed the email accounts of several of its employees. The accounts contained sensitive data of community members, including birth dates, Social Security numbers, medical insurance details, and medical data relating to care received through its programs.

The security breach was discovered after suspicious activity was observed in the email accounts. The investigation revealed that unauthorized persons accessed the accounts at various times between April 6, 2021 and December 9, 2021.

Because of the breach, The People Concern improved email security measures and offered the affected persons free one-year membership to an identity theft protection and resolution service. It is presently uncertain how many people were affected.

More Individuals Affected by Advocates Inc. 2021 Data Breach

In January 2022, Advocates Inc. based in Framingham, MA began informing people impacted by a cyberattack that compromised its system from September 14, 2021 to September 18, 2021. The incident was at first thought to have impacted 68,236 persons, however, the investigation afterward confirmed that more people were impacted. The analysis of the affected files carried on until June 9, 2022, and more notifications were sent to impacted persons on June 28, 2022. It is presently uncertain how many more people were affected.

PHI Exposed in 3 HIPAA-Covered Entities’ Data Breaches

Texas Tech University Health Sciences Center has announced the compromise of the protected health information (PHI) of 1,290,104 patients because of a data breach that occurred at Eye Care Leaders, its electronic medical record vendor.

Eye Care Leaders said it identified the security breach on Dec. 4, 2021, and shut down the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the findings of the forensic investigation on April 19, 2022. The compromised files contained the following data elements: name, phone numbers, physical address, email, gender, date of birth, driver’s license number, health insurance details, medical record number, appointment data, Social Security number, and medical data related to ophthalmology services. No evidence of data theft has been found.

In the last few weeks, the number of eye care providers identified to have been impacted by the Eye Care Leaders data breach is growing. No less than 23 eye care companies have said they have been affected and the PHI of about 2 million individuals is found to have been exposed.

1.24 Million Baptist Health Individuals’ PHI Potentially Exposed in a Cyberattack

Baptist Health has lately begun sending notifications to patients regarding a cyberattack that was identified on April 20, 2022, that involved malicious code installed on its network. Based on the announcement, an unauthorized individual got access to some Baptist Health systems between March 31 and April 24, 2022. During that time of access, several pieces of information were removed from its systems.

When the breach was discovered, user access was suspended, the compromised systems were taken offline to prevent further unauthorized access, and additional cybersecurity measures were implemented. The portions of the systems that were accessed included the data of patients of Baptist Medical Center in San Antonio and Resolute Health Hospital in New Braunfels, Texas, and contained names, dates of birth, addresses, medical insurance details, health record numbers, dates of service, provider and facility names, chief complaint/reason for visit, consultation procedures and diagnosis data, Social Security numbers, and billing and claims details.

Baptist Health stated it is enhancing its security and monitoring functions to lessen the chance of further data breaches. People have already been alerted and those whose Social Security numbers were possibly compromised have received complimentary credit monitoring and identity protection services.

Baptist Health has submitted the breach report to the HHS’ Office for Civil Rights indicating that 1,243,031 persons were impacted.

Medical Record Breach Reported by Santa Barbara County Department of Behavioral Wellness

The Santa Barbara County Department of Behavioral Wellness in California recently announced that a staff member accessed patients' medical records without authorization. The department detected the unauthorized access on March 30, 2022, after implementing a new security system for identifying unauthorized medical record access, which quickly flagged the HIPAA breach.

The employee's access to the health record system was terminated immediately pending an investigation, and the staff member was subjected to appropriate disciplinary action. The information accessed by the employee included names, telephone numbers, addresses, email addresses, Social Security numbers, insurance details, medical data, and medical record numbers. No evidence was found to suggest that any patient details were printed, sent externally, or written down. The department said it will conduct additional security audits in the future and will be upgrading its client outreach processes to prevent a recurrence.

The department already sent breach notification letters to all affected people. The breach isn’t yet listed on the HHS’ Office for Civil Rights web page, therefore it is uncertain how many people were impacted.

University of Pittsburgh Medical Center Paid $450,000 to Resolve Data Breach Lawsuit

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit. It will set aside $450,000 to cover claims from individuals who suffered losses because of the theft and misuse of their protected health information (PHI).

The data breach affected roughly 36,000 individuals, whose protected health information was viewed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at Charles J. Hilton PC (CJH), UPMC’s legal counsel, which provided billing-related services. The exposed records were located in the firm’s email system and included names, dates of birth, Social Security numbers, financial details, ID numbers, signatures, insurance data, and medical records. The data breach was identified in June 2020; however, notification letters were not sent to affected persons until December 2020.

Although many speculative lawsuits are filed against medical companies and their business associates over the compromise of patient information, in this case the plaintiff was defrauded shortly after the breach as a direct result of his data being stolen in the CJH breach. The hacker opened an Amazon credit card account in his name. The plaintiff said he had to spend a substantial amount of time dealing with the misuse of his personal information and PHI. The lawsuit alleged that UPMC and CJH failed in their duty to secure patient records and had not implemented reasonable and appropriate safeguards to protect patients' private information.

UPMC and CJH admitted no wrongdoing or liability but agreed to settle the case. Under the terms of the settlement, class members may submit a claim for a $250 cash payment for documented out-of-pocket costs associated with the breach and may claim up to $2,500 to recover fraudulent charges and expenses linked to identity theft, in addition to $30 for undocumented time spent dealing with the breach. Class members will also receive 12 months of free credit monitoring, identity theft protection, and dark web monitoring services. Claims must be submitted on or before September 3, 2022.

In 2021, UPMC resolved a long-running lawsuit by paying $2.65 million. The lawsuit was submitted on behalf of 27,000 staff members impacted by a data breach in February 2014.

Meta Faces Lawsuit due to the Scraping of Patient Records from Hospital Web Pages

Meta is facing a lawsuit alleging that the social media company knowingly collects patient data from hospital websites through its Meta Pixel tracking tool, and has thereby violated the privacy of millions of individuals.

The lawsuit was filed in the U.S. District Court for the Northern District of California and alleges violations of state and federal laws relating to the collection of patient data without consent. Last week, The Markup/STAT reported on research into the top 100 hospitals in the U.S., which found that a third used the Meta Pixel code on their websites. Meta Pixel is a snippet of JavaScript code used to track visitor behavior on websites, such as the buttons they click and the options they select from dropdown menus. When the tool is integrated into healthcare organizations’ websites, it can send protected health information (PHI) to Meta/Facebook, for instance the IP address of a patient who has booked an appointment together with any details selected from menus, such as the health condition the appointment concerns.

The study found 7 hospital systems that had integrated Meta Pixel into their password-protected patient portals, where the tool was transmitting sensitive information such as patient conditions that could be linked to patients through their IP addresses. The researchers found no evidence that Meta had signed a business associate agreement with the healthcare providers, and the hospitals and health systems using Meta Pixel had not obtained patients' authorization to disclose their information to Meta.

The lawsuit was filed on behalf of patient John Doe, a Facebook user and a patient of Maryland-based MedStar Health System. The plaintiff stated that he uses the patient portal to book appointments, send messages to providers, and check laboratory test results, and did not authorize the sharing of his data with Meta/Facebook. MedStar Health said all patient data is secure and that it does not use any Facebook/Meta technology on its websites. According to the lawsuit, at least 664 healthcare systems in the United States have incorporated the Meta Pixel tool into their websites, which transmits sensitive information to Meta.

Meta states on its website that when its signals filtering process detects Business Tools data that is classified as potentially sensitive health-related data, the filtering system is designed to prevent that information from being used in its ads ranking and optimization models. Nonetheless, the lawsuit asserts that despite knowingly obtaining health-related data from medical companies, Facebook did nothing to enforce or verify its requirement that healthcare providers obtain adequate authorization from patients before sharing patient data with Facebook. The lawsuit claims that the use of the tool on hospital websites without obtaining authorization violates the Health Insurance Portability and Accountability Act (HIPAA), as the information is obtained without a business associate agreement. It should be noted that the HIPAA Rules do not bind Meta/Facebook; however, the hospitals that use the tool may violate HIPAA by disclosing the data without authorization.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act, California's Unfair Competition Law, and California’s Invasion of Privacy Act. The lawsuit seeks punitive and compensatory damages, class-action status, and attorneys’ fees.

This is not the first lawsuit filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018, Smith et al v. Facebook, concerning the collection of browsing data from hospital websites. The judgment was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook because they had accepted Facebook’s terms of service.

Reclaim the Net obtained a copy of the complaint and has published it.

Study Shows 33% of Top 100 U.S. Hospitals are Sharing Patient Information with Facebook

A study of hospitals’ websites has shown that 33% of the top 100 hospitals in America are sharing patient information with Facebook through a tracker known as Meta Pixel, without seemingly getting patient consent.

Meta Pixel is a JavaScript code snippet used to track a visitor's activity on a website. According to Meta, tracked activity appears in Ads Manager and is used to measure ad performance, define custom audiences for ad targeting, run dynamic ad campaigns, and evaluate the performance of a site's conversion funnels.

Meta Pixel can collect a range of information, such as details of the buttons clicked and the pages reached by clicking those buttons, and the information collected is tied to the individual through their IP address, which identifies the device used by the visitor. That data is then sent directly to Facebook. On a hospital website, the tracker can capture a user’s IP address and associate it with sensitive information, for example that the person clicked to book an appointment.

The Markup conducted the study and co-published the report with STAT. It found Meta Pixel tracking on the appointment scheduling pages of one-third of the hospitals. For example, the researchers found that when visitors to the University Hospitals Cleveland Medical Center clicked the ‘Schedule Online’ button on a physician’s page, Meta Pixel sent the button text to Meta, together with the physician’s name and the search term, which for that individual was pregnancy termination. The same was true of several other websites, which transmitted the selections made from dropdown menus that revealed the patient’s condition, for example, Alzheimer’s disease.
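To show what a privacy or compliance reviewer can check on their own site, here is an added Python example (not code from The Markup, Meta, or any hospital) that scans constructed HTML pages for the Meta Pixel loader, pixel IDs and fbq() event calls, and rates pages under assumed sensitive URL prefixes such as appointment scheduling and patient-portal paths. The sample pages, the sensitive path prefixes and the placeholder pixel ID are constructed for the example.

```python
"""Static scan of site pages for Meta Pixel presence (added example).

The pixel's public loader pattern is well known: a script loading
connect.facebook.net/.../fbevents.js, an fbq('init', '<id>') call, fbq('track',
...) event calls and a <noscript> fallback image pointing at facebook.com/tr.
Everything else here (pages, paths, the pixel ID) is constructed.
"""
from dataclasses import dataclass, field
import re

# URL prefixes a hospital reviewer would treat as handling patient-specific
# activity. These prefixes are an assumption for the example.
SENSITIVE_PREFIXES = ("/appointments", "/schedule", "/portal", "/mychart",
                      "/find-a-doctor")

SRC_RE = re.compile(r"connect\.facebook\.net/[^\"']*fbevents\.js")
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
TRACK_RE = re.compile(r"fbq\(\s*['\"](track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
IMG_RE = re.compile(r"facebook\.com/tr\?[^\"']*?id=(\d+)")

# Constructed pixel snippet; the loader body is abbreviated and the pixel ID
# is a placeholder (all zeros), not a real account.
PIXEL_SNIPPET = """
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
"""

# Constructed site: a public home page, a scheduling page whose button fires a
# 'Schedule' event, and a portal page with no pixel at all.
SAMPLE_PAGES = {
    "/": "<html><head>" + PIXEL_SNIPPET + "</head><body>Welcome</body></html>",
    "/appointments/schedule": (
        "<html><head>" + PIXEL_SNIPPET + "</head><body>"
        "<button onclick=\"fbq('track','Schedule')\">Schedule Online</button>"
        "</body></html>"),
    "/portal/results": "<html><head></head><body>Lab results</body></html>",
}


@dataclass
class PageReport:
    path: str
    sensitive: bool
    loads_fbevents: bool
    pixel_ids: list = field(default_factory=list)
    events: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        """'none' without a pixel; 'high' on a sensitive path; else 'review'."""
        if not (self.pixel_ids or self.loads_fbevents):
            return "none"
        return "high" if self.sensitive else "review"


def is_sensitive(path: str) -> bool:
    return any(path.startswith(p) for p in SENSITIVE_PREFIXES)


def _unique(values):
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen


def scan_page(path: str, html: str) -> PageReport:
    """Extract pixel IDs (from init calls and noscript fallback) and the event
    names the page would send, then rate the page by path sensitivity."""
    ids = _unique([m.group(1) for m in INIT_RE.finditer(html)]
                  + [m.group(1) for m in IMG_RE.finditer(html)])
    events = _unique(m.group(2) for m in TRACK_RE.finditer(html))
    return PageReport(path=path, sensitive=is_sensitive(path),
                      loads_fbevents=bool(SRC_RE.search(html)),
                      pixel_ids=ids, events=events)


def scan_site(pages: dict) -> list[PageReport]:
    return [scan_page(path, html) for path, html in pages.items()]


if __name__ == "__main__":
    for r in scan_site(SAMPLE_PAGES):
        print(f"{r.path}: risk={r.risk} ids={r.pixel_ids} events={r.events}")
```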

More worrying still, for 7 hospital systems Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospitals were transmitting information to Meta about real patients who had agreed to take part in the Pixel Hunt project, which The Markup and Mozilla Rally run. Participation in that project involved sending The Markup data about the websites participants visited, which revealed the information being sent to Meta, including patients’ prescription drugs, descriptions of their allergic reactions, and details of their upcoming physician appointments.

The Markup stated that there appeared to be no business associate agreements between the hospitals and Meta, which the HIPAA Rules require before such data sharing is permitted. It also appeared that patient authorization for the transmission of information to Meta had not been obtained, meaning there were probable HIPAA violations.

The 7 hospital systems affected were Edward-Elmhurst Health, Community Health Network, FastMed, Piedmont, Renown Health, Novant Health, and WakeMed. All except Renown Health and FastMed had removed the Meta Pixel by the time the report was published, after being informed of the data transfer by The Markup, as had 6 of the 33 hospitals found to have the Meta Pixel on their appointment booking pages.

The Markup stated in its report that the 33 hospitals that got Meta Pixel installed on their appointment webpages have jointly reported over 26 million patient admissions and outpatient appointments in 2020, and this research just looked at the top 100 hospitals. More may likewise be sharing information with Facebook via Meta Pixel.

The Markup said it could not determine how Meta/Facebook used the information transmitted via Meta Pixel, including whether it was used to serve targeted advertisements. Meta spokesperson Dale Hogan issued a statement in response to the study's findings: when Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from its app or website through Meta Business Tools, which in some cases can happen by mistake, that potentially sensitive data is removed before it can be stored in Meta's ads systems.

HHS Offers Guidance for Healthcare Companies to Improve Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations strengthen their cyber posture. Cyber posture is the term used for the overall strength of an organization’s cybersecurity, its practices for predicting and preventing cyber threats, and its ability to keep operating while responding to them.

To abide by the HIPAA Security Rule, companies must employ safety measures to protect the integrity, availability, and confidentiality of electronic protected health information (ePHI), and minimize threats to a low and tolerable level.

Technical safety measures are necessary to keep ePHI secure and private and will make sure that ePHI could be retrieved in case of a detrimental cyberattack. A strong cybersecurity plan can assist to reduce the problems prompted in case of an attack, can stop the stealing of sensitive data like ePHI and intellectual property, restrict the chance of misuse of patient information, and will assist in improving customer trust.

HC3 lists several steps that can be taken to improve cyber posture, such as performing regular security posture assessments, continuously monitoring networks and software for vulnerabilities, identifying which departments have problems and assigning owners to specific challenges, routinely examining gaps in security controls, identifying key security metrics, and developing incident response and disaster recovery plans.

HC3 also recommends adopting the cybersecurity practices set out in CISA Insights for preventing cyber threats. These practices can reduce the likelihood of a damaging cyber intrusion, help organizations quickly detect attacks in progress, make an effective breach response faster to carry out, and increase the organization’s resilience to damaging cyberattacks.

HC3 draws attention to the security risk analysis, an element of HIPAA Security Rule compliance that continues to be problematic for many healthcare organizations. The security risk analysis involves identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the potential impact, and rating each risk as a combination of likelihood and impact.

Healthcare organizations can then use the output of the risk analysis to prioritize risk management. The Office for Civil Rights recently released a new version of its Security Risk Assessment tool to help small and medium-sized healthcare organizations conduct their security risk analysis.

Aesto Health and Motion Picture Industry Health Plan Report Data Breaches

Software company Aesto Health based in Birmingham, AL provides services to assist healthcare companies and medical providers in sharing, organizing, and securing patient data. It has been reported that the company just encountered a cyberattack that resulted in disruption to some internal information technology systems.

Aesto Health discovered the security breach on March 8, 2022, and took steps right away to stop the unauthorized person from further accessing its systems. A third-party computer forensics firm helped with the investigation and confirmed that an unauthorized person acquired access to the impacted systems starting December 25, 2021 until March 8, 2022.

During that time frame, certain files were extracted from a backup storage device that contained radiology reports originating from Osceola Medical Center (OMC) in Wisconsin. A review of the affected records confirmed that they contained the protected health information (PHI) of patients, including names, birth dates, physician names, and result reports associated with radiology imaging performed at OMC. No Social Security numbers or financial records were accessed or stolen, and OMC's own systems and electronic medical records were not affected. Aesto Health said it has implemented additional safeguards and technical security measures to provide added protection and monitoring of its systems.

The breach report has been submitted to the HHS’ Office for Civil Rights indicating that 17,400 patients were affected.

Motion Picture Industry Health Plan Notifies Members Regarding Unauthorized Disclosure of PHI

The Motion Picture Industry Health Plan (MPIHP) has reported an impermissible disclosure of the PHI of 16,838 plan members because of a mismailing incident. MPIHP discovered a mailing error on March 31, 2022. Because of that incident, the information of plan members was mailed to the wrong addresses. In all cases, the letter supposed to be received by one MPIHP member was mailed to the wrong MPIHP member.

The letters did not include any medical data or health claims data. They only contained a member's name, address, hours worked, the last four digits of the Social Security number, and the latest dates of eligibility. MPIHP has sent notification letters to all affected persons at the last address those members provided. Affected persons were offered free one-year identity monitoring services. MPIHP said it identified the specific cause of the error and has taken steps to prevent a similar mismailing incident from happening again.

2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information (PHI) of around 2 million people was potentially compromised in a cyberattack on Shields Health Care Group. Shields Health Care Group based in Massachusetts provides ambulatory surgical center management and medical imaging services all over New England. The group detected suspicious activity within its network on March 28, 2022. Fast action was done to secure its system and stop continuing unauthorized access. Third-party forensics professionals assisted with the investigation and confirmed the nature and magnitude of the security breach.

The forensic investigation revealed that an unauthorized individual had access to some Shields systems from March 7, 2022 to March 21, 2022. Shields said a security alert was triggered on March 18, 2022, which, when investigated, did not appear to be a data breach at the time. It has since been confirmed that during that period of access, certain data was taken from its systems. Shields said it was not aware of any instances of attempted or actual misuse of patient data.

An analysis of the files that were extracted from its systems or may have been accessed by unauthorized persons revealed that the following types of information were impacted: Full name, Social Security number, birth date, home address, provider data, diagnosis, billing details, insurance number and details, medical record number, patient ID, and other medical or treatment data. Shields is still reviewing the affected data and will issue breach notifications to impacted people on behalf of all affected facility partners after that review is finished.

After the discovery of the attack, quick action was undertaken to protect its network and records, selected systems were rebuilt, and more safeguards were put in place to better secure patient information. Cybersecurity steps will be evaluated and improved for better, continuing information safety.

The breach is already listed on the HHS’ Office for Civil Rights breach portal as affecting 2,000,000 persons. Shields stated that those people had received treatment at the 56 facility partners listed below:

  • Cape Cod Imaging Services, LLC (a Falmouth Hospital Association, Inc business associate)
  • Cape Cod Radiation Therapy Service, LLC
  • Cape Cod PET/CT Services, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Falmouth Hospital Association, Inc.
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Mercy Imaging, Inc.
  • Massachusetts Bay MRI Limited Partnership
  • MRI/CT of Providence, LLC
  • Newton-Wellesley Imaging, PC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley MRI Limited Partnership
  • NW Imaging Management Company, LLC (a Newton Wellesley Orthopedic Associates, Inc. business associate)
  • Northern MASS MRI Services, Inc.
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Winchester, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Shields CT of Brockton, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a SportsMedicine Atlantic Orthopaedics P.A. business associate)
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (an Emerson Hospital business associate)
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Management Company, Inc.
  • Shields Imaging with Central Maine Health, LLC (a Central Maine Medical Center business associate)
  • Shields PET/CT at CMMC, LLC
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET_CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Signature Imaging, LLC
  • Shields Radiology Associates, PC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a Tufts Medical Center, Inc. business associate)
  • South Shore Regional MRI Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • SportsMedicine Atlantic Orthopaedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A New York federal judge has dismissed, for lack of standing, a class-action lawsuit filed against Alliance HealthCare Services and NorthEast Radiology PC over a data breach that exposed the protected health information (PHI) of over 1.2 million people.

The lawsuit was filed in July 2021 on behalf of plaintiffs Lisa Rosenberg and Jose Aponte II, whose PHI was compromised due to a misconfiguration of the firms’ Picture Archiving and Communication System (PACS), which stored medical images and related patient data. In late 2019, security researchers found the exposed information and notified the affected organizations, Northeast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million individuals. Northeast Radiology submitted a breach report to the HHS’ Office for Civil Rights indicating that 298,532 persons were affected. The lawsuit alleged the defendants had implemented insufficient security safeguards to protect the privacy of patient information, which allowed unauthorized persons to access the medical images and other PHI from April 14, 2019 to January 7, 2020. The plaintiffs claimed they face an ongoing and imminent risk of identity theft and fraud, since protected health information, unlike a payment card, cannot be canceled. They state they now have to continually monitor their accounts, use credit and identity theft monitoring services, and spend additional time and effort to avoid and mitigate possible future losses.

It is now common for lawsuits to be filed against healthcare companies following data breaches; however, such lawsuits usually fail because the plaintiffs cannot present proof of harm resulting from the compromise or theft of their personal data, as was the case here. Judge Vincent L. Bricetti of the U.S. District Court for the Southern District of New York dismissed the case because the plaintiffs did not allege a cognizable injury. The judge ruled that the mere exposure of sensitive information could not establish that the plaintiffs had been harmed by the incident, and that the threat of future harm from the exposure of their sensitive data was too speculative to establish standing.

Although the data breach report filed with the HHS’ Office for Civil Rights stated that about 298,532 individuals were affected, NorthEast Radiology was only able to confirm that the information of 29 patients had actually been subjected to unauthorized access, and the two plaintiffs named in the lawsuit were not among that small group.

Judge Bricetti relied on the Second Circuit Court’s decision in McMorris v. Carlos Lopez & Associates, LLC, applying the three-factor test it established for determining whether allegations of harm related to a data breach amount to a cognizable Article III injury-in-fact:

  1. whether the plaintiffs’ information was exposed because of a targeted attempt to acquire that data;
  2. whether any part of the dataset was misused, even though the plaintiffs themselves haven’t encountered identity theft or fraud; and
  3. whether the type of exposed information is sensitive such that the risk of identity theft or fraud is high.

Judge Bricetti dismissed all of the plaintiffs’ claims: breach of contract, breach of implied contract, negligence, negligence per se, intrusion upon seclusion, and violations of New York General Business Law Section 349.

Former IT Consultant Charged with Deliberately Causing Harm to Healthcare Company’s Server

An information technology consultant who worked as a contractor for a suburban Chicago healthcare organization has been charged with illegally accessing the firm’s network and intentionally damaging a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT firm that had a contract with the healthcare company to provide security and technology services. Lockner was given access to the network of the healthcare organization’s clinic in Oak Lawn, IL, to deliver the contracted IT services.

In February 2018, Lockner applied for a position with the healthcare company, but his application was rejected. Lockner was then let go by the IT firm in March 2018. A month later, on or about April 16, 2018, Lockner allegedly gained remote access to the healthcare organization’s computer system without authorization. According to the indictment, Lockner intentionally caused the transmission of a program, information, code, or command, and as a result intentionally caused damage to a protected computer. The intrusion impaired medical examinations, treatment, and the care of several individuals.

Lockner is indicted on one count of intentionally causing damage to a protected computer. His arraignment is scheduled for May 31, 2022 in the U.S. District Court for the Northern District of Illinois, Eastern Division. If convicted, Lockner faces up to 10 years in federal prison.

This case illustrates the risk posed by insiders. The newly published 2022 Verizon Data Breach Investigations Report shows that attacks by external actors outnumber insider attacks by about 4 to 1; even so, safeguards must also be put in place to protect against insider threats.

In this case, the alleged access occurred two months after the employment application was rejected and one month after termination from the IT firm. When individuals leave, whether voluntarily or through dismissal, their access rights to systems should be revoked promptly, and systems should be checked for any malware or backdoors that may have been installed.
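One concrete way to operationalize that offboarding check is a periodic reconciliation of the HR or vendor termination roster against still-enabled remote-access accounts and recent VPN authentication logs. The script below is an added example for this article, not code from any of the organizations mentioned; the user names, termination dates, account export and log lines are all constructed, and the log format is an assumed simplified one.

```python
"""Offboarding access reconciliation (added example, not from the article).

Assumptions (constructed for illustration): an HR/vendor roster of departed
contractors with termination dates, an export of still-enabled remote-access
accounts, and a few VPN authentication log lines in a simplified format.
All user names, dates and addresses are made up.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re

# Constructed roster of people whose engagement has ended (user -> last day).
TERMINATED = {
    "ctr.jdoe": date(2018, 3, 9),    # contractor released by the IT vendor
    "ctr.asmith": date(2018, 2, 1),
}

# Constructed export of accounts still enabled on the VPN concentrator.
ACTIVE_ACCOUNTS = ["ctr.jdoe", "svc.backup", "nurse.rlee", "ctr.asmith"]

# Constructed VPN log lines: UTC timestamp, user, result, source IP.
VPN_LOG = """\
2018-04-16T02:13:55Z user=ctr.jdoe result=success src=203.0.113.7
2018-04-16T08:02:10Z user=nurse.rlee result=success src=198.51.100.22
2018-04-15T23:41:02Z user=ctr.asmith result=failure src=203.0.113.7
2018-02-20T09:00:00Z user=ctr.jdoe result=success src=198.51.100.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str       # "stale_account" or "post_termination_login"
    user: str
    detail: str


def parse_log(text):
    """Parse the constructed VPN lines into (timestamp, user, result, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the audit
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def stale_accounts(terminated, active):
    """Accounts that should have been disabled at termination but are still enabled."""
    return sorted(u for u in active if u in terminated)


def post_termination_logins(terminated, events):
    """Authentication attempts (successful or not) by a user after their last day.

    Failed attempts are reported too: a departed user's credentials being tried
    at all is worth an analyst's attention, whatever the outcome.
    """
    hits = []
    for ts, user, result, src in events:
        end = terminated.get(user)
        if end is not None and ts.date() > end:
            hits.append(Finding(
                "post_termination_login", user,
                f"{result} from {src} at {ts.isoformat()}Z, terminated {end}",
            ))
    return hits


def reconcile(terminated=TERMINATED, active=ACTIVE_ACCOUNTS, log=VPN_LOG):
    """Combine both checks into one list of findings for review."""
    findings = [Finding("stale_account", u, "still enabled after termination")
                for u in stale_accounts(terminated, active)]
    findings.extend(post_termination_logins(terminated, parse_log(log)))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:24} {f.user:12} {f.detail}")
```

In a real deployment the roster would come from the HR system or the vendor's own offboarding notice, the account export from the identity provider or VPN appliance, and the log lines from the SIEM; the two checks stay the same. The stale-account check is the one that prevents the scenario described in the case, while the login check catches the situation where an account was disabled late or re-enabled.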

There have been several cases of disgruntled IT contractors retaining remote access to networks after dismissal. In one such case at a law firm, a former IT worker installed a backdoor and later used it to access the system and deliberately cause damage after leaving. That individual was sentenced to 115 months in federal prison and ordered to pay $1.7 million in restitution.