Ransom Disclosure Act Demands Disclosure of Payments to Ransomware Gangs Within 48 Hours

Newly introduced legislation would require ransomware victims to report any ransom payment made to attackers to the Department of Homeland Security (DHS) within 48 hours of making the payment.

Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) introduced the Ransom Disclosure Act. The bill aims to give DHS the information it needs to investigate ransomware attacks and to improve understanding of how cybercriminal enterprises operate, allowing DHS to build a clearer picture of the ransomware threat facing the United States.

From 2019 to 2020, ransomware attacks increased by 62% globally and by 158% in North America. The Federal Bureau of Investigation (FBI) received nearly 2,500 complaints about ransomware attacks in 2020, 20% more than the previous year, with more than $29 million in reported losses. Not all ransomware attacks are reported: many victims quietly pay the attackers to obtain the decryption keys and to avoid public disclosure of any data stolen in the attack.

Chainalysis estimates that ransomware gangs worldwide were paid about $350 million in cryptocurrency in 2020, a 311% increase over the previous year. Attacks have continued to rise in 2021: according to Check Point’s mid-year security report, ransomware attacks in the first half of 2021 were up 93% on the same period last year.

As the ransomware attack on Colonial Pipeline showed, the groups behind these attacks pose a considerable national security risk. That attack shut down a major fuel pipeline for about a week. The attack on JBS Foods disrupted food production, and the large number of attacks on the healthcare sector has affected the ability of healthcare providers to treat patients. This year, CISA stated that ransomware attacks delay care and affect patient outcomes, and a death in the U.S. has been alleged to have resulted from a ransomware attack.

Ransomware attacks keep increasing because they are profitable, earning ransomware groups and their affiliates large sums, and there is little risk of being caught and prosecuted. Investigations of ransomware gangs are often hampered by a lack of information, hence the introduction of the Ransom Disclosure Act.

Although the FBI encourages victims to report ransomware attacks to assist investigations, reporting is not mandatory. Because victims are not required to report ransomware attacks or payments to federal authorities, the data needed to understand these cybercriminal groups and deter their intrusions is lacking, said Congresswoman Ross. The bill would impose reporting requirements covering the amount of ransom demanded and paid and the type of currency used; the U.S. cannot continue to fight ransomware attacks without this information.

The Ransom Disclosure Act would require:

  • Ransomware victims (other than individuals) to disclose any ransom payment within 48 hours of making it, including the amount, the currency used, and any information gathered about the entity demanding the ransom.
  • DHS to publish, each year, the information disclosed during the previous year about ransoms paid, excluding information identifying the entities that paid.
  • DHS to set up a website through which individuals can voluntarily report ransom payments.
  • The Secretary of Homeland Security to study commonalities among ransomware attacks and the extent to which cryptocurrency facilitated them, and to make recommendations for protecting information systems and strengthening cybersecurity.

OCR Publishes Guidance on HIPAA and COVID-19 Vaccination Status Disclosures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued guidance explaining how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status and to questions about whether an individual has been vaccinated against COVID-19.

OCR noted that HIPAA applies only to HIPAA-regulated entities: healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions (covered entities), and business associates of those entities that access or use protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or to employment records, including records held by a HIPAA-regulated entity in its capacity as an employer.

OCR explained how HIPAA applies to COVID-19 vaccination information in specific scenarios through a Q&A published on its website, which states:

The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. That includes individuals who work for a HIPAA-covered entity or business associate.

The HIPAA Privacy Rule does not prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine.

The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.

The HIPAA Privacy Rule does not prohibit a covered entity or business associate from requiring its workforce members to disclose to their employer or to other parties whether they have received a COVID-19 vaccine.

OCR confirmed that, in general, the HIPAA Privacy Rule prohibits a doctor’s office from disclosing a patient’s PHI, including COVID-19 vaccination information, to the patient’s employer or other parties unless the patient authorizes the disclosure or the Privacy Rule otherwise permits it, for example disclosing to a health plan to obtain payment for administering the vaccine, or disclosing to a public health authority.

OCR also explained the circumstances in which a HIPAA-covered healthcare provider may disclose PHI about a patient’s vaccination status to the patient’s employer.

This is permitted only where the provider delivers the care at the employer’s request, to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 among the workforce) or to evaluate whether the individual has a work-related illness, and only if all of the following conditions are met:

The covered healthcare provider is providing the healthcare service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.

The PHI disclosed consists of findings concerning a work-related illness or workplace-related medical surveillance.

The employer needs the findings to comply with its obligations under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state law with a similar purpose.

The covered healthcare provider gives the individual written notice that PHI relating to workplace medical surveillance and work-related illnesses will be disclosed to the employer.

The guidance is intended to help individuals, businesses, and healthcare entities understand when HIPAA applies to disclosures about COVID-19 vaccination status, and to ensure they have the information they need to make informed decisions about protecting themselves and others from COVID-19.

Lisa J. Pino Named Director of the HHS Office for Civil Rights

Lisa J. Pino has been appointed Director of the Department of Health and Human Services’ Office for Civil Rights (OCR). She succeeds Robinsue Frohboese, who had served as Acting OCR Director since Roger Severino resigned in mid-January.

OCR’s primary responsibility is to ensure that covered entities comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules and with the Patient Safety Rule of the Patient Safety and Quality Improvement Act, in addition to enforcing federal civil rights, conscience, and religious freedom laws.

Pino, a New York City native who speaks Spanish, is the first-generation daughter of immigrant parents. She earned her B.A., M.A., and J.D. with honors from Arizona State University and later completed a leadership program at the Harvard Kennedy School as a National Hispana Leadership Institute Fellow.

Pino began her career as a legal aid lawyer in the Southwest, advocating for the rights of migrant farm workers. She continued her civil rights work at the United States Department of Agriculture (USDA) as Deputy Assistant Secretary for Civil Rights and as Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP).

At the USDA, Pino drafted the department’s first gender identity anti-discrimination program rules and its first limited English proficiency guidance, and she led the outreach and engagement efforts that helped ensure minority farmers received the benefits granted through class action settlements.

Pino was also a Senior Executive Service appointee under President Barack Obama, serving as Senior Counselor at the U.S. Department of Homeland Security (DHS). There she played a leading role in mitigating the largest federal data breach in history, the 2015 theft of the data of 4 million federal employees and 22 million others, by renegotiating more than 700 vendor procurements and implementing new cybersecurity regulatory programs.

Most recently, Pino served as Executive Deputy Commissioner of the New York State Department of Health, the agency’s second-highest executive position. There she led New York’s operational COVID-19 pandemic response and oversaw program development for Medicare, Medicaid, the Nutrition Program for Women, Infants, and Children (WIC), Wadsworth Laboratories, hospital and alternative care facilities, the AIDS Institute, the Center for Environmental Health, and the Center for Community Health.

Lisa is an outstanding public servant. Her breadth of experience and management expertise, particularly her work improving civil rights laws and policy at the U.S. Department of Agriculture (USDA) during the Obama-Biden Administration, will help ensure that the rights of every individual across the country are protected.

PHI of Dignity Health Patients Contained in Stolen Laptop Computer

Resource Anesthesiology Associates (RAA) of California has begun notifying patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that a laptop computer containing some of their protected health information (PHI) has been stolen.

RAA of California provides anesthesiology services at Dignity Health hospitals and is given access to patient information for that purpose. On July 8, a laptop belonging to an RAA of California administrator was stolen. RAA reported the theft to law enforcement, but the device has not been recovered.

RAA of California investigated to determine which patient data was stored on the laptop and could potentially be viewed. The review confirmed that the laptop held the following types of data: names, addresses, dates of birth, provider names, dates of service, diagnosis and treatment information, health insurance information, and other information related to patients’ healthcare.

The laptop was password protected, which provides some protection against unauthorized access. However, a login password can be guessed or bypassed, and password protection on its own does not encrypt the data on the drive, so the information could still be accessed by an unauthorized person. Had the drive been encrypted to the standard set out in HHS guidance, the data would not have counted as unsecured PHI and the theft would not have been a reportable breach under the HIPAA Breach Notification Rule. RAA of California said it has found no evidence that any data stored on the laptop has been accessed or misused.

RAA of California believes the risk of misuse of patient data is low but, as a precaution, is offering affected individuals a free membership to identity theft protection services through IDX. Patients receive a year of CyberScan monitoring and are covered by a $1 million identity theft insurance policy that includes fully managed identity theft recovery services.

Jackson Health Investigates Social Media HIPAA Violation Involving a Nurse

Jackson Health is investigating a privacy violation after a nurse posted photos of a baby with a birth defect on Facebook.

A nurse working in the neonatal intensive care unit at Jackson Memorial Hospital shared two photos on Facebook of a baby with gastroschisis, a rare birth defect of the abdominal wall in which the intestines protrude outside the body. The photos carried the captions, “Your intestines posed (sic) to be inside not outside baby! #gastroschisis” and “My night was going great then boom!” They were posted on accounts belonging to Sierra Samuels.

Posting images of patients on social media without authorization is a serious violation of patient privacy. Photos of patients are protected health information (PHI), and publishing them on social media platforms, even in closed Facebook groups, violates the Health Insurance Portability and Accountability Act (HIPAA) unless the patient’s prior authorization has been obtained.

HIPAA requires healthcare organizations to train their workforce on their privacy policies. Training must be provided within a reasonable time after an individual joins a covered entity’s workforce and should be reinforced regularly; best practice is to provide refresher HIPAA privacy training annually. Organizations must also establish and enforce a sanctions policy that clearly states the penalties workforce members face if they violate the HIPAA Rules.

After being alerted to the social media posts, Jackson Health opened an investigation into the privacy breach and placed the nurse on administrative leave pending its outcome. Protecting patient privacy is the top priority at Jackson Health System, and any potential privacy breach is taken seriously and thoroughly investigated, a Jackson Health spokesperson said. Jackson Health also confirmed that employees who violate patient privacy despite their training face disciplinary action, up to and including suspension or termination.

OCR Issues 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The 20th financial penalty under the HIPAA Right of Access enforcement initiative has been issued by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, agreed to pay an $80,000 penalty to settle an alleged HIPAA Right of Access violation and to adopt a corrective action plan addressing the non-compliance identified by OCR. OCR will monitor CHMC’s compliance for one year.

The HIPAA Privacy Rule gives individuals the right to obtain a copy of the protected health information (PHI) a HIPAA-covered entity holds about them, and gives parents and legal guardians the right to obtain copies of their minor children’s health records. Covered entities must provide the requested records within 30 days and may charge only a reasonable, cost-based fee for copies. In limited circumstances a covered entity may take one 30-day extension, so the maximum time to provide the records is 60 days from receipt of the request.

Individuals who believe their HIPAA rights have been violated cannot sue a HIPAA-covered entity under HIPAA, which has no private right of action, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who said CHMC had not provided her with timely access to her minor daughter’s health records.

CHMC received the parent’s request and provided some of her daughter’s medical records, but not all of those requested, and the parent made several follow-up requests. OCR’s investigation confirmed that the parent requested a copy of her late daughter’s health records on January 3, 2020. Some of the records were provided, but the remainder had to be obtained from another CHMC department; some of those were delivered on June 20, 2020 and the rest on July 16, 2020. OCR determined that this was a violation of the HIPAA Right of Access standard, 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures relating to the HIPAA Right of Access, submit them to OCR for review, distribute the approved policies to its workforce, and ensure training is provided.

Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records when the parent is the child’s personal representative, said Acting OCR Director Robinsue Frohboese. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.

California DOJ Must Be Notified of Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to notify the HHS’ Office for Civil Rights (OCR) of data breaches, and healthcare organizations must also comply with state data breach notification laws.

Many states have enacted their own data privacy laws, which typically require notification of the state Attorney General when a breach exceeds a certain threshold. State Attorneys General are authorized to bring civil actions against healthcare organizations that fail to issue breach notifications required by HIPAA and state law. In California the reporting threshold matches HIPAA’s: a breach affecting 500 or more California residents must be reported to the California Department of Justice (DOJ).

Recently there have been several instances in which the California DOJ was not notified of ransomware attacks on California healthcare organizations, even though the personal and protected health information (PHI) of California residents was potentially exposed in the attack.

California Attorney General Rob Bonta has issued a bulletin reminding all entities that hold the confidential health-related information of California residents of their obligation under California law (Civil Code section 1798.82) to report data breaches. When the health information of 500 or more California residents is breached, a breach report must be submitted to the Office of the Attorney General. The California DOJ then publishes the notice on its website so that the public is aware of the breach and victims can take appropriate steps to protect themselves against identity theft and fraud. Individual notices must also be sent to affected persons.

Timely breach notification helps affected individuals mitigate the potential losses from fraudulent use of personal information obtained in a breach of health data. It is therefore essential for healthcare providers to be proactive and vigilant in reducing their exposure to ransomware attacks, and to fulfill their health data breach notification obligations in order to protect the public.

In the bulletin, Attorney General Bonta additionally advised healthcare companies to take proactive actions to safeguard patient records against ransomware attacks.

State and federal health data privacy frameworks, including the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), require healthcare entities and companies that handle health information to establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that help prevent malware infections such as ransomware, so as to protect consumers’ healthcare data from unauthorized use and disclosure.

Healthcare organizations are urged to take the following proactive measures:

  • Keep operating systems and software that store health information up to date
  • Apply security patches promptly
  • Install antivirus software and keep it updated
  • Provide regular data security training to employees, including training on phishing attacks
  • Restrict users’ ability to download, install, and run unapproved software
  • Maintain, and routinely test, the data backup and recovery program for all critical data
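The last item on that list, actually testing that backups restore, is the one most often skipped until a ransomware incident makes it urgent. The following restore drill is an added example written for this page; it is not from the Attorney General’s bulletin or from any of the organizations named here. It assumes backups are tar archives and that a SHA-256 manifest recorded at backup time is stored separately from the archive, so that a corrupted, truncated or tampered restore is detected rather than discovered during recovery. The file names and record contents are constructed placeholders, not real patient data.

```python
"""Backup-and-restore verification drill (added example, not from the bulletin).

Assumptions: backups are tar archives; a SHA-256 manifest captured at backup
time is kept apart from the archive and used to verify any later restore.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest; the caller stores the manifest elsewhere."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # add exactly the files in the manifest
            tar.add(src / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive; the 'data' filter (Python 3.12+ and backports) blocks path traversal."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest)


def verify_restore(restored: Path, manifest: dict) -> list:
    """Compare a restored tree against the manifest; return a list of problems (empty = good)."""
    problems = []
    actual = build_manifest(restored)
    for rel, expected in manifest.items():
        got = actual.get(rel)
        if got is None:
            problems.append(f"missing: {rel}")
        elif got != expected:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def run_drill() -> tuple:
    """Back up constructed sample data, restore and verify it, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src = tmp / "records"
        (src / "2021").mkdir(parents=True)
        # Constructed placeholder content; no real patient data.
        (src / "2021" / "mrn-0001.txt").write_text("patient record placeholder 1\n")
        (src / "2021" / "mrn-0002.txt").write_text("patient record placeholder 2\n")
        (src / "index.csv").write_text("mrn,file\n0001,2021/mrn-0001.txt\n0002,2021/mrn-0002.txt\n")

        archive = tmp / "records.tar.gz"
        manifest = create_backup(src, archive)

        restored = tmp / "restore"
        restored.mkdir()
        restore_backup(archive, restored)
        clean = verify_restore(restored, manifest)  # expected: no problems

        # Simulate a bad restore: one file corrupted, one file missing.
        (restored / "index.csv").write_text("corrupted\n")
        (restored / "2021" / "mrn-0002.txt").unlink()
        tampered = verify_restore(restored, manifest)  # expected: two problems
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_drill()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

The manifest is the important piece: a restore that completes without error but yields different bytes is exactly the failure mode ransomware operators exploit when they encrypt or delete backups before detonating, and comparing hashes against a copy kept off the backup host is what turns "the restore finished" into "the restore is correct".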

Cyberattack Forces Memorial Health System to Transfer Patients to Other Hospitals

Memorial Health System, based in Marietta, OH, was forced to divert emergency care because of a suspected ransomware attack.

When the attack occurred, the health system shut down its IT systems to contain it. Emergency procedures were put in place because staff could not access critical IT systems, and employees reverted to paper charts.

Memorial Health System operates three hospitals in Ohio and West Virginia, all of which were affected by the attack. Because electronic health records were unavailable, patient safety was potentially put at risk, so the decision was made to divert emergency patients.

Memorial Health System is continuing to accept stroke, STEMI, and trauma patients at Marietta Memorial Hospital. Belpre and Selby are on diversion for all patients because of limited radiology availability. All other hospital patients are best served by being taken to the nearest accepting facility. If all area hospitals are on diversion, patients will be taken to the emergency department closest to where the emergency occurred. The diversion will remain in place until IT systems are restored.

All urgent surgical cases and radiology exams scheduled for the following day were postponed; primary care appointments are proceeding as scheduled, though patients with appointments were advised to call ahead to confirm.

Memorial Health System President and CEO Scott Cantley said that maintaining the safety and security of patients and their care is the organization’s top priority and that it is doing everything it can to minimize disruption. Staff at Selby, Marietta Memorial, and Sistersville General Hospital are working with pen and paper while systems are restored and data recovered.

The health system has launched an investigation, but it is too early to know how much data, if any, was exposed in the attack. Memorial Health System officials said no evidence had yet been found that the attackers obtained employee or patient information. IT specialists are methodically investigating the breach to determine how the attackers gained access to its systems, what they did once inside, and which systems and files they viewed or obtained.

The attack was reported to the FBI and the Department of Homeland Security, and the health system is working closely with its IT partners to restore its systems and data as quickly as possible.

Bleeping Computer reports having seen evidence that the Hive ransomware group was responsible for the attack. Like many other ransomware operations, Hive is known to steal data before deploying ransomware and runs a leak site used to pressure victims into paying the ransom.

Bleeping Computer also says it obtained evidence that databases containing the protected health information (PHI) of about 200,000 patients were stolen in the attack, including names, Social Security numbers, and dates of birth.

Dynamic Health Care Malware Attack Impacts Several Illinois Nursing and Rehabilitation Facilities

Patients and employees at several nursing and rehabilitation centers in Illinois are being notified that some of their protected health information (PHI) may have been compromised in a cyberattack on Dynamic Health Care, Inc.

Dynamic Health Care provides administrative, consulting, and back-office services to nursing and rehabilitation facilities in Illinois, and those services require access to certain staff and patient information. On November 8, 2020, Dynamic Health Care discovered that malware had been installed on several computers on its network and launched an investigation to determine the full nature and scope of the incident.

Dynamic Health Care said an unauthorized person had access to its network from November 8, 2020 to January 7, 2021. During that time the attacker may have viewed or obtained data on employees and residents of facilities including Waterfront Terrace, Woodbridge Nursing Pavilion, Bridgeview Health Care Center, Ottawa Pavilion, Willow Crest Nursing Pavilion, and River North of Bradley Health & Rehabilitation Center.

A comprehensive review of all records on the affected computers confirmed that sensitive data had been exposed. The types of data involved varied by individual and may have included name, date of birth, Social Security number, name of the treating nursing facility, dates of admission and/or discharge, and resident ID number.

Dynamic Health Care has sent breach notification letters to all affected individuals. The company said it already had strict security measures in place to protect the data in its custody, but those measures have since been strengthened, and employees have received additional training to help prevent further breaches.

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Lawsuit

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit brought by victims of a December 2019 data breach that exposed patients’ demographic, health insurance, and health information.

The breach resulted from a phishing attack detected on December 9, 2019. The investigation found that unauthorized individuals had gained access to the email accounts of several employees: one account was compromised between December 6 and December 9, 2019, and the others on December 9 for a few hours.

The investigation found no evidence that patient information had been stolen or misused, but unauthorized access to protected health information (PHI) and data exfiltration could not be ruled out. The compromised email accounts contained the PHI of approximately 109,000 patients.

Affected individuals were notified starting on February 4, 2020, and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing its email retention policies, and providing additional training to employees. Overlake has spent $148,590 on security upgrades since the breach and has committed to further improvements costing $168,000 a year for the next three years.

The lawsuit, Richardson v. Overlake Hospital Medical Center, filed in the Superior Court of King County, Washington, alleged that Overlake was negligent in failing to prevent unauthorized access to its systems. It also alleged intrusion upon seclusion/invasion of privacy, breach of confidence, breach of express contract, breach of fiduciary duty, and breach of implied contract. Although 109,000 people were notified of the breach, only 24,000 are included in the class, as the other patients’ PHI was determined not to have been breached.

The lawsuit alleged that the hospital failed to implement reasonable safeguards to protect the privacy of HIPAA-covered information and did not provide adequate notice of the breach. Overlake Hospital Medical Center denies all claims in the lawsuit and all allegations of wrongdoing, and chose to settle without admitting liability.

Under the terms of the settlement, two types of claims may be submitted. Class members may claim up to $250 for ordinary out-of-pocket expenses incurred as a result of the breach, such as bank fees, phone charges, postage, fuel for local travel, and up to three hours of documented time at $20 an hour, provided at least one full hour was spent on mitigation. Credit report fees and the cost of credit monitoring and identity theft protection services purchased between February 4, 2020 and the date of the Court’s preliminary approval of the settlement may also be claimed.

Claims for reimbursement of extraordinary expenses may be submitted for up to $2,500. These claims must include documentation of losses that were more likely than not incurred as a result of the breach between December 1, 2019 and the end of the claim period.

A fairness hearing has been slated for Sept. 10, 2021.

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced that nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected health information and the submission of fraudulent claims for pandemic unemployment insurance.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were made available to individuals affected by the COVID-19 pandemic who would not ordinarily qualify for payments.

In one case, former Scripps Health employee Matthew Lombardo was charged with felony HIPAA violations for obtaining patients’ protected health information (PHI) and disclosing it to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators: Konrad Piekos, Dobrila Milosavljevic, and Ryan Genetti. Genetti, Piekos, and Milosavljevic were additionally charged with aggravated identity theft and are alleged to have used the stolen data to file fraudulent claims for Pandemic Unemployment Assistance (PUA) benefits.

The case began when the San Diego Sheriff’s Department stopped Konrad Piekos for driving without a license plate. When deputies approached the vehicle, they saw an assault rifle in plain view. Piekos admitted the rifle was unregistered, and a search of the vehicle turned up several loaded firearms and ammunition. After obtaining a warrant to search Piekos’ home, investigators found additional firearms and ammunition, quantities of heroin and fentanyl, and cell phones. Warrants to search the phones revealed text messages among Genetti, Piekos, and Lombardo discussing the suspected distribution of narcotics and guns, and a method for obtaining unemployment benefits using other people’s personally identifiable information (PII).

Piekos and Genetti allegedly conspired to fraudulently obtain PUA benefits in July 2020, with Lombardo joining the scheme in August 2020. According to the indictment, Lombardo used his position as a patient financial services representative to access patients’ PII, which he passed to Piekos, Milosavljevic, and Genetti beginning on August 15, 2020. Scripps Health terminated Lombardo on April 14, 2021.

In another case, Genetti and three other defendants – Garrett Carl Tuggle, Lindsay Renee Henning, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, heroin, and cocaine with intent to distribute. The defendants submitted more than 108 separate claims for PUA benefits, totaling $1,615,000.

Lombardo faces a maximum prison term of 10 years and a fine for the HIPAA violation. The conspiracy to commit wire fraud charge carries a maximum prison term of 20 years plus a fine, and the aggravated identity theft charges carry a mandatory minimum of 2 years in prison, to be served after any other sentences.

“Pandemic unemployment insurance programs are a crucial component of our safety net created to help industrious citizens who are experiencing an unparalleled economic downturn,” stated Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will look into and prosecute people who try to steal from these services created to support deserving individuals.”

CaptureRx Facing Multiple Class Action Lawsuits Because of the Ransomware Attack Affecting 2.4 Million Patients

CaptureRx, a healthcare administrative services provider, is facing multiple class-action lawsuits over its alleged failure to secure patient information that was obtained by unauthorized individuals in a February 2021 ransomware attack.

NEC Networks, doing business as CaptureRx, provides IT solutions that help hospitals manage their 340B drug discount programs. In providing those services, CaptureRx receives patients’ protected health information (PHI).

On or around February 6, 2021, CaptureRx detected suspicious activity, including file encryption, in parts of its IT systems. The investigation confirmed that files containing the PHI of at least 2,400,000 patients were exposed in the attack.

CaptureRx stated in its breach notice that all policies and procedures are being reviewed and improved, and that additional employee training is being provided, to reduce the likelihood of a similar incident in the future. Affected individuals were advised to remain vigilant against identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor their free credit reports for suspicious transactions and errors.

On July 21, 2021, plaintiff Michelle Rodgers filed a lawsuit in the U.S. District Court for the Western District of Texas. Rodgers is a patient of ARcare in Augusta, AR, whose personal data and PHI were compromised in the attack.

Rodgers and the class members allege that CaptureRx was negligent in failing to implement and maintain reasonable security measures and did not follow industry-standard data security practices to ensure the privacy of their PHI, in violation of federal and state law. The plaintiff and class members seek monetary damages and injunctive and declaratory relief.

A similar lawsuit had earlier been filed in the U.S. District Court for the Western District of Texas naming Mark Vereen as plaintiff and NEC Networks, CaptureRx, and Midtown Health Center in Los Angeles as defendants. That lawsuit claims the defendants failed to take the necessary steps to prevent a data breach whose risk should have been known. The plaintiffs in that action claim they face a risk of harm that may be “long-term and serious” and could persist for many years, and that the defendants violated Federal Trade Commission regulations and HIPAA. The lawsuit claims damages in excess of $5 million.

A Missouri resident filed a lawsuit in federal court in Kansas City on behalf of all Missouri residents affected by the breach, seeking at least $5 million in damages.

Ohio Personal Privacy Act Launched to Increase Privacy Protections for Ohioans

A comprehensive new privacy bill has been introduced in Ohio to better protect the privacy of Ohio residents. The Ohio Personal Privacy Act closely follows the recently introduced Virginia law (the CDPA) and would give Ohio residents a number of new rights over the personal information that businesses collect, store, maintain, and transmit.

Much like Virginia’s CDPA, the Ohio Personal Privacy Act has a narrow definition of consumers and excludes individuals acting in a commercial or employment context. Personal information protected by the Ohio Personal Privacy Act is defined as any data that relates to an identified or identifiable consumer and that a business processes for a commercial purpose.

The Ohio Personal Privacy Act applies only to businesses that operate in Ohio and meet at least one of the following thresholds:

  • Generates annual gross income above $25 million
  • Derives over 50% of gross income from the sale of personal information and controls or processes the personal information of at least 25,000 Ohio consumers
  • Controls or processes the personal information of 100,000 or more Ohio residents in a calendar year

There is a lengthy list of exemptions, including:

  • Covered entities and business associates that are regulated by and compliant with HIPAA
  • PHI governed by HIPAA
  • Activities regulated by the Fair Credit Reporting Act
  • Financial institutions and data governed by the Gramm-Leach-Bliley Act, if compliant
  • Data governed by the Children’s Online Privacy Protection Act
  • Institutions of higher education
  • Business-to-business transactions
  • Insurance companies and independent insurance agents

Consumers must be informed about how their personal information will be collected and used. Consumers have the right to access the personal information a business holds about them and to have that data deleted. Consumers must be notified of data collection and processing activities through a clear and conspicuous notice, and may opt out of the sale of their personal information. Businesses may not discriminate against any person for exercising their rights under the Ohio Personal Privacy Act.

The Ohio Attorney General has the authority to enforce the Ohio Personal Privacy Act and may bring an action against a covered entity when there is reasonable cause to believe it has violated the Act. The Attorney General can obtain a declaratory judgment, civil penalties, and injunctive relief, with treble damages for knowing violations.

Before any action is taken, a 30-day cure period will be provided to allow the issues to be corrected. Businesses also have an affirmative defense against an enforcement action by the Ohio Attorney General, or a lawsuit filed by a consumer, if they create, maintain, and comply with a written privacy program that conforms to the National Institute of Standards and Technology (NIST) Privacy Framework.

Consumers who believe their rights under the Ohio Personal Privacy Act have been violated cannot file a lawsuit against a business over the violation; the Act provides no private right of action.

Class Action Lawsuit Filed Against Radiology Specialists Due to PACS Data Breach

A radiology practice and its vendor are facing a class-action lawsuit filed in the U.S. District Court for the Southern District of New York over their alleged failure to secure a Picture Archiving and Communication System (PACS) containing patients’ protected health information (PHI) and medical images.

In 2019, security researchers discovered vulnerabilities in the PACS used by clinics, hospitals, and radiology practices to share medical images and data. The researchers analyzed over 2,300 medical images, which were found to contain sensitive patient information. In December 2019, the researchers notified the affected companies, including Northeast Radiology and its vendor Alliance Health, about the exposed data.

The two companies used medical image archiving software that allowed unauthorized individuals to access medical images and PHI. The researchers found 61 million exposed X-rays, MRIs, and CT scans, which contained PHI such as names, medical record numbers, dates of service, test results, and, in some cases, Social Security numbers.

In March 2020, Northeast Radiology reported the PACS data breach to the Department of Health and Human Services’ Office for Civil Rights as affecting 298,532 individuals. According to the breach report, medical images held by Alliance Health were compromised, and hackers had access to its PACS from April 2019 to January 2020.

Two patients filed a lawsuit against Northeast Radiology and Alliance HealthCare for allegedly exposing patient information for over 9 months. According to the lawsuit, the security researchers informed the two companies about the exposed data, yet the companies took no action to secure their PACS.

The lawsuit alleges that the defendants were negligent and violated the Health Insurance Portability and Accountability Act (HIPAA) and state data protection laws through careless handling of patient information and medical images, and that they also breached Federal Trade Commission (FTC) requirements. As a result of these violations, the plaintiffs and class members are said to have suffered direct injury and to have been placed at greater risk of identity theft and fraud. In addition to the exposure of their PHI, the lawsuit claims that victims of the breach were given inadequate notification.

The patients seek compensatory and consequential damages as well as injunctive relief, including requiring the firms to improve their data security and monitoring and to submit to future system audits to confirm their systems are secure. The lawsuit also seeks credit monitoring and identity theft protection services for all class members.

At the end of June, the U.S. Department of Health and Human Services warned 130 hospitals and health systems about PACS vulnerabilities that had exposed sensitive healthcare information and advised them to take immediate action to ensure their PACS are properly configured and patient data is protected. The PACS used by those hospitals held 275 million medical images, including the PHI of more than 2 million individuals.

Ex-Employee of Cedar Rapids Hospital Who Accessed Ex-Boyfriend’s PHI Gets 5-Year Probation

A former employee of a Cedar Rapids hospital has been sentenced to 5 years’ probation for improperly accessing and sharing the protected health information (PHI) of her former boyfriend.

41-year-old Jennifer Lynne Bacor of Las Vegas, NV, worked at a Cedar Rapids hospital as a patient care technician. Her job gave her access to systems containing individually identifiable patient data. Although she was permitted to access those systems, she was only allowed to view patient data as needed to carry out her job duties.

Bacor’s ex-boyfriend visited the hospital several times in 2017 for treatment. Using her login credentials, Bacor accessed his health records, created between October 2013 and September 2017, on a number of occasions between April and October 2017, despite having no legitimate work reason to do so.

Accessing a person’s PHI without a legitimate work reason violates the Health Insurance Portability and Accountability Act (HIPAA), and criminal charges may be filed for such a violation.

Bacor took a photograph of a medical image showing injuries her former boyfriend had suffered and sent the photo to a third party. That third party then shared the photo with others via Facebook Messenger, adding taunting comments and emojis. Bacor was also found to have stated in social media messages to another individual that she was seeking primary custody of the two children she had with her former boyfriend.

After learning of the privacy breach, the former boyfriend went to the hospital on October 4, 2017 and filed a complaint alleging that Bacor had accessed his health records without authorization and obtained the image from the hospital. The hospital investigated the privacy violation and confirmed that Bacor had accessed his health records 10 times. Bacor was initially suspended and subsequently dismissed for the HIPAA violation.

In August 2020, Bacor admitted to police officers that she had broken federal privacy law, saying she did so only to protect her children. Bacor entered a plea agreement and pleaded guilty to one count of wrongfully obtaining individually identifiable health information under false pretenses.

U.S. District Judge C.J. Williams stated that Bacor had weaponized her former boyfriend’s private health information by sharing it with others. He sentenced her to 5 years’ probation and fined her $1,000. Bacor was also prohibited from working in any job that would give her access to other people’s private health records.

Data Breaches at NorthWest Congenital Heart Care and Superior HealthPlan

NorthWest Congenital Heart Care, based in Washington, is notifying 1,166 patients about a potential breach of some of their protected health information (PHI) as a result of unauthorized access. On May 7, 2021, the office of one NWCHC physician was broken into by an unauthorized third party, and an external hard drive used for data backups was stolen. The provider reported the theft to law enforcement, but the hard drive has not been recovered.

An analysis of the backups showed they contained patient data such as names, birth dates, ages, medical and treatment details, dates and locations of service, physician names, services required, procedures performed, diagnosis codes, medical record numbers, diagnosis and treatment information, and, for one individual, health insurance details.

To reduce the risk of future data breaches, NorthWest Congenital Heart Care will stop using external hard drives for data backups.

Accellion Data Breach Affects Superior HealthPlan Members

2,781 members of Superior HealthPlan in Texas have been notified that some of their PHI was compromised in the cyberattack on Accellion. The breach affected the Accellion file transfer application, which was used to send very large files that cannot be sent by email.

The attackers had access to the system from January 7 to January 20, 2021. On April 2, 2021, Superior HealthPlan learned that the attackers had been able to access and obtain files containing names, addresses, birth dates, insurance ID numbers, and medical information including health condition and treatment details.

All affected individuals have been offered free credit monitoring and identity theft protection services for one year. Superior HealthPlan is no longer using Accellion’s services. All data has been removed from Accellion’s systems, and file transfer procedures and tools are being reviewed and updated to prevent similar breaches in the future.

Approved Colorado Privacy Act Only Awaits State Governor’s Signature

Colorado has joined California and Virginia in passing comprehensive data privacy legislation to protect state residents. After a number of amendments, the Colorado Privacy Act was passed unanimously by the Colorado Senate on June 8, 2021, and it now awaits the signature of Governor Jared Polis.

The Colorado Privacy Act applies to all data controllers that conduct business in Colorado and either control or process the personal data of at least 100,000 Colorado consumers in a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 Colorado consumers.

Exemptions include protected health information (PHI) collected, processed, or maintained by HIPAA-covered entities and their business associates; personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA); data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA); and individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

The Colorado Privacy Act gives Colorado consumers five rights over their personal data:

  1. The right to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.
  2. The right to access the personal data a data controller holds about them.
  3. The right to have their personal data corrected if errors are found.
  4. The right to have their personal data deleted.
  5. The right to obtain their data in a portable and readily usable format.

All entities subject to the Colorado Privacy Act have the following obligations when collecting and processing data:

  • Transparency – Consumers must be informed of the purposes for which their personal data is collected and processed, and must be told when their personal data is sold or used for targeted advertising. Consumers must not be required to create a new account to exercise one of their rights, nor be charged a higher price or given reduced access for exercising a consumer right.
  • Purpose of collection – Consumers must be told the specific purposes for which their personal data is collected and processed.
  • Data minimization – Personal data collected and processed must be limited to what is reasonably necessary to accomplish the purpose of collection and processing.
  • Secondary data uses – Personal data must not be used for secondary purposes that are incompatible with the purpose of collection and the consent given by consumers.
  • Data security – Data controllers must secure personal data against unauthorized access.
  • Unlawful discrimination – Data must not be collected or processed in violation of federal anti-discrimination law.
  • Sensitive data – Sensitive data, including information about religious beliefs, ethnic origin, sexual orientation, citizenship status, mental or physical health, genetic or biometric data, and the personal data of minors, may only be collected and processed with the consumer’s opt-in consent.
  • Contracts with processors – A data controller must enter into a contract with each data processor that sets out the processor’s duties under the Colorado Privacy Act.
  • Data protection assessments – A data protection assessment must be conducted before any processing activity that presents a heightened risk of harm to consumers.

The Colorado Privacy Act takes effect on July 1, 2023. From July 1, 2024, one year after the effective date, consumers will be able to opt out of the processing of their personal data for targeted advertising or the sale of their data through a user-selected universal opt-out mechanism.

A violation of any provision of the Colorado Privacy Act is deemed a deceptive trade practice. The state Attorney General and district attorneys may take action against entities that commit violations.

Texas Legislature Approves Bill Requiring the State AG to Set up Data Breach ‘Wall of Shame’

The Texas Legislature has followed California and Maine in passing a bill that requires the Texas Attorney General to post notices of data breaches affecting state residents on the Attorney General’s public-facing website.

House Bill 3746, which amends Texas Business and Commerce Code § 521.053, received unanimous approval. It requires the Texas Attorney General to post data breaches that have affected at least 250 Texas residents, and the webpage must be updated within 30 days of receiving a breach notification.

Once a company is posted on the website, the listing remains for one year. The listing may be removed if the person or company has not experienced any further data breaches affecting at least 250 Texas residents during that one-year period.

Texas law requires that notices of system security breaches be provided to the state Attorney General within 60 days of discovery of the breach. The notification must include a detailed description of the nature of the incident, how it occurred, and whether sensitive data was obtained as a result of the breach. It must state the number of individuals known to have been affected at the time the notification is issued to the Attorney General, and must describe the measures taken in response to the breach, any further measures planned, and whether law enforcement is involved in the investigation.

The bill updates the existing breach notification requirements to additionally require that the Attorney General be told how many Texas residents had been sent breach notifications by mail or other direct communication at the time the notification was issued to the Texas Attorney General.

The bill now awaits the signature of Texas Governor Greg Abbott. If signed, it will take effect on September 1, 2021.

Clinical Laboratory Resolves HIPAA Security Rule Violations with OCR By Paying $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with Peachstate Health Management, LLC, also known as AEON Clinical Laboratories, to resolve multiple HIPAA Security Rule violations.

Peachstate is a CLIA-certified laboratory that provides a range of services, including clinical and genetic testing, through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR began a compliance review on August 31, 2016, after the U.S. Department of Veterans Affairs (VA) reported, on January 7, 2015, a breach of unsecured protected health information (PHI) involving its business associate, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach resulted from a failure to comply with the HIPAA Privacy and Security Rules.

During the breach investigation, OCR learned that on January 27, 2016, AHC had entered into a reverse merger with Peachstate and acquired ownership of Peachstate. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. In that review, OCR identified several potential HIPAA Security Rule violations.

Peachstate was found not to have conducted an accurate and thorough risk analysis to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and to have failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

No hardware, software, or procedural mechanisms had been implemented to record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.
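The audit-control standard cited in the Peachstate finding exists so that a covered entity can do what the Cedar Rapids hospital did in the Bacor case above: pull the access log for one patient's record and establish who opened it, how often, and whether a care relationship justified it. As an added illustration (not code from the page, from OCR, or from either organization), the Python below runs that kind of review over constructed sample EHR access-log lines and a constructed care-relationship table. The log format, user IDs, medical record numbers, the after-hours window and the repeat threshold are all assumptions made for the example.

```python
"""Audit-log review for ePHI access (added example, not from the page).

Flags record accesses with no documented care relationship, counts repeats,
and notes after-hours and export activity, the minimum a 45 C.F.R. 164.312(b)
audit-control mechanism has to support during a privacy investigation.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines: timestamp user role patient-MRN action.
# User IDs and MRNs are placeholders, not real people or data from the page.
SAMPLE_LOG = """\
2017-04-03T08:12:45 tech042 patient_care_tech MRN100201 VIEW_CHART
2017-04-03T08:14:02 tech042 patient_care_tech MRN100201 VIEW_IMAGE
2017-04-10T21:40:11 tech042 patient_care_tech MRN100201 VIEW_CHART
2017-05-02T13:05:33 rn017 nurse MRN100201 VIEW_CHART
2017-06-18T10:00:09 tech042 patient_care_tech MRN100377 VIEW_CHART
2017-07-22T09:58:51 tech042 patient_care_tech MRN100201 VIEW_IMAGE
2017-10-01T23:15:27 tech042 patient_care_tech MRN100201 EXPORT_IMAGE
"""

# Constructed care-relationship table: (user, MRN) pairs with an assignment
# (bed assignment, care team membership, etc.) that justifies access.
CARE_RELATIONSHIPS = {
    ("rn017", "MRN100201"),
    ("tech042", "MRN100377"),
}

# Assumed after-hours window for this example: before 07:00 or from 19:00.
AFTER_HOURS_START, AFTER_HOURS_END = 19, 7


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    mrn: str
    action: str

    def after_hours(self) -> bool:
        hour = int(self.ts[11:13])  # ISO-8601 timestamp, hour field
        return hour >= AFTER_HOURS_START or hour < AFTER_HOURS_END


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split()
        events.append(AccessEvent(ts, user, role, mrn, action))
    return events


def review_access(events, relationships, repeat_threshold: int = 3) -> list:
    """Return one finding per (user, MRN) pair that lacks a care relationship.

    Each finding carries the access count, whether it crosses the repeat
    threshold, how many accesses fell after hours, and whether any action
    exported data (the Bacor-style photo of an image leaving the system).
    """
    counts = Counter((e.user, e.mrn) for e in events)
    findings = []
    for (user, mrn), n in sorted(counts.items()):
        if (user, mrn) in relationships:
            continue  # documented care relationship: access is expected
        pair_events = [e for e in events if e.user == user and e.mrn == mrn]
        findings.append({
            "user": user,
            "mrn": mrn,
            "accesses": n,
            "repeated": n >= repeat_threshold,
            "after_hours": sum(e.after_hours() for e in pair_events),
            "exported": any(e.action.startswith("EXPORT") for e in pair_events),
            "actions": sorted({e.action for e in pair_events}),
        })
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS):
        print(f)
```

On the constructed log, the only finding is tech042 opening MRN100201 five times with no care relationship, two of them after hours and one an export; rn017's single access is cleared by the relationship table. In a real EHR the relationship table would come from the scheduling or bed-management system, and the threshold and hours would be tuned per role, but the structure of the review does not change.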

Peachstate agreed to settle the case, pay a $25,000 penalty, and adopt a thorough corrective action plan addressing all areas of noncompliance identified by OCR during the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

Clinical laboratories, like other covered healthcare providers, must comply with the HIPAA Security Rule. Failure to implement fundamental Security Rule requirements makes HIPAA-regulated entities attractive targets for malicious activity and puts patients’ ePHI at risk. This settlement demonstrates OCR’s commitment to ensuring that entities comply with the rules that protect the privacy and security of protected health information.

5 U.S. Bills Approved to Enhance Cyber Defenses of SLTT Governments and Critical Infrastructure Entities

In the wake of the ransomware attack on Colonial Pipeline, the SolarWinds supply chain attack, and President Biden’s cybersecurity executive order, the U.S. House Committee on Homeland Security has approved five bipartisan bills aimed at improving cybersecurity and strengthening the protection of critical infrastructure entities and state, local, tribal, and territorial (SLTT) governments.

The cyberattack on Colonial Pipeline forced the company to shut down its 5,500-mile fuel pipeline, which supplies 45% of the fuel used on the East Coast. To speed recovery and limit disruption, Colonial Pipeline CEO Joseph Blount authorized a $4.4 million ransom payment to the DarkSide ransomware gang; despite the payment, the pipeline remained shut down for 5 days, causing serious disruption to energy supplies.

These attacks have highlighted key weaknesses in cybersecurity defenses that must be addressed to strengthen national security.

The five bipartisan cybersecurity bills approved this week are:

1. The Pipeline Security Act (H.R. 3243), sponsored by Congressman Emanuel Cleaver (D-MO), was first introduced two years ago but failed to gain traction. The main objective of the reintroduced bill is to define the role of the Transportation Security Administration (TSA) in protecting the country’s natural gas and oil infrastructure and shielding pipeline systems against threats including cyberattacks and terrorist attacks.

2. The State and Local Cybersecurity Improvement Act (H.R. 3138), sponsored by Congresswoman Yvette D. Clarke (D-NY), authorizes the creation of a new $500 million grant program to provide funding to SLTT governments to help them secure their systems against ransomware and other cyberattacks.

3. The Cybersecurity Vulnerability Remediation Act (H.R. 2980), sponsored by Congresswoman Sheila Jackson Lee (D-TX), gives the DHS Cybersecurity and Infrastructure Security Agency (CISA) the authority to assist critical infrastructure owners and operators in developing mitigation strategies to protect against known critical vulnerabilities.

4. The CISA Cyber Exercise Act (H.R. 3223), sponsored by Congresswoman Elissa Slotkin (D-MI), establishes a National Cyber Exercise program within CISA to ensure regular testing of preparedness for and resilience against cyberattacks on critical infrastructure.

5. The Domains Critical to Homeland Security Act (H.R. 3264), sponsored by Ranking Member John Katko (R-NY), gives DHS the authority to conduct research and development on supply chain risks in critical domains of the U.S. economy and to report the findings to Congress.

Two further bills addressing non-cybersecurity matters were also approved: the DHS Blue Campaign Enhancement Act (H.R. 2795) and the DHS Medical Countermeasures Act (H.R. 3263). They respectively strengthen DHS’s efforts to combat human trafficking and DHS’s medical countermeasures against biological, chemical, radiological, nuclear, or explosive attacks, pandemics, and disease outbreaks.