Class Action Lawsuit Against EHR Vendor Over 320,000-Record Data Breach

QRS, a healthcare technology services company and EHR vendor based in Tennessee, is facing a class-action lawsuit because of a cyberattack in August 2021 that resulted in the exposure and potential theft of the protected health information (PHI) of about 320,000 patients.

The data breach investigation confirmed that a hacker had acquired access to one dedicated patient portal server between August 23 and August 26, 2021, and read and likely took files that contain patients’ PHI. Sensitive information kept on the server contained patients’ names, birth dates, addresses, usernames, medical data, and Social Security numbers. QRS started mailing notification letters to affected people in late October and provided identity theft protection services to those who had their Social Security number compromised.

Matthew Tincher, a resident in Frankfurt, KY, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS on January 3, 2022. Allegedly, QRS was at fault for not being able to reasonably secure, keep track of, and preserve the PHI and personally identifiable information (PII) saved on its patient website.

Due to those failures, the lawsuit claims Tincher and class members

  • have sustained actual, concrete, and impending injury, which include present injury and damages associated with identity theft, loss or diminished value of their PHI and PII
  • have suffered out-of-pocket expenditures from trying to remedy the breach of their sensitive information
  • had to spend time taking care of the outcomes of the unauthorized data access
  • they additionally face a continued and greater risk to their PHI and PII, which were unencrypted and stay available to unauthorized parties to access and abuse.

The lawsuit additionally takes issue with the speed at which QRS released breach notification letters, which were given about 2 months after discovering the breach. In those two months, the plaintiffs and class embers were not aware they were placed at substantial risk of identity theft, fraudulence, and personal, financial, and social harm.

The lawsuit states QRS had an obligation to make sure the PHI and PII in its patient website were properly protected, and the breach of its responsibilities to secure that data amounts to negligence and/or recklessness, which is a violation of federal and state legislation. The lawsuit alleges QRS signed business associate agreements (BAAs) with its healthcare provider clients, therefore was informed or should have been advised of its duties to ensure PHI was secured against cyberattacks. The lawsuit likewise lists cybersecurity measures proposed by the Cybersecurity and Infrastructure Security Agency (CISA) which should be enforced in that regard and states that QRS should have known the substantial risk of being attacked because of the large number of healthcare data breaches that were reported recently.

Lawsuits are usually filed versus healthcare providers because of data breaches that exposed sensitive information. Whether the legal action succeeds usually is determined by whether the plaintiffs could show they have endured an actual injury as a direct result of the data breach. Tincher says to have been informed regarding the breach on October 22, 2021, and within 3 days was the victim of real identity theft, and that it is very likely than not that his sensitive details were exfiltrated from the QRS patient portal during the data breach.

The lawsuit claims the total damages sustained by the plaintiff and class members go over the minimum $5 million jurisdictional sum mandated by the Court. The Court has control over the defendant since QRS operates and is integrated with the district. The plaintiff and class members desire unspecified damages, a jury trial, and injunctive and equitable relief.

HIPAA Violation Penalties in 2021

Two HIPAA enforcement actions in 2021 were not because of HIPAA Right of Acess violations.

1. Excellus Health Plan paid $5,100,000 as settlement

Excellus Health Plan based in Rochester, New York is a member of the Blue Cross Blue Shield Association. It was investigated because of a potential issue in HIPAA compliance after a 2015 data breach involving 9,358,891 records was reported. That data breach was one of 3 mega data breaches that health plans reported that year. Anthem Inc and Premera Blue Cross reported other two mega data breaches. The two had resolved their cases by paying big penalties.

Excellus found out about the breach in August 2015. Investigation of the breach confirmed that hackers got access to its networks from December 23, 2013 to May 11, 2015. Excellus reported the breach to OCR on September 9, 2015. The hackers installed malware enabling them to exfiltrate the information of about 7 million Excellus Health Plan members and roughly 2.5 million Lifetime Healthcare members. The data included names, contact details, birth dates, Social Security numbers, claims information, financial account details, health plan ID numbers, and clinical treatment data.

OCR’s investigation revealed several HIPAA violations, which included

  • the failure to perform a correct and complete company-wide risk analysis
  • the failure to minimize ePHI risks and vulnerabilities to an acceptable and proper level
  • an insufficiency of technical guidelines and procedures to restrict access to data and software programs to authorized individuals

Excellus decided to resolve the case and compensated a $5,100,000 fine and agreed to employ a complete Corrective Action Plan to deal with all sections of non-compliance.

2. Peachstate Health Management LLC, dba AEON Clinical Laboratories paid $25,000 as settlement

The enforcement action versus Peachstate Health Management is well known since this was the very first OCR investigation that ended in a financial penalty for HIPAA violations discovered in a firm that wasn’t the first issue of the investigation.

OCR started an investigation following the receipt of a report from the Department of Veteran Affairs in 2015 regarding a data breach of Authentidate Holding Corporation (AHC), its business associate. AHC handled the VA’s Telehealth Services Program and experienced a data breach. When investigating, OCR found out that on January 27, 2016, AHC had gotten into a reverse merger with Peachstate Health Management, which resulted in Peachstate being obtained by AHC. Peachstate is a CLIA-accredited lab that offers clinical and genetic testing services by means of its publicly traded parent firm, AEON Global Health Corporation (AGHC).

OCR subsequently started an investigation of Peachstate to evaluate its HIPAA Privacy and Security Rule compliance and discovered several HIPAA Rules violations. OCR discovered several HIPAA Security Rule problems, which include risk assessment, risk management, audit control problems, along with the failure to have HIPAA Security Rule policies and procedures documentation. AEON resolved the case by paying $25,000 and agreeing to a corrective action plan to mend its HIPAA violations.

2021 HIPAA Violation Cases and Penalties

In 2020, the Department of Health and Human Services’ Office for Civil Rights (OCR) resolved 19 HIPAA violation cases. There were more financial penalties issued in 2020 compared to previous years. The OCR received $13,554,900 as payment to resolve HIPAA violation cases. In 2021, OCR announced 14 enforcement actions, which shows a small decrease in the number of HIPAA violation settlements and penalties. In spite of this, the number of HIPAA fines in 2021 is the second-highest of any year ever since OCR began enforcing HIPAA Rules compliance.

Although the number of penalties remains high in 2021, there was a big decrease in fine amounts which was $5,982,150. $5,100,000 of that amount was from only one enforcement action. The majority of the penalties involved HIPAA Right of Access violations, which were investigated due to complaints submitted by patients who did not receive prompt access to their health care records. They were not penalties for multiple HIPAA Rules violations that affected big numbers of people. The $5,100,000 penalty paid by Excellus Health Plan was very big because there were several HIPAA Rules violations, covering several years, that resulted in a breach affecting the ePHI of 9,358,891 people.

Fines for HIPAA Right of Access Noncompliance

At the end of 2019, OCR introduced a new HIPAA enforcement initiative for non-compliance with the Right of Access standard of the HIPAA Privacy Rule. From then on, OCR has been strongly enforcing HIPAA Right of Access compliance. Since December 2021, OCR has issued 25 penalties for violations of the HIPAA Right of Access amounting to $1,564,650. The penalties vary from $3,500 to $200,000. 24 settlements and one civil monetary penalty, with a lot of the penalties issued on small healthcare companies.

The HIPAA Right of Access standard (45 C.F.R. § 164.524(a)) offers patients the right to access, check, and get a copy of their own protected health information (PHI) in a specified file set. Upon receipt of a request from a person or their own representative, the documents should be given in 30 days. A fair, cost-based price can be billed for giving a copy of the requested documents. A person’s request for access to his/her health records could be refused, however just in very few cases.

OCR checks complaints from people who assert they were refused access to their medical records, did not get records in 30 days or were billed high amounts for copies of their documents. The financial penalties enforced by OCR in 2020 for violations of the HIPAA Right of Access varied from $15,000 to $160,000 and were a result of refusals to give copies of documents or long delays. In numerous instances, records were just presented after OCR’s intervention.

2021 HIPAA Right of Access Enforcement Actions

1. Banner Health paid $200,000 as settlement
2. Rainrock Treatment Center LLC (dba monte Nido Rainrock) paid $160,000 as settlement
3. Dr. Robert Glaser paid $100,000 as Civil Monetary Penalty
4. Children’s Hospital & Medical Center paid $80,000 as settlement
5. Renown Health paid $75,000 as settlement
6. Sharpe Healthcare paid $70,000 as settlement
7. Arbour Hospital paid $65,000 as settlement
8. Advanced Spine & Pain Management paid $32,150 as settlement
9. Denver Retina Center paid $30,000 as settlement
10. Village Plastic Surgery paid $30,000 as settlement
11. Wake Health Medical Group paid $10,000 as settlement

Other HIPAA Violation Penalties in 2021

Only two HIPAA enforcement actions in 2021 were not caused by HIPAA Right of Acess violations.

1. Excellus Health Plan paid $5,100,000 as settlement
2. AEON Clinical Laboratories (Peachstate) paid $25,000 as settlement

Summary of HIPAA Enforcement Activities by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the primary HIPAA compliance enforcer; nevertheless, state Attorneys General likewise perform a part in implementing Health Insurance Portability and Accountability Act Rules.

The Health Information Technology for Clinical and Economic Health (HITECH) Act granted state attorneys general the power to take civil actions for state locals who were affected by HIPAA Privacy and Security Rules violations and could get damages for the sake of state residents.

The first to exercise this right is the Connecticut Attorney General in 2010 versus Health Net Inc. with regard to the missing unencrypted hard drive that contains the electronic protected health information (ePHI) of 1.5 million persons and deferred breach notices. The case was resolved for $250,000. The Vermont Attorney General next filed a suit having the same action versus Health Net in 2011 that was resolved for $55,000, and Indiana took a civil action versus Wellpoint Inc. in 2011, which was resolved for $100,000.

State Attorney HIPAA cases were fairly unusual incidences. There were just 11 settlements with covered entities and business associates that take care of HIPAA violations from 2010 to 2015. There were 5 HIPAA enforcement cases by state attorneys general in 2017 and 12 cases in 2018 resulting in financial penalties for HIPAA Rules violations.

From 2019 to 2020, there were 5 cases resulting in sizeable penalties. Four of the five cases were multistate actions versus HIPAA-covered entities and business associates, meaning a number of state attorneys general took part in the enforcement actions. These multistate actions permit state attorneys general to gather their resources and look into likely violations of HIPAA and state regulations more effectively.

If state Attorneys General take civil actions versus covered entities or business associates, they are distinct from any OCR actions.

A number of data breaches have led to settlements at the state and federal levels. University of Rochester Medical Center, Community Health Systems/CHSPSC, Premera Blue Cross, Anthem Inc., Aetna, Cottage Health System, and Medical Informatics Engineering have all resolved cases with OCR and state attorneys general to take care of likely HIPAA violations.

In a lot of the state AG enforcement actions listed below, violations of federal (HIPAA) and state regulations were resolved by financial penalties. Through the years, a number of cases had violated HIPAA Regulations, however, the decision was made to take action against violations of comparable terms in state regulations.

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was especially busy in HIPAA enforcement in 2021. It was the sole state to start its very own investigations and give financial penalties to settle HIPAA violations in 2021. New Jersey likewise took part in a joint analysis of the information breach at American Medical Collection Agency (AMCA). It was one of the biggest breaches of healthcare information ever. The AMCA HIPAA case resulted in the imposition of a $21 million financial penalty; nevertheless, because of the big costs sustained from the breach, AMCA submitted bankruptcy protection. Because of the financial status of the firm, the financial penalty was revoked and will just be paid when AMCA fails on the conditions of the settlement deal.

1. New Jersey – Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) paid $425,000 financial penalty in relation to a phishing attack and a data breach affecting 105,000 individuals.
2. New Jersey – Command Marketing Innovations, LLC and Strategic Content Imaging LLC paid $130,000 (Plus $65,000 suspended) in relation to Printing and mismailing incident affecting 55,715 individuals
3. New Jersey – Diamond Institute for Infertility and Menopause paid $495,000 in relation to the Hacking incident and data breach affecting 14,663 individuals.
4. Multi-state (41 state attorneys general) – American Medical Collection Agency – settlement amount of $21 million (suspended) in relation to hacking incident and data breach affecting 21 million

HIPAA Enforcement by State Attorneys General in 2020

1. Multistate (28 states) – Community Health Systems / CHSPSC LLC – paid $5,000,000 in relation to Hacking by a Chinese APT group affecting 6.1 million people.
2. Multistate (43 states) – Anthem Inc paid $39.5 million in relation to Phishing attack and a major data breach affecting 78.8 million people.

3. California – Anthem Inc paid $8.7 million in relation to a Phishing attack and a major data breach affecting 78.8 million people.

HIPAA Enforcement by State Attorneys General in 2019

1. Multistate (30 states) – Premera Blue Cross paid $10,000,000 in relation to the hacking incident and major data breach affecting 10.4 million.
2. Multistate (16 states) – Medical Informatics Engineering paid $900,000 in relation to Breach of NoMoreClipboard data affecting 3.5 million
3. California – Aetna paid $935,000 in relation to 2 mailings that exposed PHI (Afib, HIV) of 1,991 individuals

HIPAA Enforcement by State Attorneys General in 2018

1. Massachusetts – McLean Hospital paid $75,000 in relation to the loss of backup tapes affecting 1,500 people
2. New Jersey – EmblemHealth paid $100,000 in relation to a Mailing error that exposed SSNs impacting 6,443 (81,000) people.
3. New Jersey – Best Transcription Medical paid $200,000 for Exposure of ePHI in the Internet affecting 1,650 people.
4. Multistate (CT, NJ, DC) – Aetna paid $640170.59 in relation to two mailings that exposed PHI (Afib, HIV) and Impermissible disclosure of sensitive health information of 13,160 persons
5. Massachusetts – UMass Memorial Medical Group / UMass Memorial Medical Center paid $230,000 for Multiple data breaches affecting 15,000 individuals.
6. New York – Arc of Erie County paid $200,000 in relation to breach of ePHI on the Internet affecting 3,751 individuals
7. New Jersey – Virtua Medical Group paid $417,816 in relation to a breach of ePHI on the internet affecting 1,654 individuals
8. New York – EmblemHealth paid $575,000 in relation to Mailing error exposed SSNs affecting 81,122 individuals
9. New York – Aetna paid $1,150,000 in relation to 2 mailings that exposed PHI (Afib, HIV) affecting 12,000 individuals

HIPAA Enforcement by State Attorneys General in 2017

1. California – Cottage Health System paid $2,000,000 in relation to the exposure of PHI online affecting over 54,000 individuals
2. Massachusetts – Multi-State Billing Services paid $100,000 in relation to the theft of unencrypted laptop computer affecting 2,600 individuals
3. New Jersey – Horizon Healthcare Services Inc paid $1,100,000 in relation to the theft of 2 unencrypted laptop computers affecting 3.7 million individuals
4. Vermont – SAManage USA, Inc. paid $264,000 in relation to the exposure of PHI on the Internet affecting 660 individuals
5. New York – CoPilot Provider Support Services, Inc paid $130,000 in relation to delayed breach notification affecting 221,178 individuals

HIPAA Enforcement by State Attorneys General in 2015

1. New York – University of Rochester Medical Center paid $15,000 in relation to a nurse that disclosed its list of patients to a new employer, which affected 3,403 individuals
2. Connecticut – Hartford Hospital/ EMC Corporation paid $90,000 in relation to the theft of an unencrypted laptop with PHI affecting 8,883 individuals

HIPAA Enforcement by State Attorneys General in 2014

1. Massachusetts – Women & Infants Hospital of Rhode Island paid $150,000 in relation to the loss of backup tapes with PHI affecting 12,000 individuals
2. Massachusetts – Boston Children’s Hospital paid $40,000 in relation to the loss of a laptop with PHI affecting 2,159 individuals
3. Massachusetts – Beth Israel Deaconess Medical Center paid $100,000 in relation to the loss of laptop with PHI affecting 3,796 individuals

HIPAA Enforcement by State Attorneys General in 2013

1. Massachusetts – Goldthwait Associates paid $140,000 in relation to the mishandling of PHI affecting 67,000 individuals

HIPAA Enforcement by State Attorneys General in 2012

2. Minnesota – Accretive Health paid $2,500,000 in relation to the mishandling of PHI affecting 24,000 individuals
3. Massachusetts – South Shore Hospital paid $750,000 in relation to the loss of backup tapes with PHI affecting 800,000

HIPAA Enforcement by State Attorneys General in 2011

1. Vermont – Health Net Inc. paid $55,000 in relation to the loss of unencrypted hard drive/overdue breach notifications affecting 1,500,000 individuals
2. Indiana – WellPoint Inc. paid $100,000 to resolve its violation of breach notification requirements affecting 32,000 individuals.

HIPAA Enforcement by State Attorneys General in 2010

1. Connecticut – Health Net Inc. paid $250,000 in relation to the loss of an unencrypted hard drive affecting 1,500,000 individuals

Accountancy Company Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The certified public accounting company in Chicago, IN, Bansley & Kiener LLP, is looking at a class-action lawsuit in relation to a data breach that was reported to federal regulators this December 2021.

The breach happened in the second half of 2020. The investigation suggested that hackers gained access to its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener found out about the breach on December 10, 2020, when attackers used ransomware to encrypt files. Bansley & Kiener revealed in its breach notification letters that on May 24, 2021, the hackers had exfiltrated information from its systems prior to encrypting data files.

Bansley & Kiener manages health insurance, payroll, and pension plans for its customers. In total, the sensitive information of 274,000 people was breached, including names, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, tax IDs, military IDs, financial account data, payment card numbers, medical data, and complaint reports.

Although the attack was identified in December 2020, Bansley & Kiener issued the notification letters only on December 2021 to affected persons and notified the state attorneys general and the HHS’ Office for Civil Rights about the breach, 6 months after the confirmation of the theft of sensitive data.

Mason Lietz & Klinger LLP filed the lawsuit in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. According to the lawsuit, Bansley & Kiener was unable to protect the sensitive information of its clients and didn’t provide timely, sufficient, and accurate notice of the data breach to persons whose sensitive information was stolen.

Based on the lawsuit, Bansley & Kiener without need deferred the sending of notifications regarding the data breach, even if the people whose data was stolen were placed at substantial danger of identity theft and various other types of personal, social, and financial ruin. When the notifications were provided, they did not completely explain the nature of the breach. They did not state that this was a ransomware attack and called the incident as an unauthorized person acquiring access to its network that led to the file encryption.

The legal action additionally takes up the data breach response. After knowing about the attack, files were restored from backups and regular business operations were started again, and it was solely when it was found out that information was exfiltrated from its systems, 5 months following the attack, that cybersecurity specialists were hired to investigate the breach.

The lawsuit claims Bansley & Kiener experienced a data breach because of “negligent and/or careless acts and omissions” associated with the securing of sensitive data, and did not keep track of its systems for security issues. The lawsuit states victims of the breach have sustained out-of-pocket expenditures associated with the prevention, discovery, and resolution of identity theft and/or unauthorized use of their information, have spent time attempting to offset the results of the data breach, and have suffered from the lost or reduced value of their personal data.

The lawsuit wants actual, nominal, and consequential damages, punitive compensation, injunctive relief, legal charges, as well as a jury trial.

Many Patients Don’t Believe in Their Healthcare Providers to Safely Keep PII and Payment Data

In 2019, the rate of more than 1 healthcare data breach report per day was scary. In 2021, some months had healthcare data breaches happening at a rate of over 2 per day. With data breaches happening so frequently and ransomware attacks affecting healthcare offerings, it is not surprising that a lot of patients don’t fully trust their healthcare companies when it comes to securing sensitive personally identifiable information (PII).

According to a new survey done by Dynata for Semafone, 56% of patients at private practices stated they don’t believe their healthcare providers could safeguard PII and payment data. Smaller healthcare companies have little budget to spend for cybersecurity compared to bigger healthcare organizations, yet belief in big hospital networks is considerably less. Just 33% of patients of big hospital systems believed in them to be capable of protecting their PII.

The HHS’ Office for Civil Rights, the primary body that enforces HIPAA compliance, has increased the enforcement of HIPAA compliance in recent years and is more and more issuing financial fines for violations of the HIPAA Privacy and Security Rule. The survey affirmed that patients would like healthcare companies to deal with financial penalties when they do not make sure the privacy of healthcare information. Of 10 patients, 9 approve penalizing healthcare companies that do not employ proper protections to avert healthcare data breaches.

Additionally, when data breaches happen, patients are happy to switch companies. 66% of patients mentioned they would switch to another healthcare provider in case their PII or payment data was exposed in a data breach that happened because of the inability to carry out proper security procedures. One more 2021 survey, carried out on behalf of Armis, got the same results. 49% of patients stated they will change healthcare providers in case their PHI was exposed to a ransomware attack.

The pandemic has heightened the risk patients deal with because of healthcare data breaches. Prior to the pandemic, a lot of patients settled their hospital bills personally or by mail, however, the Semafone survey revealed a decline in both payment methods, as a lot of patients are now opting to y electronically. In-person payments decreased by 28% and mail-in payments decreased by 17%. As financial data is more likely to be saved by healthcare companies, the risk of financial problems due to a data breach has gone up considerably.

Semafone showed in its 2021 State of Healthcare Payment Experience and Security Report that because of a lot more healthcare data breaches, patients have an increased sense of awareness and attention to what their providers do to safeguard their data. Semafone advises healthcare companies, and particularly big hospital networks, to give more focus on the digital transformation steps they do to secure sensitive data.

Irrespective of size, the whole healthcare sector should do better at managing and avoiding data breaches, stated Gary E. Barnett, Semafone’s CEO. The large number of healthcare data breaches is a problem. Thankfully, there are options that offer security and assistance to satisfy compliance requirements, however many organizations nowadays continue to depend on obsolete processes for day-to-day operations. It is not acceptable to assert they do not know that very efficient, effective, and automated solutions are available to help save time, money, and trouble. Healthcare companies need to seek the appropriate technologies and operations to safeguard the patient experience.

Although the majority of patients (75%) claimed they feel assured that their healthcare companies are doing well at sharing how payment data is protected, only 50% stated they are aware of where their payment information was kept. Considering the big number of people who do not know where their information is kept, providers have a chance to educate and communicate with patients more to, subsequently, enhance the experience and general confidence on the providers from here onwards.

New Jersey Fines Hackensack Healthcare Organizations for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has reported a settlement of a data breach investigation that involved violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)

Regional Cancer Care Associates based in Hackensack, NJ is an umbrella name for three healthcare organizations that manage healthcare facilities in 30 areas in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, certain email accounts of employees were exposed. Employees had responded to targeted phishing emails and revealed their credentials, which granted the scammers to get access to their email accounts as well as the protected health information (PHI) of more than 105,000 people. The email accounts included PHI including names, Social Security numbers, driver’s license numbers, health records, bank account data, and credit card data.

In July 2019, breach notification letters were mailed to 13,047 persons by a third-party provider; nevertheless, the letters were mailed by mistake to the persons’ next-of-kin. The notification letters showed sensitive details like the patient’s medical conditions, such as cancer diagnoses, when permission to disclose that data was not provided by the patients.

In the two cases, the PHI of over 105,000 persons was compromised or impermissibly disclosed, which includes the PHI of about 80,000 New Jersey locals.

According to New Jersey Acting Attorney General Bruck, New Jerseyans fighting cancer must never have to stress about whether their medical care providers are appropriately securing their personal details from cyber threats. Healthcare companies should implement sufficient security measures to protect patient information, and companies that fall short will be held accountable.

Allegedly, the organizations have violated the HIPAA and the Consumer Fraud Act by

  • not being able to make sure the confidentiality, integrity, and availability of patient information
  • not protecting against fairly expected threats to the security/integrity of patient data
  • not implementing security procedures to minimize risks and vulnerabilities to an acceptable level
  • not conducting an accurate and extensive risk assessment
  • not implementing a security awareness and training course for all members of its workforce.

As per the terms of the settlement, three organizations will pay a financial penalty of $425,000 and have to employ additional privacy and security steps to make certain the integrity, confidentiality, and availability of PHI.

The companies must use and adopt a detailed information security plan, a written incident response plan, and cybersecurity operations center, use a CISO to supervise cybersecurity, carry out initial training for workers and annual training on information privacy and security policies, and acquire a third-party evaluation on policies and procedures associated with the collection, storage, maintenance, transmission, and disposal of patient information.

Division of Consumer Affairs Acting Director Sean P. Neafsey stated that organizations have a responsibility to take purposeful steps to protect protected health and personal data and to avert unauthorized disclosures. The Consumer Affairs investigation showed that RCCA did not completely follow HIPAA requirements, but the firms have decided to enhance their security measures to make sure to secure consumers’ information.

New Jersey is very active in HIPAA enforcement. In the past few months, there were settlements reached with two companies for HIPAA and the Consumer Fraud Act violations. A New Jersey fertility clinic paid a fine of $495,000 in October, and two printing businesses paid a penalty of $130,000 in November.

Approximately 50,000 Health Plan Members Affected by Broward County Public Schools Ransomware Attack

In March 2021, Broward County Public Schools based in Florida encountered a ransomware attack and its files were encrypted. According to the breach investigation results, unauthorized individuals first gained access to the school network on November 12, 2020. Ransomware was deployed on March 6, 2021. Broward County Public Schools uncovered the ransomware attack on March 7, 2021.

The hackers issued a ransom demand of $40 million in exchange for the file decryption keys, which was afterward decreased to $10 million, however, the school district did not pay. At first, it did not seem like that any sensitive data was obtained in the ransomware attack, however, on April 19, 2021, it was found out that a number of files kept on its systems were stolen the minute they were published publicly on the Conti ransomware group’s data leak website.

Schools aren’t typically covered by the Health Insurance Portability and Accountability Act (HIPAA), thus HIPAA breach notifications aren’t necessary when student information is compromised; nevertheless, in this case, the school district is actually a HIPAA-covered entity because it runs a self-insured health plan.

It was established on June 8, 2021 that certain files acquired by the attackers contained names and Social Security numbers. Further review of the security breach confirmed on June 29, 2021 that the hackers had viewed and possibly stole the protected health information (PHI) of health plan members, which include names, Social Security numbers, dates of birth, and benefits selection details.

Those people are now being advised regarding the breach and probable theft of their information, more than a year after the first breach of its systems and 5 months after discovering that their PHI had been impacted. Chief Communications Officer Kathy Koch explained the delay in sending notifications as due to “a time-consuming analysis of the data that might have been gotten by the unauthorized party.” No cost credit monitoring services are currently being given.

It is uncertain how many persons, all in all, were affected by the breach, nevertheless, the breach report was sent to the HHS’ Office for Civil Rights as impacting 48,684 persons.

Medical Biller Sentenced to Jail for Identity Theft, Healthcare Fraud, and Tax Crimes

A medical biller based in Tampa Bay, Florida has confessed to four counts of aggravated identity theft, four counts of healthcare fraud, two counts of failure to submit a tax return, and one count of submitting a false tax return.

Joshua Maywalt, 40 years old, was employed as a medical biller at a Clearwater firm that offered medical billing and credentialing services to a variety of healthcare company clients in Florida. As a medical biller, he got access to the firm’s financial information, names of the medical provider, and patient data.

Maywalt had worked on the Tampa Bay area doctor’s account and filed claims to Florida Medicaid HMOs for services given by that doctor to Medicaid recipients. Maywalt tampered with the company’s patient data and utilized the name and ID number of the doctor to file fake and fraudulent claims to a Florida Medicaid HMO for healthcare services that Maywalt reported were given by the doctor when they were not. The “pay to” details on the claims for the fictitious healthcare services was modified to account numbers controlled by Maywalt.

Maywalt was unable to submit a tax return in 2017 and 2018 with the Internal Revenue Service and submitted a fake tax return for the 2019 tax wherein he significantly underreported his earnings since he didn’t include the amounts he paid into his bank accounts from his fake billing activities.

Based on the United States Attorney’s Office, Middle District of Florida, Maywalt will surrender $2.2 million in cash and real estate property, which are directly linked to his crimes. He is currently facing a maximum imprisonment term of 53 years, 10 years for every healthcare fraud count, about 3 years for the falsified filing of tax return, about 2 years for every count of inability to submit a tax return, and a compulsory 2 years for every count of aggravated identity theft. The sentences for aggravated identity theft will be enforced consecutively.

The Department of Health and Human Services’ Office of the Inspector General, the Florida Attorney General’s Medicaid Fraud Control Unit, the Federal Bureau of Investigation, and the Internal Revenue Service – Criminal Investigation investigated the case.

HHS’ Office for Civil Rights Issues 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is carrying on with its implementation of the HIPAA Right of Access compliance and has lately published another 5 financial penalties. The HIPAA Right of Access enforcement effort was introduced in the autumn of 2019 as a resolution to a substantial number of reports from patients who didn’t obtain quick access to their health files.

The HIPAA Privacy Rule demands covered entities to give people access to their health care files. A copy of the medical records must be given in 30 days after the request is submitted, but a 30-days extension can be given in some instances. HIPAA-covered entities are authorized to bill patients for the copy of medical data, however, they may just demand a fair, cost-based rate. Labor costs are simply allowed for duplicating or otherwise producing and sending the PHI right after it has been identified.

The enforcement steps thus far were not enforced for billing excessive sums, just for impermissibly declining to give a copy of the required documents or for unnecessary slowdowns. In a number of cases, patients needed to wait several months before they received a copy of their data.

Based on the most current announcement of OCR, there are up to 25 HIPAA Right of Access enforcement actions released with the 2019 enforcement project.

In the 5 new cases listed, OCR confirmed the healthcare companies violated 45 C.F.R. § 164.524 and did not provide prompt access to protected health information (PHI) regarding the person after getting a request.

Advanced Spine & Pain Management, a healthcare company providing chronic pain-connected medical services in Cincinnati and Springboro, OH, decided to resolve OCR’s investigation and paid for the financial fine. OCR is going to keep track of the provider’s compliance with its corrective action plan for two years. The investigation was prompted by a complaint by a patient who asked for his medical documents on November 25, 2019, however failed to acquire the records up to March 19, 2020.

Denver Retina Center located in Denver, CO, a provider of ophthalmological services, settled its case with OCR and made payment for a $30,000 financial penalty. It will be monitored for compliance with its corrective action plan for 12 months. A patient stated she had requested her medical documents in December 2018 but did not get a copy of her data until July 26, 2019. OCR had provided technical support to the healthcare organization following getting an earlier HIPAA Right of Access complaint from the same patient and closed the case. When proof was obtained concerning continued failure to comply the case was re-opened. OCR established that besides the delay, Denver Retina Center had access policies and protocols that did not comply with the HIPAA Privacy Rule, as demanded by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock) based in Eugene, OR, a residential eating disorder treatment services provider, resolved OCR’s investigation and paid a $160,000 financial penalty and is going to be supervised if complying with the corrective action plan for a year. OCR received three patient complaints about not receiving the requested copy of her health information. The patient asked for a copy of her documents on October 1, 2019, and November 21, 2019, and didn’t get the requested information until May 22, 2020.

Wake Health Medical Group located in Raleigh, NC, primary care and other health care services provider, resolved OCR’s investigation and made a payment of $10,000 as a financial fine and will implement corrective action to avoid other HIPAA Right of Access violations. OCR got a patient complaint after the patient asked for a copy of her medical information on June 27, 2019 and paid a flat fee of $25, which is the normal cost charged by Wake Health Medical Group for giving copies of health documents. By the date of the settlement, the patient still did not receive the requested information.

Cardiovascular disease and internal medicine doctor Dr. Robert Glaser from New Hyde Park, NY didn’t cooperate with OCR at the time of the investigation, though didn’t argue the results and waived his right to a hearing. OCR imposed a civil monetary penalty of $100,000. An investigation was launched right after getting a complaint from a former patient who stated he had submitted several written and verbal requests for a copy of his medical documents between 2013 and 2014. The complaint was sent to OCR on November 9, 2017, which was closed by OCR on December 15, 2017, subsequent to telling Dr. Glaser to check the complaint and deliver the asked for documents if the requests were consistent with the HIPAA Right of Access. The patient submitted a further complaint to OCR on March 20, 2018, and furnished evidence of more written requests. OCR tried to get in touch with Dr. Glaser on a number of occasions by letter and phone, nevertheless, he repeatedly did not respond, therefore the decision to issue a civil monetary penalty.

Upstate Homecare, Sarasota MRI, and Consociate Health Notify Patients About Data Breaches

Upstate Homecare, Consociate Health and Sarasota MRI, and have recently alerted regulators and patients regarding security incidents affecting their personal data and protected health information (PHI).

Upstate Homecare Informs 5,100 Patients Regarding Ransomware Attack

The home healthcare provider based in Albany, NY, Upstate Healthcare, has informed 5,114 patients concerning a recent ransomware attack whereby patient information was stolen.

The breach notification letters did not state clearly when the attack occurred; nevertheless, a third-party cybersecurity company conducted an investigation and determined on November 4, 2021 the theft of patient data and the posting of the information to a data leak website on the darknet.

The stolen information included full names, email addresses, physical addresses, dates of birth, telephone numbers, driver’s license numbers, Social Security numbers, bank account details, treatment data, patient ID numbers, physicians’ names, and Medicaid/Medicare numbers.

After the attack, Upstate Healthcare carried out a thorough evaluation of its security measures and has put in place extra safeguards to better secure its systems and data against pending attacks. Affected people were alerted on November 24, 2021, and received offers for complimentary access to identity theft monitoring and restoration services.

Sarasota MRI Alerts Patients Concerning Potential PHI Compromise

Sarasota MRI located in Florida has begun notifying selected patients regarding the likely breach of some of their protected health information. In late July 2020, a third-party, unaffiliated cybersecurity agency contacted Sarasota MRI to inform it about the misconfiguration of its servers, which permitted the access of information on the server.

It was confirmed that the affected server was not in use and information had been transferred to another server. In addition, an evaluation of the server showed no evidence that suggests access by unauthorized persons, apart from the security firm that discovered the wrong configuration.

Nonetheless, because it wasn’t possible to exclude the exposure of individuals’ names, birth dates, health data, and medical photos, affected persons are now being informed. Based on the breach notification letter sent to the Vermont attorney general last November 12, 2021, Sarasota moved immediately to repair the problem and performed an investigation into a possible breach, and took action to protect its systems.

Consociate Health Detects Breach at Employee Benefits Plan Administrator

Consociate Health, a company providing employee benefits programs and plan administration services, has just finished a 10-month investigation into a data breach impacting the PHI of 982 people. The investigation revealed the breach just impacted the PHI of persons from January 1, 2014, through December 31, 2015.

The types of information exposed included names, addresses, dates of birth, diagnosis codes, medical record numbers, medical insurance data, medical record data, and Social Security numbers.

There was no proof found that suggests the misuse of any PHI has however, as a safety measure, affected people got 12-months free access to identity theft monitoring services.

Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply

Three Rivers Regional Commission, Retinal Consultants Medical Group, and ACE Surgical Supply have recently reported cyberattacks whereby unauthorized individuals may have obtained the protected health information (PHI) of patients.

11,603 Retinal Consultants Medical Group Patients Affected by Hacking Incident

Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, states it encountered a sophisticated cyberattack that was discovered on or around July 12, 2021 and resulted in a service disruption.

Vitreo-Retinal Medical Group hired third-party cybersecurity specialists to help re-establish its systems and inspect the nature and magnitude of the attack. Although the investigation confirmed that unauthorized people had acquired access to its computer network, it did not say if the unauthorized individual accessed or exfiltrated any PHI. No report was obtained that suggests actual or attempted patient data misuse.

A thorough manual and programmatic evaluation of the affected systems affirmed the potential compromise of the following types of sensitive information: name, address, date of birth, medical problem or treatment details, medical record number, patient account number, diagnosis code, Medicaid/Medicare data, name of treating physician, health insurance details, and username/password. The Social Security numbers of a limited number of patients were also kept on the impacted systems.

Vitreo-Retinal Medical Group reports that third-party cybersecurity specialists were helping with the analysis of its security systems and extra measures will be put in place, as needed, to enhance data security.

The medical group sent notifications to the affected persons starting on November 9, 2021, and complimentary credit monitoring services were given where necessary.

2,000 Patients Impacted by Three Rivers Regional Commission Ransomware Attack

The regional planning organization located in Griffin, GA, Three Rivers Regional Commission, has found out that unauthorized persons may have obtained the PHI of about 2,000 people due to a ransomware attack.

The attack was discovered on July 20, 2021, when staff members could not access its computer systems. Third-party cybersecurity professionals assisted Three Rivers Regional Commission to find out whether the attacker acquired access to its systems between July 18, 2021 and July 20, 2021 and prior to deploying ransomware, exfiltrated files that contain sensitive records.

The forensic investigation is not yet over and breach notification letters will be sent to the impacted persons upon identification of their identities and contact data. At this period, these types of details are considered to have been exfiltrated in the attack: Name, Social Security number, address, driver’s license number, and medical data, such as diagnosis and treatment details, lab test results, medicines, and Medicare/Medicaid ID numbers.

Three Rivers Regional Commission stated it is using extra administrative and technical safeguards to safeguard the records in its systems.

Cyberattack on ACE Surgical Supply Affects 12,122 People

ACE Surgical Supply based in Brockton, MA has learned that an unauthorized person has accessed its IT environment and may have viewed or acquired the protected health information of 12,122 people.

The attacker accessed its IT systems on June 29, 2021. The breach was identified the same day. The investigation affirmed that the impacted systems held personal information as well as financial account numbers, debit/credit card data, and details that could possibly permit account access.

ACE Surgical Supply mentioned affected persons were provided two-year credit monitoring and identity theft protection services for free.

More than 650K Patients of Community Medical Centers Informed Concerning Hacking Incident

Hackers potentially obtained the protected health information (PHI) of more than 650,000 patients of Community Medical Centers (CMC) based in California.

CMC is a not-for-profit network of community health centers that serve patients in the Solano, San Joaquin, and Yolo counties in Northern California. CMC noticed suspicious activity in its computer systems on October 10, 2021, and de-activated its systems to stop further unauthorized access. An investigation was begun to know the nature and magnitude of the breach, with support provided by third-party cybersecurity specialists.

The forensic investigation affirmed that unauthorized people had obtained access to areas of its network where protected health information was saved, which include first and last names, dates of birth, mailing addresses, Social Security numbers, medical data, and demographic details.

Because of the sensitive nature of the compromised data, CMC is giving complimentary identity theft protection, identity theft resolution, and credit monitoring services to affected persons. CMC mentioned it has affirmed its systems are now secure, policies and protocols have been evaluated and updated to enhance security, and information management policies were examined and updated.

CMC has notified law enforcement about the breach, including the appropriate state attorneys general and the Department of Health and Human Services.

The breach report sent to the Maine attorney general states that the PHI of 656,047 people were possibly exposed.

Professional Healthcare Management Suffers Ransomware Attack

Professional Healthcare Management (PMH) has started sending notifications to some patients regarding the potential compromise of some of their PHI in a ransomware attack that happened in September 2021.

PMH discovered the attack on September 14 and quickly took action to secure its servers and workstations. Third-party cybersecurity and incident response professionals helped PMH to promptly protect and reestablish its networks and operations. The healthcare provider conducted an investigation to find out the nature and extent of the breach and confirmed that hackers potentially obtained the personal data and PHI of patients.

The breach investigation is ongoing however, at this point, no evidence of patient data theft or misuse has been identified; nevertheless, notification letters are currently being delivered to impacted persons and the incident report was sent to the HHS’ Office for Civil Rights.

PMH said the following types of patient information were likely compromised: Social Security numbers, first and last names, health insurance details (Medicaid number, Medicare number, and insurance identification number), diagnosis code(s), and prescription name(s).

Further safeguards are being put in place to enhance IT security, cybersecurity guidelines, and protocols are being modified, and extra cybersecurity training was given to the employees.

UPMC Hacker Gets Maximum Sentence of 7 Years in Prison

The hacker behind the unauthorized access to the University of Pittsburgh Medical Center (UPMC) data storage and theft of the W-2 details and personally identifiable information (PII) of around 65,000 UPMC workers has been presented with the maximum punishment for the violation and will be in prison for 7 years.

Sean Johnson, from Detroit, Michigan, otherwise known as TheDearthStar and Dearthy Star – hacked into the UPMC data bank in 2013 and 2014 and took highly sensitive details. Then he offered for sale the stolen information on dark web hacking sites. Identity thieves utilized the data to file bogus tax returns in the names of UPMC workers. The Department of Justice (DOJ) additionally alleged Johnson performed more cyberattacks between 2014 and 2017 and stole the PII of another 90,000 persons. Those sets of records were likewise marketed to identity thieves on dark web sites.

A total of $2.2 million fake tax returns were registered and approximately $1.7 million was paid out by the IRS. The money gotten were changed to Amazon gift cards and were utilized to order high-value merchandise that were transported to Venezuela.

Three co-collaborators of Johnson were detained and charged for their part in the UPMC attack. In August 2016, Cuban Yolandy Perex Llanes was deported to America. In April 2017, he pleaded guilty to doing cash laundering and aggravated identity theft. He also got sentenced to 6 months in jail in 2017.

In April 2017, Justin A. Tollefson from Spanaway, Washington pleaded guilty to committing four counts of utilizing the compromised identities of UPMC staff members to file fake tax returns. He had purchased the PII on a dark website and employed the information to submit bogus tax returns using the names of 4 UPMC staff. $56,333 was disbursed by the IRS in income tax refund amounts, nevertheless, Tollefson was busted before he had gotten any money. The judge was easygoing as Tollefson hadn’t profited from the theft and penalized him to three years of probation in 2017.

Maritza Maxima Soler Nodarse, a citizen of Venezuelan, pleaded guilty to doing conspiracy to deceive the United States in July 2017 for her part in the identity theft and tax fraud criminal acts. She was given a 16-month sentence in jail and was repatriated to Venezuela.

Johnson got the maximum sentence even after pleading guilty to the hacking offenses as a result of the degree of the offenses and the consequence they had on the victims. Chief United States District Judge Mark R, Hornak explained Johnson’s actions were dreadful to victims and his hacking work exhibited no consideration for them. “The actions of hackers just like Justin Johnson can have long-term and damaging consequences on innocent individuals.

Johnson was punished to spend 5 years in prison for the conspiracy to con the U.S. charge and a compulsory 2-year sentence for aggravated identity theft, with the sentences to go one after another.

The information stolen by Justin Johnson consists of the names, addresses, Social Security numbers, and salary data of countless UPMC personnel. He sold that personal data on the dark website so that other scammers could additionally take advantage of his victims. Today’s sentence sends a dissuasive message that hacking has really serious penalties.

Ransom Disclosure Act Demands Disclosure of Payments to Ransomware Gangs Within 48 Hours

New legislation was created that calls for ransomware attack victims to reveal any ransom payments made to the attackers to the Department of Homeland Security (DHS) in 48 hours after paying the ransom.

Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) introduced the Ransom Disclosure Act. The bill aims to give the DHS the information it needs to look into ransomware attacks and enhance information about how cybercriminal enterprises work, therefore permitting the DHS to obtain a better idea of the ransomware threat experienced by the United States.

From 2019 to 2020, ransomware attacks increased by 62% globally, and by 158% in America. The Federal Bureau of Investigation (FBI) had gotten 2,500 complaints concerning ransomware attacks in 2020, 20% higher compared to the earlier year and $29 million more reported losses because of ransomware attacks in 2020. Not all ransomware attacks are documented. A lot of victims decide to silently pay the hackers to get the keys to decrypt their files and avoid the public disclosure of any breached data in the attack.

Chainalysis thinks ransomware gangs globally got paid about $350 million in cryptocurrency in 2020, which is increased by 311%. Attacks have persisted to increase in 2021. As per Check Point’s mid-year security report, the first half of 2021 had 93% more ransomware attacks than the equivalent time period last year.

Just as the ransomware attack on Colonial Pipeline showed, the people behind these attacks present a considerable national security danger. That attack led to the closure of a big fuel pipeline for about a week. The attack on JPS Foods impacted food production, and the big number of attacks on the healthcare sector has affected the capability of healthcare providers to provide treatment to patients. This year, CISA stated ransomware attacks slow down care and impact patient outcomes, and there was a fatality in the U.S. which is claimed to have been because of a ransomware attack.

Ransomware attacks continue to go up considering that they are profitable and provide ransomware groups and their affiliates a very good profit. There is also little threat of being captured and brought to courts. Sadly, investigations of ransomware gangs may be hampered by insufficiency of information, therefore the intro of the Ransom Disclosure Act.

Although the FBI prompts the ransomware attacks reporting to help investigations, it is not obligatory. Sad to say, since victims are not mandated to report ransomware attacks or payments to federal authorities, the vital data required to understand these cybercriminal groups is lacking to deter these intrusions, stated Congresswoman Ross. This law will implement crucial reporting requirements, which include the amount of ransom demanded by the attackers and paid, and the type of currency employed. The U.S. can’t continue to battle ransomware attacks without knowing this information.

The Ransom Disclosure Act will necessitate:

  • Ransomware victims (except individuals) to make known any ransom payments in 48 hours after making the payment, which includes the amount, currency utilized, and any details that were collected on the entity demanding the ransom.
  • The DHS will need to publish data compromised during the prior year concerning the ransoms paid, excluding identifying data related to the entities who paid.
  • The DHS will have to create a website for persons to voluntarily report payments of ransom.
  • The Secretary of Homeland Security will be asked to perform research on commonalities among ransomware attacks and the magnitude to which cryptocurrency was needed the attacks, and give recommendations for safeguarding information systems and boosting cybersecurity.

Guidance about HIPAA and COVID-19 Vaccination Status Disclosures Published by OCR

The Department of Health and Human Services’ Office for Civil Rights has given guidance to instruct people regarding the application of the Health Insurance Portability and Accountability Act (HIPAA) Rules to disclosures of COVID-19 vaccination status data and requests from persons regarding whether a man or woman has received vaccination against COVID-19.

OCR pointed out in the guidance that HIPAA is applicable to HIPAA-governed entities. HIPAA-covered entities refer to the healthcare providers, health plans, and healthcare clearinghouses that carry out routine electronic transactions, and business associates of those entities that get access to or use protected health information (PHI). OCR informed the public that the HIPAA Privacy Rule doesn’t apply to employers or employment data. That comprises details accumulated or kept by HIPAA-governed entities in their capacity as an employer.

OCR discussed how HIPAA is applicable to COVID-19 vaccination details in specific scenarios by means of a website Q&A and says:

The HIPAA Privacy Rule can’t forbid businesses or men and women from inquiring if their customers or clients have acquired a COVID-19 vaccine. Persons who are employed at a HIPAA-covered entity or business associate are not banned from questioning if somebody has been given a vaccine.

The HIPAA Privacy Rule won’t stop customers or clients of an organization from revealing whether or not they have gotten a COVID-19 vaccine.

The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.

The HIPAA Privacy Rule doesn’t hinder a covered entity or business associate from demanding its staff members to reveal to their employers or other persons whether or not the staff members have acquired a COVID-19 vaccine.

OCR has established that, normally, the HIPAA Privacy Rule discourages a doctor’s office from sharing a person’s PHI, such as COVID-19 vaccination data, to the patient’s company or other parties. Such disclosures are permitted if in keeping with other rules and appropriate ethical principles, for example disclosing to a health plan to get paid for providing the vaccine and sharing of such data to public health authorities.

OCR spelled out that there are instances when a HIPAA-covered healthcare facility is granted to disclose PHI pertaining to a patient’s vaccination condition to the person’s boss.

This is solely possible to enable the workplace, to perform an analysis associated with medical monitoring of the workplace (e.g., surveillance of the spread of COVID-19 in the labor force), or to examine if the person has a work-connected health issue. In such circumstances, disclosures are merely authorized if all the subsequent conditions are satisfied:

The covered hospital is giving the health care service to the man or woman as requested by the individual’s boss or as a fellow member of the employer’s employed pool.

The PHI that is shared involves results about work-associated health issues or workplace-linked medical monitoring.

The company needs the information so as to follow its commitments under the appropriate governing bodies of the Mine Safety and Health Administration (MSHA), the Occupational Safety and Health Administration (OSHA), or state legislation with the same goal.

The covered health care company presents written notice to the patient that the PHI linked to the medical monitoring of the work area and work-connected ailments will be revealed to the manager.

This guidance is being issued to support individuals, organizations, and health care entities to know when HIPAA can be applied to disclosures about COVID-19 vaccination state and to make certain that they already have the details they need to have to make well-informed judgments concerning securing themselves and other individuals from COVID-19.

Lisa J. Pino is the New HHS’ Office for Civil Rights Director

Lisa J. Pino is now the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR). She replaced Robinsue Frohboese, who was the acting OCR Director after the resignation of Roger Severino in the middle of January.

It is the primary responsibility of OCR to ensure that covered entities comply with the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification Rules, Patient Safety Rule, and the Patient Safety and Quality Improvement Act, in addition to the enforcement of federal civil rights, conscience, and religious freedom legislation.

Pino from New York City speaks Spanish and is the first-generation daughter of immigrant parents. She finished her B.A., M.A., and J.D. at Arizona State University with honors. Then, she took a leadership program at Harvard Kennedy School as a National Hispana Leadership Institute Fellow.

Pino was a legal aid lawyer in the Southwest, fighting for migrant farm workers’ rights. Her civil rights activities continued as she worked for the United States Department of Agriculture (USDA) as USDA Deputy Assistant Secretary for Civil Rights and USDA Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP).

While working at the USDA, Pino drafted USDA’s first gender identity anti-discrimination program rules as well as its first USDA limited English proficiency guidance. She played a major role in making sure that minority farmers get their benefits granted via class action settlements with her guidance of the outreach and engagement activities of the USDA.

Pino was also a senior executive service appointed by President Barack Obama and worked as Senior Counselor at the U.S. Department of Homeland Security (DHS). There, she took a major function in the mitigation of the biggest federal data breach ever, the hacking of the information of 4 million federal employees and 22 million surrogate profiles in 2015, by negotiating again the 700 vendor procurements and the setting up of new cybersecurity regulatory program.

Lately, Pino worked as New York State Department of Health’s Executive Deputy Commissioner, which is the agency’s second top executive position. During this time, Pino led the New York’s operational COVID-19 pandemic response and the program development for Medicare, Medicaid, Nutrition Program for Women, Infants, and Children (WIC), Wadsworth Laboratories, Hospital and Alternative Care Facility, AIDS Institute, Center for Environmental Health, and Center for Community Health.

Lisa is an outstanding public servant. Her range of experience and administration expertise, in particular her work in improving civil rights laws and policy at the U.S. Department of Agriculture (USDA) at the time of the Obama-Biden Administration, is going to help make sure that the rights of each individual throughout the country are protected.

PHI of Dignity Health Patients Contained in Stolen Laptop Computer

Resource Anesthesiology Associates (RAA) of California has begun informing a number of patients of Mercy Hospital Southwest and Dignity Health’s Mercy Hospital Downtown about the theft of a laptop computer that contains some of their protected health information (PHI).

RAA of California is a provider of anesthesiology services at Dignity Health hospitals, which involves getting access to patient information. On July 8, an RAA of California administrator’s laptop computer was stolen. RAA already reported the theft to law enforcement, however, the device is not yet retrieved.

RAA of California carried out an investigation to find out which patient data was saved on the laptop and can possibly be viewed. The review affirmed that these types of data were saved on the laptop: Names, addresses, birth dates, names of providers, dates of service, diagnoses and treatment data, medical insurance data, and other data associated with patients’ health care.

The laptop computer has password protection, which gives it a level of security against unauthorized access. Nevertheless, passwords could be guessed, therefore there is a chance that data on the laptop computer can be accessed by unauthorized persons. RAA of California stated that currently there is no proof identified that suggests the access or misuse of any data saved on the laptop computer.

RAA of California is convinced there is a low risk of patient data misuse, but, as a safety precaution, it is giving impacted persons a free membership to identity theft protection services via IDX. Patients will get a year of CyberScan monitoring and are covered by a $1 million identity theft insurance policy, which comes with completely managed identity theft recovery services.

Jackson Health Investigates Social Media HIPAA Violation Involving a Nurse

Jackson Health is investigating a privacy violation after photos of a baby that has a birth defect were posted on Facebook by a nurse.

A nurse who was employed in the neonatal intensive care unit at Jackson Memorial Hospital shared two pictures on Facebook of a baby having gastroschisis – an uncommon birth defect of the abdominal wall that could make the intestines stick out from the body. The pictures included the captions, “Your intestines posed (sic) to be inside not outside baby! #gastroschisis” and “My night was going great then boom!” The troubling photos were published on accounts that belong to Sierra Samuels.

The sharing of images of patients on social platforms without authorization is a serious violation of patient data privacy. Pictures of patients are considered as protected health information (PHI) and publishing pictures on social media platforms, even in closed Facebook groups, is a violation of the Health Insurance Portability and Accountability Act (HIPAA) except if prior consent is acquired from the patient.

HIPAA calls for healthcare organizations to provide privacy policy training to personnel. Training should be given within a sensible time frame after a staff joins a covered entity’s staffing and training need to be routinely reinforced. The best practice is to give refresher HIPAA privacy instruction yearly. A sanctions policy should also be created and enforced that clearly states the sanctions workers will deal with in case they violate the HIPAA Laws.

After being informed about the social media posts Jackson Health started an investigation into the privacy breach and quickly placed the nurse on administrative leave impending the outcome of the investigation. Safeguarding patient privacy is the first concern at Jackson Health System. Any probable privacy breach is taken seriously and carefully investigated, stated a Jackson Health spokesperson. Jackson Health additionally confirmed that when staff break patient privacy, in spite of the training, they will be under disciplinary action which may include suspension or dismissal.

OCR Issues 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The 20th financial penalty under the HIPAA Right of Access enforcement initiative has been issued by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Pediatric care provider Children’s Hospital & Medical Center (CHMC) based in Omaha, Nebraska, was required to pay a penalty fee of $80,000 to resolve an alleged HIPAA Right of Access violation and to perform a corrective action plan to take care of the non-compliance found by OCR. OCR will check CHMC’s compliance for one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act provided persons the right to get a copy of their protected health information (PHI) saved by a HIPAA-covered entity, and for parents and legal guardians to acquire a copy of the healthcare data of their minor children. HIPAA-covered entities should give the requested documents within 30 days and may only impose a reasonable cost-based fee for furnishing copies. On several occasions, covered entities could get a 30-day extension, making the maximum time frame for giving the files 60 days from the date the request is gotten.

If people feel their HIPAA rights were violated, they are unable to take legal action against a HIPAA-covered entity regarding the HIPAA violation, nevertheless, they can report a complaint to OCR. In this case, OCR received a complaint from a parent who stated CHMC did not provide her prompt access to her young daughter’s health data.

CHMC got the parent’s request and gave some of her daughter’s medical information but failed to deliver all the requested records. The parent likewise made a few follow-up requests to CHMC. OCR reviewed the incident and confirmed the parent’s request for a copy of her late daughter’s health information on January 3, 2020. A few of the requested files were furnished; nevertheless, the remaining data needed to be acquired from some other CHMC division. A number of the remaining files were delivered on June 20, 2020, with the remainder presented on July 16, 2020. OCR established that this was a HIPAA Right of Access – 45 C.F.R. § 164.524(b) violation.

Aside from the financial charges, CHMC needs to review and update its guidelines and procedures connected to the HIPAA Right of Access, present the policies to OCR for evaluation, and deliver the approved policies to the staff and make certain training is made available.

In general, HIPAA necessitates covered entities to give parents timely access to their minor children’s medical data, if the parent is the child’s personal representative, stated Acting OCR Director Robinsue Frohboese. OCR’s Right of Access Initiative sustains patients’ and personal representatives’ essential right to their health information and highlights the benefit of all covered entities’ conformity with this vital right.