Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

More and more healthcare organizations are facing legal action because of ransomware attacks that resulted in patient data theft. Florida Orthopaedic Institute, a large orthopedic provider in Florida, is one of the most recent healthcare companies to face a class action lawsuit over a ransomware attack.

Florida Orthopaedic Institute detected the ransomware attack on April 9, 2020, when employees could not access computer systems and information because the files had been encrypted. A third-party computer forensics company was hired to investigate and confirmed on May 6, 2020 that patient data may have been accessed and exfiltrated by the attackers. The types of sensitive information potentially compromised included names, birth dates, Social Security numbers, and medical insurance data. Affected patients were notified of the breach on or about June 19, 2020 and were offered free identity theft protection and credit monitoring services for one year. At the time the notifications were issued, no evidence had been found to indicate the misuse of patient data.

Attorney John Yanchunis of Morgan &amp; Morgan recently filed the lawsuit against Florida Orthopaedic Institute in Hillsborough County, FL. The lawsuit alleges that the healthcare provider did not implement appropriate safeguards to ensure the privacy of patient information. He stated that cybercriminals certainly obtained this information and used it maliciously.

The lawsuit claims the healthcare company was lackadaisical, careless, or negligent with regard to protecting the privacy of its patients and that standard cybersecurity practices were not followed. Aside from negligence, the lawsuit alleges intrusion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

Although patients were provided free identity theft protection services, Attorney Yanchunis states that one year of identity theft protection is not sufficient to protect victims, given that affected individuals now face an elevated risk of financial harm from the breach for several years to come.

The lawsuit seeks longer credit monitoring for victims and a minimum of $99 million in damages for current and former patients.

The incident has not yet been posted on the HHS’ Office for Civil Rights breach portal, so the number of patients affected by the attack is presently uncertain. According to the lawsuit, no fewer than 100,000 patients were affected and possibly more than 150,000.

Several recent ransomware attacks have resulted in lawsuits, for example the attacks on BST &amp; Co. CPAs LLC and DCH Health System. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a class action lawsuit filed by a breach victim.

$185,000 Settlement Offered to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

Grays Harbor Community Hospital and Harbor Medical Group have agreed to a proposed settlement of the class-action lawsuit filed by the representative plaintiff over a ransomware attack in June 2019 that resulted in the encryption of patient data.

The plaintiff and Grays Harbor negotiated the settlement to avoid the uncertainty of a trial and the expense of further litigation. The Court did not decide the case in favor of either party.

The Washington healthcare provider identified the ransomware attack in June 2019 and shut down its systems to contain the malware, but it was too late, as its computer systems had already been encrypted. Grays Harbor had created data backups in case of such an incident; however, the ransomware encrypted the backup files as well. The provider’s electronic health record system was also inaccessible for about two months.

The attackers demanded a ransom of $1 million for the keys to decrypt the data. Grays Harbor had an insurance policy that covered up to $1 million, though it is unclear whether that policy covered the costs and whether the ransom was paid. Regardless, it was not possible to recover all of the data encrypted in the attack, and the protected health information (PHI) of some patients was not recovered.

The lawsuit claimed the provider violated several laws, including the:

  • Washington State Uniform Healthcare Information Act
  • Washington State Consumer Privacy Act
  • State Constitution’s Right to Privacy

The lawsuit further claimed that Harbor Medical Group and Grays Harbor Community Hospital failed to protect the privacy of patients, and alleged breach of implied contract, breach of express contract, and intrusion of privacy.

The agreed settlement involves no admission of liability on the part of Harbor Medical Group and Grays Harbor Community Hospital, which deny all claims made in the lawsuit.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Patients affected by the breach can submit claims for up to $210 per person to cover out-of-pocket expenses incurred because of the breach and up to approximately three hours of documented lost time dealing with the after-effects of the breach, at a rate of $15 per hour.

Claims of up to $2,500 can also be filed for other documented losses that were more likely than not caused by the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is liable for any larger payouts. If total claims exceed $185,000, they will be paid pro rata.

Class members have until July 27, 2020 to exclude themselves from the settlement or file an objection. A fairness hearing will be held on August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, the provider took steps to improve security and has spent more than $300,000 on information security. A further $60,000 will be invested in security enhancements over the next three years.

This is the second data breach settlement announced this week. The first was proposed by UnityPoint Health to resolve a lawsuit filed by victims of two phishing-related data breaches in 2018. UnityPoint Health agreed to settle the claims for $2.8 million or more, as there is no cap on claim payments.

Vulnerability found in Philips Ultrasound Systems

Philips has identified an authentication bypass vulnerability affecting Philips Ultrasound Systems. An attacker could potentially exploit the flaw to access or modify information. The vulnerability stems from the presence of an alternate path or channel that can be used to circumvent authentication controls.

The vulnerability is tracked as CVE-2020-14477. It is rated low severity, with an assigned CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker requires local access to a vulnerable system; remote exploitation is not possible. Philips also states that exploitation of this vulnerability does not endanger patient safety.
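The advisory only says that an alternate path lets a caller get around the authentication control, which is the general pattern of an alternate-path bypass: a second route to the same function that never acquired the check. The following Python model, added here as an illustration and not Philips code, contrasts a dispatcher that authenticates per handler with one that authenticates once before routing, and adds a self-check a reviewer can run to list which routes answer without a credential. The route names, token scheme and secret are constructed for the demo.

```python
"""Alternate-path authentication bypass: a minimal model and its fix.

Added example, not Philips code. The routes, handler names, session token
scheme and secret below are constructed for illustration only.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

SECRET = b"demo-only-session-secret"  # constructed; never hard-code in real code


def make_token(user: str) -> str:
    """Constructed session token: user name plus an HMAC tag."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user name if the token is valid, otherwise None."""
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def export_study(user: str) -> str:
    """Stand-in for a privileged operation (constructed)."""
    return f"study data for {user}"


# --- Vulnerable design: every handler decides for itself whether to check ---
def vulnerable_dispatch(path: str, token: Optional[str]) -> str:
    if path == "/export":
        user = verify_token(token)
        if user is None:
            return "401 unauthorized"
        return export_study(user)
    if path == "/legacy/export":
        # Alternate path to the same function, added later. The check was
        # never copied here, so an unauthenticated caller reaches the data.
        return export_study("anonymous")
    return "404 not found"


# --- Hardened design: authentication enforced once, before routing ----------
PUBLIC_PATHS = {"/health"}  # the only routes deliberately left open
ROUTES: Dict[str, Callable[[str], str]] = {
    "/export": export_study,
    "/legacy/export": export_study,
    "/health": lambda user: "ok",
}


def hardened_dispatch(path: str, token: Optional[str]) -> str:
    handler = ROUTES.get(path)
    if handler is None:
        return "404 not found"
    user = verify_token(token)
    # Deny by default: a new route is protected unless explicitly listed public.
    if path not in PUBLIC_PATHS and user is None:
        return "401 unauthorized"
    return handler(user or "anonymous")


def unauthenticated_paths(dispatch: Callable[[str, Optional[str]], str]) -> List[str]:
    """Self-check for reviewers: which known routes answer with no credential?

    Every path it returns should appear in PUBLIC_PATHS; anything else is an
    alternate path that bypasses authentication.
    """
    probes = ["/export", "/legacy/export", "/health"]  # constructed route list
    return [p for p in probes
            if dispatch(p, None) not in ("401 unauthorized", "404 not found")]
```

Run `unauthenticated_paths(vulnerable_dispatch)` and it reports `/legacy/export`, which is not in `PUBLIC_PATHS`; the hardened dispatcher reports only `/health`. The design point is that the check lives in one place that every route passes through, so adding a new path cannot silently skip it, and that the list of open routes is explicit so it can be reviewed.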

The vulnerability has been reported to impact the Philips Ultrasound Systems listed below:

  • Ultrasound Xperius all versions
  • Ultrasound ClearVue Versions 3.2 and earlier versions
  • Ultrasound EPIQ/Affiniti Versions VM5.0 and earlier versions
  • Ultrasound CX Versions 5.0.2 and earlier versions
  • Ultrasound Sparq Version 3.0.2 and earlier versions

The vulnerability has been fixed in the VM6.0 release of the Ultrasound EPIQ/Affiniti systems. Customers using these systems should contact their Philips representative for details on installing the update.

Customers using the other affected systems will have to wait until the fourth quarter of 2020 for an update. Philips plans to address the vulnerability in Ultrasound CX Version 5.0.3, Ultrasound ClearVue Version 3.3, and Ultrasound Sparq Version 3.0.3, all scheduled for release in Q4 2020.

In the meantime, as an interim mitigation, Philips advises users to ensure that their service providers verify device integrity when performing service and repair procedures. Physical security controls should also be used to prevent unauthorized persons from accessing the devices.

Breaches Reported by St. Luke’s Health-Memorial Lufkin, Iowa Total Care and RiverPointe Post Acute

CHI St. Luke’s Health-Memorial Lufkin in Texas has begun notifying patients about the potential unauthorized access of some of their protected health information (PHI).

St. Luke’s threat management team conducted an investigation into a data breach on March 25, 2020. Third-party experts performed a forensic investigation and confirmed on April 23, 2020 that an unauthorized outside party had potentially accessed two employees’ email accounts.

The investigators found no evidence of unauthorized access to or theft of data; however, the possibility could not be ruled out. The email accounts contained information such as names, diagnosis information, facility account numbers, and dates of service. Based on the investigation, St. Luke’s believes that no patient data was misused. As a precaution, certain patients have been offered free credit monitoring services through Experian.

St. Luke’s investigated the security breach extensively, reviewed data access logs, and performed a threat intelligence analysis. The provider reset all passwords across the facility, replaced and upgraded hardware, improved security through software changes, and modified its processes for network access.

The HHS’ Office for Civil Rights has not yet posted the breach on its breach portal, so the number of patients affected is still uncertain.

PHI of 11,500 Iowa Total Care Members Compromised Due to Email Error

Iowa Total Care has learned that an employee impermissibly disclosed the PHI of thousands of patients. On April 29, 2020, the employee emailed an Excel file containing claims information to a large provider organization. The Excel file included the PHI of patients who had not received healthcare at that organization.

The spreadsheet included the names, birth dates, Medicaid ID numbers, and procedure and diagnosis codes of 11,581 patients. Iowa Total Care is a HIPAA covered entity and is therefore aware of the requirement to protect PHI; it has stated that the Excel file was deleted and was not copied or shared.

Iowa Total Care has retrained the employee involved and implemented additional safeguards to prevent similar mistakes in the future.

633 Patients’ PHI Lost at RiverPointe Post Acute

RiverPointe Post Acute of Carmichael, CA has notified 633 nursing home residents about the exposure of some of their PHI. The provider sent a USB storage device containing names, some Social Security numbers, and insurance ID numbers by mail, but the device went missing in transit. The postal service was informed of the loss and a search was conducted for the device, but it could not be found.

Although no specific evidence was found to suggest the device had been obtained by an unauthorized person, affected individuals were offered free identity theft protection services as a precaution. Employees are being given additional training on data security.

NY District Court Brings Back Data Breach Suit Against Episcopal Health Services to State Court

Patients of Episcopal Health Services Inc., located in Uniondale, N.Y., filed a lawsuit over the exposure of their private and protected health information in a 2018 phishing attack. The case has now been remanded to the New York State Supreme Court for further proceedings.

The lawsuit claims Episcopal Health Services failed to protect the private information of its patients from unauthorized disclosure. As a result of those failures, certain Episcopal Health Services employee email accounts were breached between August 28, 2018 and October 5, 2018. The sensitive data in the email accounts included patients’ names, dates of birth, addresses, Social Security numbers, and financial data. The PHI of about 218,000 patients was compromised in the email system breach.

The lawsuit named three plaintiffs, all of whom were patients of St. John’s Episcopal Hospital. They alleged they suffered injuries as a result of the compromise of their personal data. The complaint cited the Federal Trade Commission (FTC) Act and the Health Insurance Portability and Accountability Act (HIPAA), with the plaintiffs alleging that Episcopal Health Services had violated those laws. The plaintiffs also claimed breach of implied contract, breach of fiduciary duty, delayed notification of the breach, and negligence in the hiring and training of its personnel.

Episcopal Health Services removed the lawsuit from the New York State Supreme Court, arguing that the claims arose under HIPAA and the FTC Act, which are federal laws. The defendant also sought to have the case dismissed for lack of standing and failure to state a claim.

The case was removed to the U.S. District Court for the Eastern District of New York, which recently determined that the lawsuit did not raise any question of federal law. Although the FTC Act and HIPAA were cited in the complaint, the claims were not based on HIPAA or FTC Act violations; rather, they were common law causes of action. There is no private cause of action under either HIPAA or the FTC Act. Actions for HIPAA violations can only be brought by the Department of Health and Human Services or State Attorneys General, and the FTC Act can only be enforced by the Federal Trade Commission.

District Court Judge Dora L. Irizarry determined that the District Court lacked jurisdiction over the lawsuit, so the case was remanded to the New York State Supreme Court for further proceedings. No ruling has been made on Episcopal Health Services’ motion to dismiss the case.

Hacker Arrested and Charged Over the 2014 UPMC Cyberattack

The United States Attorney’s Office for the Western District of Pennsylvania has announced the arrest of a suspect charged with hacking the University of Pennsylvania Medical Center (UPMC) human resources databases in 2014.

UPMC operates 40 hospitals and 700 outpatient sites and doctors’ offices and has more than 90,000 employees. In January 2014, UPMC discovered that a hacker had accessed a human resources server Oracle PeopleSoft database containing the personally identifiable information (PII) of 65,000 UPMC employees. The data stolen in the attack, which included names, dates of birth, addresses, salary and tax data, and Social Security numbers, was allegedly offered for sale on the darknet.

The suspect was named as Justin Sean Johnson, 29, of Michigan, who formerly worked as an IT specialist at the Federal Emergency Management Agency.

On May 20, 2020, Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Johnson allegedly hacked into the database, exfiltrated PII, and offered the stolen information for sale on darknet marketplaces such as AlphaBay Market to buyers around the world. Prosecutors also state that, in addition to the PII of UPMC employees, Johnson sold other PII on darknet forums from 2014 to 2017.

The stolen UPMC PII was subsequently used in an extensive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in about $1.7 million in fraudulent refunds being issued. Those refunds were converted into Amazon gift cards that were used to purchase about $885,000 in goods, most of which were shipped to Venezuela to be sold on online marketplaces.

Two other people were charged in 2017 in connection with the UPMC hack:

  • Maritza Maxima Soler Nodarse, a Venezuelan national involved in filing the fraudulent tax returns, pleaded guilty to conspiracy to defraud the United States, was sentenced to time served, and was deported.
  • Yoandy Perez Llanes, a Cuban national who pleaded guilty to money laundering and aggravated identity theft, is awaiting sentencing in August 2020.

The breach investigation revealed that the hacker first gained access to the Oracle PeopleSoft database on December 1, 2023. After accessing the database, the hacker ran a test query and accessed the data of roughly 23,500 individuals. Between January 21, 2014 and February 14, 2014, the hacker accessed the database multiple times a day and stole the data of thousands of UPMC employees.

Johnson faces a lengthy prison term if convicted. The conspiracy charge carries a maximum prison term of 5 years and a fine of up to $250,000. Each wire fraud count carries a maximum prison term of 20 years and a fine of up to $250,000, and each aggravated identity theft count carries a mandatory 2-year prison term and a fine of up to $250,000.

The healthcare sector is a major target of cybercriminals seeking to steal personal information for use in fraud; the Secret Service is determined to identify and arrest those who commit offenses that exploit the Nation’s critical systems for profit.

Hackers like Johnson should know that the U.S. Secret Service will not stop pursuing them until they are in custody and held accountable for their crimes.

NAAG Urges Apple and Google to Further Protect the Privacy of Users of COVID-19 Contact Tracing Apps

On June 16, 2020, the National Association of Attorneys General (NAAG) wrote to Google and Apple to express concern about consumer privacy in relation to COVID-19 contact tracing and exposure notification software. NAAG made recommendations to help protect the personally identifiable information and sensitive health data of the hundreds of thousands of people who will be encouraged to download the apps to help control COVID-19.

Although digital contact tracing could be a useful tool for tracking the spread of COVID-19 and supporting the public health response to the pandemic, the technology poses a threat to consumers’ personally identifiable information, including sensitive health information, that could persist long after the present public health emergency ends.

Privacy protections are important to ensure that users of the apps do not have sensitive data exposed or used for purposes other than helping to control the spread of COVID-19. Without privacy protections, users are unlikely to download the apps, which will reduce their effectiveness. A study by the University of Oxford indicates that about 60% of a population must adopt the apps for them to achieve their aims. If consumers feel their privacy is at risk, that figure will not be reached.

Current perceptions of the privacy protections of COVID-19 contact tracing apps were explored in a recent survey conducted on behalf of the antivirus company Avira. Of the 2,005 respondents in the United States, 71% said they had no plans to use the apps if they are offered. 44% were concerned about digital privacy, 39% said the apps give a false sense of security, 37% said they think the apps will not work, and 35% do not trust the app companies.

The survey revealed that the majority of consumers do not trust Apple and Google to protect the data collected by the apps. Only 32% of respondents said they trust the companies to protect their sensitive data, even though both companies have taken steps to implement privacy and security controls. Trust in the government is even lower: only 14% of respondents said they would trust contact tracing apps provided directly by the government, and 75% of U.S. respondents said they believe their digital privacy would be at risk if COVID-19 contact tracing data were made available to the government and law enforcement.

The letter, signed by 39 state attorneys general, raised concerns about the various contact tracing apps already available in Google Play and the Apple App Store. These apps are typically free to download and use and carry in-app advertising to generate revenue. Rather than using Google and Apple’s API and Bluetooth to determine possible exposure, the apps rely on GPS tracking.

The state AGs also expressed concern that as more public health authorities begin to release contact tracing apps that use the Google and Apple API, many more developers are likely to start launching apps, and those apps may not have the privacy and security settings required to comply with state laws.

Google and Apple were commended for taking steps to ensure that consumer privacy is protected. NAAG has asked that any contact tracing app labeled or marketed as COVID-19-related be affiliated with a municipal, county, state, or federal public health agency, or with a U.S. hospital or university working with such a public health authority.

NAAG also asked Google and Apple to ensure that any COVID-19 contact tracing app not affiliated with one of the above organizations is removed from Google Play and the Apple App Store, and to pledge that all COVID-19 apps will be removed from Google Play and the App Store as soon as the COVID-19 national public health emergency ends.

Telehealth Is Here to Stay, So Acquire the Right Technology Now

This year, in response to the COVID-19 public health emergency, the HHS’ Centers for Medicare and Medicaid Services (CMS) expanded coverage of telehealth services to all Medicare beneficiaries, regardless of location.

Telehealth services remove the obstacles to in-person care created by the COVID-19 pandemic and allow healthcare practitioners to treat patients in their own homes, which protects patients and helps control the spread of COVID-19. The expansion of coverage applies only for the duration of the coronavirus public health emergency, though there have been growing calls for the expanded CMS telehealth policies to remain in place after the public health emergency is declared over.

At a STAT News virtual event on June 9, 2020, CMS Administrator Seema Verma said she supported making the expansion of telehealth services permanent. The FTC has also weighed in, with officials voicing support for the permanent removal of the geographic restrictions and continued expansion of the types of services that can be delivered via telehealth.

On May 21, 32 House members signed a letter urging Congress to give telehealth more time to prove itself and calling for the relaxed telehealth rules to remain in place beyond the COVID-19 emergency period. The extension would ensure that sufficient data is collected to determine which of the new flexibilities should be made permanent.

Many providers and patients across the United States have used telehealth services during the public health emergency, and telehealth has grown in popularity with healthcare providers and patients alike. It seems likely that telehealth is here to stay and that virtual consultations will replace in-person care in certain cases.

Telehealth was made considerably easier for healthcare providers by the HHS’ Office for Civil Rights, which issued a notice of enforcement discretion stating that no penalties or sanctions would be imposed on healthcare providers for the good faith use of non-HIPAA-compliant communication platforms to deliver telehealth services. That notice of enforcement discretion applies only for the duration of the public health emergency, after which healthcare providers will have to use HIPAA-compliant platforms. Any provider not yet using a HIPAA-compliant telehealth platform should now consider making the change.

One HIPAA-compliant solution that became very popular during the pandemic is TigerTouch from TigerConnect. TigerTouch brings together video, voice, and SMS in one easy-to-use mobile and desktop application, allowing internal communication between care team members and communication with patients through the same application. The solution also supports the sharing of files and medical images and is fully HIPAA-compliant, so ePHI is shared securely. Healthcare providers that have used the solution report considerable cost savings, better patient care, improved workflow efficiency, and happier staff and patients.

TigerConnect hosted a webinar to present the solution and demonstrate how the system’s integrations and telehealth capabilities are helping to improve the quality of patient care, boost patient safety, and increase patient satisfaction.

Watch the webinar on-demand on this webpage.

New York Accounting Agency Faces Class Action Lawsuit Due to Maze Ransomware Attack

BST &amp; Co. CPAs LLC, a New York accounting firm, suffered a human-operated ransomware attack in late 2019. Patients whose protected health information (PHI) was stolen in the breach have filed a lawsuit against the firm.

The lawsuit claims that BST &amp; Co. was negligent in failing to take appropriate and reasonable steps to prevent the ransomware attack, and that the firm failed to issue timely and accurate notifications to the patients affected by the breach. The lawsuit also claims the firm breached its fiduciary duty to protect sensitive patient data and violated state laws relating to deceptive business practices.

BST &amp; Co. discovered the ransomware attack on December 7, 2019. The attackers used Maze ransomware and exfiltrated a range of data from the firm before encrypting files, then threatened to publish the data if the ransom was not paid. Because no ransom was paid, the attackers published the sensitive information on their website.

According to the breach report filed with the Department of Health and Human Services’ Office for Civil Rights, the breach potentially compromised the PHI of 170,000 people, most of whom were patients of Community Care Physicians. Although patient information had been published on the internet where anyone could access it, BST did not send notification letters to patients until February 14, 2020.

On May 27, 2020, the plaintiffs filed the lawsuit in New York’s Supreme Court and sought class action status. The lawsuit alleges that BST &amp; Co. intentionally, willfully, recklessly, or negligently failed to take adequate and reasonable measures to ensure that its data systems were protected against unauthorized intrusions, and that it lacked sufficiently robust computer systems and security measures.

The lawsuit also claims that BST and its employees did not appropriately monitor the network, computer systems, and sensitive patient data. Had they done so, the attack should have been discovered earlier. The lawsuit alleges that, as a result of the firm’s failures, data thieves now have possession of patient information and patients’ identities are at risk.

The lawsuit seeks damages, reimbursement of out-of-pocket costs, the provision of adequate credit monitoring services, and improvements to BST’s security systems to prevent further breaches.

Bipartisan Bill Presented to Secure Privacy of COVID-19 Contact Tracing and Exposure Notification Apps

A bipartisan group of Senators has introduced a bill that seeks to regulate the use of contact tracing and exposure notification apps for controlling the spread of COVID-19.

The Exposure Notification Privacy Act is one of three bills introduced to regulate contact tracing apps and protect the privacy of Americans. The other two bills failed to attract sufficient support. It is hoped that a bipartisan bill will have a better chance of being passed.

Contact tracing and exposure notification technologies are being considered as a means of controlling the spread of COVID-19. Google and Apple have both developed the systems needed for contact tracing using a mobile phone’s Bluetooth Low Energy radio. If a user installs a contact tracing app, encounters with other people who have also installed the app are logged. If a person is later diagnosed with COVID-19, the information logged by the app is used to notify everyone who may have been exposed to that individual.
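The paragraph describes the flow (log encounters over Bluetooth, then notify contacts after a diagnosis) but not how the logged data can do that without revealing identity or location, which is the privacy property the rest of this section turns on. The Python simulation below is an added example, not code from Apple, Google or any app named on this page, and it goes beyond the text by showing one decentralised way to achieve it: each phone derives short-lived rolling identifiers from a random daily key with an HMAC, stores only the identifiers it hears, and a diagnosed user publishes only daily keys, so matching happens on each phone. The interval size, key length, phone names and encounter times are constructed for the demo.

```python
"""Simplified decentralised exposure notification.

Added example: a toy model in the spirit of the Bluetooth-based approach the
article describes, not Apple/Google's actual protocol. Each phone keeps a
random daily key, broadcasts rolling IDs derived from it, and stores the IDs it
hears. A diagnosed user uploads only daily keys; everyone else re-derives the
IDs locally and compares them with what they heard. No identity and no
location ever leaves the device. All values below are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

INTERVALS_PER_DAY = 144  # constructed: one rolling ID per 10 minutes


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive a 16-byte rolling ID for one interval. Without the daily key,
    two IDs from the same phone cannot be linked to each other."""
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str, daily_key: Optional[bytes] = None):
        self.name = name                       # local only, never transmitted
        self.daily_key = daily_key or os.urandom(16)
        self.heard: Dict[bytes, int] = {}      # rolling ID -> interval heard

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, rid: bytes, interval: int) -> None:
        self.heard[rid] = interval

    def report_diagnosis(self) -> bytes:
        """Only the daily key goes to the health authority's server."""
        return self.daily_key

    def check_exposure(self, published_keys: List[bytes]) -> Set[int]:
        """Match on-device; return the intervals at which exposure occurred."""
        hits: Set[int] = set()
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_id(key, interval) in self.heard:
                    hits.add(interval)
        return hits


def encounter(a: Phone, b: Phone, interval: int) -> None:
    """Two phones within Bluetooth range exchange their current rolling IDs."""
    a.hear(b.broadcast(interval), interval)
    b.hear(a.broadcast(interval), interval)


def run_demo() -> dict:
    """Constructed scenario: alice meets bob twice, bob meets carol once,
    then alice tests positive and publishes her daily key."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, 40)
    encounter(alice, bob, 41)
    encounter(bob, carol, 100)
    server_keys = [alice.report_diagnosis()]
    return {
        "bob": bob.check_exposure(server_keys),      # exposed at 40 and 41
        "carol": carol.check_exposure(server_keys),  # never met alice: empty
        "ids_unlinkable": alice.broadcast(40) != alice.broadcast(41),
    }
```

The check that matters for the privacy argument is what crosses the network: `report_diagnosis` returns a random key with no name, phone number or coordinates attached, and `check_exposure` runs entirely on the receiving phone, so the server learns neither who met whom nor where. Contrast this with the GPS-based apps the attorneys general criticise, where a location history has to be collected to answer the same question.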

Contact tracing and exposure notification apps are being used in some countries to reduce the spread of COVID-19; however, they carry risks to personal privacy, which the new bill seeks to address.

Sens. Maria Cantwell (D-Washington) and Bill Cassidy (R-Louisiana) introduced the Exposure Notification Privacy Act, which is co-sponsored by Sen. Amy Klobuchar (D-Minnesota). The bill seeks to give U.S. citizens control over their personal information while giving public health officials the lead in the development of exposure notification systems.

The bill requires that the use of contact tracing and exposure notification apps be voluntary, and that app developers provide options giving consumers strong control over their personal information. The bill restricts the types of information the apps can collect and how long personal information can be retained.

The apps will only achieve their purpose if large numbers of people download them, and that will only happen if Americans are confident that their privacy is protected and their personal information will not be misused.

Public health agencies must be in control of the notification system to protect people’s privacy and alert them when they may have been exposed to COVID-19. This bill protects privacy when somebody voluntarily participates in preventing the spread of COVID-19.

The bill regulates exposure notification systems so that only medically authorized diagnoses can be reported, which prevents false reports. It requires that personal data collected through the apps be used only to control the spread of COVID-19 and never for commercial purposes. In addition to voluntary participation, the bill gives Americans the right to opt out and to demand the deletion of their personal data at any time.

Strong security controls must be in place to protect personal information collected through the apps, and in the event of a data breach the bill requires all affected individuals to be notified. There will also be strict enforcement provisions to protect consumer rights, with federal and state regulators given the authority to issue financial penalties for violations.

Throughout the coronavirus crisis, Americans should never have to worry about the confidentiality and security of their personal health information. Although contact tracing can play a crucial role in preventing the spread of COVID-19, this technology cannot be used at the expense of public health privacy.

Class Action Lawsuit Filed Against Aveanna Healthcare Over 2019 Phishing Attack

Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class-action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and promptly secured its email accounts. Investigators confirmed that the email accounts were first breached on July 9, 2019, giving the attackers access to protected health information (PHI) for more than 6 weeks.

The compromised accounts contained emails with patient data such as names, health information, financial data, passport numbers, Social Security numbers, driver’s license numbers, and other sensitive information. It could not be confirmed whether the attackers viewed the emails and attachments. No evidence was found to suggest that patient information was stolen, but it is possible that the attackers downloaded email data before they were locked out of the accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by a breach of their PHI to be notified without unreasonable delay and no later than 60 days after the breach is discovered. The breached entity must also report the breach to the Department of Health and Human Services’ Office for Civil Rights within 60 days.

Aveanna Healthcare did not issue breach notifications to affected patients until 2020, and it did not submit its breach report to the HHS’ Office for Civil Rights until February 14, 2020, more than 5 months after it discovered the breach.

More than 100 patients affected by the breach are involved in the lawsuit. They claim that Aveanna Healthcare did not issue timely notifications and that, when the notifications were eventually sent, they did not make clear which types of information had been compromised. The plaintiffs also assert that patients’ private personal and healthcare information was stored carelessly, leaving information held in the provider’s systems vulnerable to attack.

The lawsuit alleges that Aveanna Healthcare was aware of the risk to patient data yet failed to take sufficient steps to protect it. The plaintiffs also claim that Aveanna Healthcare was not adequately monitoring the computer systems that held patient data; had those systems been properly monitored, it would not have taken 6 weeks to identify the breach.

The plaintiffs assert that they now face an elevated risk of identity theft and fraud because data thieves hold their sensitive information. The lawsuit seeks nominal and compensatory damages for individuals affected by the breach, reimbursement of out-of-pocket costs, and injunctive relief.

OIG Set to Audit the HHS COVID-19 Response and Recovery Efforts

The HHS’ Office of Inspector General (OIG) has published a plan for overseeing the Department of Health and Human Services’ COVID-19 response and recovery efforts.

OIG will assess how HHS is fulfilling its mandate to keep Americans healthy and safe, determine whether HHS systems and data are adequately protected, evaluate the effectiveness of the HHS response, and review the $251 billion in funding released to HHS for the COVID-19 response.

OIG is tasked with overseeing HHS activities to improve the economy, efficiency, effectiveness, and reliability of HHS programs. OIG noted that COVID-19 has presented HHS with a major challenge in delivering medical care and human services to Americans. Through audits, risk assessments, and data analysis, OIG will evaluate HHS’ performance in its COVID-19 response and recovery operations.

HHS has a responsibility to protect the health and wellbeing of the U.S. population during a public health emergency such as the COVID-19 crisis and to look after the beneficiaries who receive services through HHS programs. OIG will support HHS in its ongoing COVID-19 response and in combating the fraud and scams that put the public and HHS beneficiaries at risk.

OIG will investigate cases of fraud and partner with law enforcement to protect the public and HHS beneficiaries. It will also examine the outcomes of HHS programs and assess how well the needs of communities and beneficiaries were met. OIG audits and evaluations will cover the following:

  • procurement, oversight, and distribution of resources from the Strategic National Stockpile
  • manufacture, authorization, and supply of COVID-19 tests
  • research on COVID-19 vaccines and treatments
  • HHS medical care and human services

OIG’s oversight and enforcement activities include protecting HHS funds from fraud, waste, and abuse and ensuring that HHS spending is transparent and accountable. OIG will review whether the $251 billion in COVID-19 response and recovery funding released by HHS in May 2020 was managed in accordance with program requirements and reporting obligations, and it will investigate reports of fraud and abuse that diverted COVID-19 funding from its intended purposes.

Cyberattacks on HHS and medical organizations have increased considerably during the COVID-19 crisis, with nation-state actors attempting to obtain sensitive data and intellectual property related to SARS-CoV-2 and COVID-19. OIG stated that cybercriminals may target systems used for the COVID-19 response in order to obtain sensitive data, so it is crucial that the HHS IT infrastructure is adequately protected and that vulnerabilities are proactively identified and addressed.

OIG will also evaluate HHS’ ability to identify and remediate IT vulnerabilities and will review cybersecurity risks and attacks on HHS systems. OIG will assist HHS in building a secure and resilient infrastructure.

Lessons learned during the COVID-19 pandemic will be used to improve future HHS programs and to better prepare for future public health emergencies.

New Data Breach Notification Law in Washington D.C. Takes Effect

Recent amendments to the Washington D.C. data breach notification law took effect on May 19, 2020. The changes, announced in March, considerably update the existing breach notification requirements. The definition of personal information has been substantially expanded, so breach notifications are now required when a wider range of personal information is subjected to unauthorized access. New data security requirements have also been introduced.

Before the change, notifications were required when a breach exposed personal information such as names, telephone numbers, and addresses in combination with a driver’s license number, Social Security number, credit/debit card number, or D.C. ID card number, or when the breached information included numbers or codes that would permit access to credit or financial accounts.

The amendment adds several further data elements to the list. Breach notifications are now required when any of the data elements listed below are exposed, even without a name, if the information could be used for identity theft:

  • Medical information
  • Medical insurance data
  • Genetic information and DNA profiles
  • Biometric data
  • Usernames or email addresses combined with a password, or security questions and answers, that would permit account access
  • Passport numbers
  • Military ID numbers
  • Taxpayer ID numbers
  • Other unique ID numbers issued by the government

The D.C. Attorney General’s office must be notified of any breach that involves the information of more than 50 D.C. residents. The breached entity must issue notifications as expediently as possible and without unreasonable delay. As in the state of California, breach notifications are now required for the compromise of the information listed above.

The breached entity must also provide breach victims with free identity theft protection services for at least 18 months when their Social Security numbers or taxpayer ID numbers were exposed.

The update also requires all businesses that collect, store, or process the personal data of D.C. residents to implement and maintain reasonable safeguards for that data. The policies, procedures, and practices must be appropriate to the nature and size of the entity. Where the entity engages third-party companies, a service agreement between the two must confirm that the third party maintains reasonable security standards to protect the confidentiality, integrity, and availability of the personal data it accesses.

Breach notifications are not required if the breach involved encrypted data, unless that data can be decrypted. Notifications are also not required if the breached entity, in consultation with the D.C. Attorney General, determines that there is a low risk of harm.

HIPAA-covered entities that comply with the HIPAA Breach Notification Rule are deemed compliant with the new breach notification requirements, although they must still notify the D.C. Attorney General of a data breach. The same applies to entities that are covered by and comply with the Gramm-Leach-Bliley Act (GLBA).

Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit

The Indiana Court of Appeals reinstated the respondeat superior claim of a patient who sued Parkview Health System Inc. after a medical assistant accessed her medical records and shared the sensitive information with another individual.

Haley SoderVick filed the lawsuit against Parkview Health System after she was informed that a medical assistant had accessed her medical information and passed it to her then-husband. SoderVick had liked a picture that the medical assistant’s husband had posted on Facebook.

SoderVick visited Parkview Health in October 2017 for a medical examination in the OB/GYN department. While she was there, the medical assistant, Alexi Christian, accessed her medical records.

Christian texted her husband details about SoderVick, saying that she was a patient at the facility, sharing a potential diagnosis, and telling him that SoderVick was a dispatcher. She also told her husband that SoderVick was HIV-positive and had had about 50 sexual partners, even though both statements were false and that information was not taken from her medical record. Christian stated that she was concerned her husband might know SoderVick because she had liked his post, and she wanted to know whether her husband, Caleb Thomas, had had a sexual relationship with SoderVick.

The text messages were later read by Thomas’ sister, who had borrowed his mobile phone. She notified Parkview Health of the HIPAA violation and forwarded the messages, prompting an investigation that resulted in Christian’s dismissal for the HIPAA violation.

After being informed of the HIPAA breach, SoderVick filed suit, claiming that Parkview Health was vicariously liable for Christian’s actions, that the healthcare organization had been negligent in failing to provide proper training and supervision, and that Parkview Health had violated its statutory and common-law duties of data protection and privacy as required by HIPAA.

Parkview Health moved for summary judgment on the claims, which was granted. The trial court determined that Christian’s texts to a third party, whether they contained true or false information about SoderVick, clearly fell outside the scope of her employment with Parkview and that Parkview was therefore not vicariously liable for those acts.

SoderVick appealed the respondeat superior ruling and obtained a majority decision of reversal in the Court of Appeals. In its motion for summary judgment, Parkview had asserted there was no genuine issue of material fact as to whether Christian was acting within the scope of her employment. The Court of Appeals found that there is a genuine issue of fact on the scope-of-employment question; specifically, whether Christian’s conduct was incidental to authorized employment activities. The trial court therefore erred in granting summary judgment in favor of Parkview on the respondeat superior claim. That portion of the order was reversed, and the case was remanded for further proceedings.

Tornado Strike on STAT Medical Records Facility Compromises Patient Medical Records

An unusual data breach at STAT Informatics Solutions, LLC of Waupaca, WI has affected several healthcare organizations. STAT provides secure medical records services to a number of healthcare organizations, including scanning paper files and storing them in medical record systems.

On March 3, 2020, a tornado struck a STAT facility in Lebanon, TN, causing substantial destruction of the building and of part of the records stored there. STAT notified all affected clients immediately, and personnel from those healthcare organizations traveled to the site to help locate and secure the medical records within the building.

To reduce the likelihood of unauthorized access, STAT erected a high fence around the perimeter of the building while the medical records were located and secured. To keep unauthorized persons out of the building, two security guards were posted on site around the clock.

Most of the medical records were recovered from what remained of the building, but the records were determined to be unusable and were securely disposed of.

Although it is possible that unauthorized individuals viewed some patient paperwork, there is no evidence of unauthorized access. STAT believes patients face no risk of financial harm. Nevertheless, as a precaution, patients whose medical records were stored in the building have been notified by mail and are being offered free credit monitoring services.

The medical records stored at the STAT facility included information such as full names, birth dates, addresses, Social Security numbers, medical record numbers, nursing and physician notes, medical images, diagnoses, laboratory test data, prescribed medications, account numbers, and other information typically found in medical records.

The healthcare organizations that have confirmed being affected by the incident are the following:

  • Poplar Bluff Regional Medical Center, MO (1,619 records)
  • Commonwealth Health Moses Taylor Hospital, PA (1,905 records)
  • Commonwealth Health Wilkes-Barre General Hospital, PA (518 records)
  • Bayfront Health Port Charlotte, FL
  • Bayfront Health Punta Gorda, FL

Survey Unveils State of Workplace Safety and Preparedness in Healthcare

Rave Mobile Safety has released the findings of its annual workplace safety and preparedness survey, conducted early this year. The report examines the level of emergency preparedness in healthcare and other sectors throughout the United States. Note that the survey was conducted before the declaration of the COVID-19 public health emergency, which has most likely shifted priorities in many organizations.

Workplace Safety in 2020

The coronavirus pandemic has highlighted the importance of effective communication during emergencies, but the survey points to other important reasons to improve workplace safety and communication. When the survey was last conducted in 2019, 26 respondents reported incidents of violence in the workplace. This year, the number of respondents who had experienced workplace violence doubled.

The survey revealed that employees are now more safety-conscious. 58% of respondents said they would report a workplace safety issue regardless of whether it could be done anonymously; however, 41% of Gen Z and millennial respondents would only report safety issues if they could do so anonymously, suggesting that 18-29-year-olds worry that raising safety concerns would have negative consequences.

Although most employers have emergency plans in place, many are not running drills. For instance, 76% of companies have emergency plans for severe weather, but only 40% have conducted drills to practice their response, even though 48% of respondents said they had experienced a severe weather event in the past year. Most organizations have emergency plans for cyberattacks, yet 51% of respondents said no drills had been run to test those plans. Nearly 30% of employees were unsure of or unaware of their employer’s emergency plans, with 18-29-year-olds the least informed.

Emergency Communications

The range of methods used to communicate with workers during emergencies has grown in 2020. Email remains the most popular channel, used by 63% of organizations to communicate emergency information, but channels such as mass text messaging have grown in popularity. Mass texting is now used by 42% of the firms represented in the survey, although many still rely on outdated methods such as in-person announcements, which leave out remote workers.

The survey showed that employers tend to stick with dated communication methods, even though employees would prefer to receive safety and security notifications through a faster and more accessible channel, such as mass SMS.

Emergency Communication in the Health Industry

The survey found that a substantial percentage of healthcare workers were unaware of emergency plans for events such as system failures (22%) and active shooters (16%). In emergencies, email was the most common communication channel, used by 65% of healthcare organizations, followed by intercom systems (50%) and in-person announcements (44%). While these may work on site, they are ineffective for reaching remote workers, who would prefer to be notified by text message; yet only 41% of healthcare organizations use mass text message notifications in emergencies. The survey also revealed gaps in safety protocols, with 80% of healthcare employees not required to perform a safety check-in when working off-site.

The full results of the Annual Workplace Safety and Preparedness Study are available from Rave Mobile Safety.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has fired an employee for accessing patients’ medical records without authorization over a period of 15 months.

The hospital identified the privacy violations on March 5, 2020 and immediately terminated the employee’s access to hospital systems while it investigated. A review of access logs showed that the employee had viewed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The employee accessed information such as names, dates of birth, addresses, diagnoses, prescribed medications, visit details, and medical procedures. No health insurance details, financial data, or Social Security numbers were accessed.

No reason was given for why the employee accessed the medical records, but the hospital states that it believes the employee did not acquire, misuse, or disclose the information to anyone else. The hospital also confirmed that the employee is no longer employed there.

This is not the first data breach of its kind at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital found that a former employee had accessed patient medical records without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. Hackley Hospital in Muskegon, MI terminated a nurse on April 3, 2020, shortly after the nurse had raised concerns in media interviews about the hospital’s level of preparedness for the COVID-19 crisis and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association labor union, which said that Mercy Health had dismissed the nurse for speaking publicly. The union also filed a complaint with the National Labor Relations Board.

A union press release issued on April 21, 2020 stated that the termination of the nurse, Justin Howe, on April 3 came after he had publicly raised concerns about the shortage of suitable PPE and the need to improve screening procedures to protect nurses and healthcare workers during the COVID-19 pandemic.

Ten days after the nurse was dismissed, and one day after the union’s press release, Mercy Health issued a press release stating that the nurse had been dismissed for multiple violations of the HIPAA Rules. Mercy Health said it does not normally share information about employment matters concerning its staff but felt compelled to speak out because of the “misinformation campaign” started by the union.

Mercy Health states that Howe was dismissed for accessing patients’ medical records over a period of a couple of days. The records were not those of patients being treated in the area where Howe worked, and there was no legitimate work reason for accessing them. Mercy Health also states that Howe was not the only nurse dismissed for improperly accessing medical records.

According to Mercy Health’s press release, the hospital monitors for inappropriate access to privileged records, and Mr. Howe and others were fired for this reason. The investigation is ongoing.

Ciitizen HIPAA Right of Access Study Shows Substantial Improvement in Compliance

Healthcare providers’ compliance with the HIPAA Right of Access has improved significantly, according to the latest Ciitizen Patient Record Scorecard report.

To compile the report, Ciitizen assessed 820 healthcare providers on how they responded to patients’ requests for copies of their healthcare data. The providers assessed ranged from single-physician practices to large integrated healthcare delivery systems.

Under the HIPAA Privacy Rule, patients have the right to obtain a copy of their healthcare data from their providers. The request must be made in writing, and the provider must supply a copy of the health data held in a designated record set within 30 days of receiving the request. The data must be provided in the format the patient requested if the PHI can readily be produced in that format; if not, the provider must give the patient a paper copy or an alternative format agreed to by the patient.

For the study, Ciitizen users sent requests for copies of their healthcare data to their providers, and each provider was rated from 1 to 5 stars based on its response. A 1-star rating denotes a response that was not HIPAA-compliant. 2 stars are awarded when the request was eventually fulfilled satisfactorily, but only after multiple escalations to supervisors. 3 stars are awarded when the request was fulfilled with minimal intervention, and 4 stars go to providers that were fully compliant and responded seamlessly. 5 stars are awarded to providers with a patient-focused process that exceeds HIPAA’s requirements.

Previous studies found that most providers (51%) did not comply with the HIPAA Right of Access. The latest study saw an improvement of 27%: the percentage of providers awarded 4 stars rose from 40% to 67%, and the percentage awarded 5 stars rose from 20% to 28%.

Further good news from this year’s study showed that only 6% of the 820 healthcare providers charged patients reasonable fees for producing the records.

In earlier studies, many providers required patients to sign a standard form; this year, most providers accepted any form of written request and did not require patients to complete a specific form before processing it.

The latest study assessed considerably more providers, which may partly account for the improvement in compliance rates. The first Patient Record Scorecard report assessed 51 providers, the second 210, and the third 820. Ciitizen notes that the percentage of non-compliant providers in those studies correlated with a separate study of 3,000 providers, which indicates that the improvements are real.

Ciitizen attributes the better compliance rates to three primary factors:

  1. More attention has been focused on individuals’ right to obtain copies of their healthcare information since the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT published new rules that make it easier for patients to request copies of their healthcare information.
  2. Release of information (ROI) vendors, which process patient data requests on behalf of covered entities, have had a positive impact by ensuring compliance with the HIPAA Right of Access.
  3. The HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative a year ago and has since issued two covered entities with penalties of $85,000 for non-compliance.

Compliance has also probably been helped by the website Ciitizen set up to display each provider’s score, which encourages healthcare providers to comply with this vital aspect of HIPAA.

Shareholder Sues LabCorp to Recover Losses Due to Data Breaches

A LabCorp shareholder is taking legal action against the company and its executives and directors over a loss in share value attributed to two cyberattacks suffered by LabCorp in the past 12 months.

LabCorp was badly affected by the 2019 data breach at American Medical Collection Agency (AMCA), a medical debt collection company. Hackers infiltrated AMCA’s systems and obtained the data of 10,251,784 patients who had received LabCorp’s services. In total, the breach affected around 24 of AMCA’s clients.

TechCrunch reported a second data breach at LabCorp in January 2020, involving 10,000 LabCorp records, which the company allegedly neither publicly disclosed nor mentioned in any SEC filings. The breach was caused by a website misconfiguration that allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers verified that the files contained patient data.

Raymond Eugenio, whose LabCorp shares lost value as a result of the data breaches, filed the lawsuit on April 23, 2020 to recover those and other losses. The defendants named in the lawsuit are LabCorp and 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, director Adam Schechter, and CFO Glenn Eisenberg.

The lawsuit claims that both before and after the AMCA breach, LabCorp failed to implement appropriate cybersecurity processes and lacked adequate oversight of cybersecurity, which directly led to the two data breaches.

In an SEC filing, LabCorp stated that it spent $11.5 million on the AMCA data breach in 2019, including remediation costs; however, the lawsuit contends that this amount is only a fraction of the total losses and does not cover the cost of the litigation that followed. Several class action lawsuits filed by AMCA breach victims name LabCorp as a defendant, so the total losses are not yet known to shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. Eugenio therefore claims that LabCorp failed in its accountability to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit claims that LabCorp:

  • failed to implement effective internal policies, processes, and controls to safeguard patient information
  • provided inadequate oversight of compliance with federal and state regulations and with its own internal policies and procedures
  • did not have an adequate data breach response plan in place
  • provided PHI to AMCA without assurance that the company had adequate cybersecurity measures in place
  • failed to ensure that the individuals and entities affected by the breach were identified in a timely manner
  • did not make adequate public disclosures about the data breaches

The lawsuit seeks damages for losses suffered as a result of the breaches and public acknowledgment of the January 2020 data breach. It also calls for reforms to corporate governance and internal controls, including the creation of a board-level committee and the appointment of an executive officer to ensure adequate oversight of data security.

PHI Breaches at Ambry Genetics and Arizona Endocrinology Center

Ambry Genetics, a genetic testing laboratory based in Aliso Viejo, CA, is notifying 232,772 individuals that some of their protected health information (PHI) was exposed in a recent email security breach. At about 233,000 records, this is the second-largest healthcare data breach reported in 2020.

Ambry Genetics determined that an unauthorized individual had access to an employee’s email account between January 22 and January 24, 2020 and may have viewed and copied the protected health information of its clients. Security staff and third-party computer forensics specialists could not determine whether any data in the compromised account was accessed or stolen, but no reports have been received suggesting misuse of any personal information.

A review of the email account revealed that it contained information such as names, medical data, and other information related to the services Ambry Genetics provided. A small number of individuals also had their Social Security numbers exposed.

Ambry Genetics has taken steps to improve security and has provided employees with additional training on email security.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Boss

Arizona Endocrinology Center is notifying 74,122 patients regarding the impermissible disclosure of some of their PHI to another medical group by a physician who left the practice.

Shortly before Dr. Dwivedi left Arizona Endocrinology Center, he copied patient data and passed it to More MD, his new employer. The information he downloaded from the EHR included patient names, addresses, telephone numbers, medical record numbers, and each patient’s primary physician. Dr. Dwivedi did not obtain any Social Security numbers, health insurance information, or financial data.

Arizona Endocrinology Center became aware of the incident on February 17, 2020, when patients began reporting that they had received text messages from More MD informing them that Dr. Dwivedi had moved to that medical group; the messages also advertised More MD’s services. The breach investigation determined that the data was downloaded on January 12, 2020.

Arizona Endocrinology Center has informed its patients that it has no business relationship with More MD and that Dr. Dwivedi no longer works for the practice. As a result, it has been difficult to obtain assurances that the patient information has been deleted and will not be used. The practice noted on its website that patients and their families can contact Dr. Dwivedi and More MD directly to inquire about their personal information.