New Jersey Fines Hackensack Healthcare Organizations for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has announced the settlement of a data breach investigation involving violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA).

Regional Cancer Care Associates, based in Hackensack, NJ, is the umbrella name for three healthcare organizations that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the attackers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account data, and credit card data.

In July 2019, breach notification letters were mailed to 13,047 individuals by a third-party vendor; however, the letters were mistakenly mailed to the individuals’ next of kin. The notification letters disclosed sensitive details such as the patient’s medical conditions, including cancer diagnoses, even though the patients had not authorized disclosure of that information.

Across the two incidents, the PHI of more than 105,000 individuals was compromised or impermissibly disclosed, including the PHI of about 80,000 New Jersey residents.

According to New Jersey Acting Attorney General Bruck, New Jerseyans fighting cancer must never have to stress about whether their medical care providers are appropriately securing their personal details from cyber threats. Healthcare companies should implement sufficient security measures to protect patient information, and companies that fall short will be held accountable.

The organizations allegedly violated HIPAA and the Consumer Fraud Act by:

  • failing to ensure the confidentiality, integrity, and availability of patient information
  • failing to protect against reasonably anticipated threats to the security or integrity of patient data
  • failing to implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
  • failing to conduct an accurate and thorough risk assessment
  • failing to implement a security awareness and training program for all members of the workforce.

Under the terms of the settlement, the three organizations will pay a $425,000 financial penalty and must implement additional privacy and security measures to ensure the integrity, confidentiality, and availability of PHI.

The companies must adopt and implement a comprehensive information security program, a written incident response plan, and a cybersecurity operations center; appoint a CISO to oversee cybersecurity; provide initial and annual workforce training on information privacy and security policies; and obtain a third-party assessment of the policies and procedures governing the collection, storage, maintenance, transmission, and disposal of patient information.

Division of Consumer Affairs Acting Director Sean P. Neafsey stated that organizations have a responsibility to take deliberate steps to protect health and personal data and to prevent unauthorized disclosures. The Consumer Affairs investigation showed that RCCA did not fully comply with HIPAA requirements, but the firms have agreed to enhance their security measures to ensure consumers’ information is protected.

New Jersey is very active in HIPAA enforcement. In the past few months, settlements were reached with two companies for violations of HIPAA and the Consumer Fraud Act: a New Jersey fertility clinic paid a $495,000 penalty in October, and two printing businesses paid a $130,000 penalty in November.

Approximately 50,000 Health Plan Members Affected by Broward County Public Schools Ransomware Attack

In March 2021, Broward County Public Schools in Florida suffered a ransomware attack in which its files were encrypted. According to the breach investigation, unauthorized individuals first gained access to the school network on November 12, 2020. Ransomware was deployed on March 6, 2021, and Broward County Public Schools discovered the attack on March 7, 2021.

The attackers issued a ransom demand of $40 million for the file decryption keys, later reduced to $10 million, but the school district did not pay. Initially there was no indication that sensitive data had been obtained in the attack, but on April 19, 2021 the district learned that files stored on its systems had been stolen when they were published on the Conti ransomware group’s data leak site.

Schools are not typically covered by the Health Insurance Portability and Accountability Act (HIPAA), so HIPAA breach notifications are not required when student information is compromised; in this case, however, the school district is a HIPAA-covered entity because it operates a self-insured health plan.

It was established on June 8, 2021 that some of the files obtained by the attackers contained names and Social Security numbers. Further review confirmed on June 29, 2021 that the attackers had viewed and possibly stolen the protected health information (PHI) of health plan members, including names, Social Security numbers, dates of birth, and benefits selection details.

Those individuals are now being notified about the breach and the possible theft of their information, more than a year after the initial intrusion and 5 months after the discovery that their PHI had been affected. Chief Communications Officer Kathy Koch attributed the delay in sending notifications to “a time-consuming analysis of the data that might have been gotten by the unauthorized party.” No cost credit monitoring services are currently being given.

It is not yet clear how many individuals were affected in total, but the breach was reported to the HHS’ Office for Civil Rights as affecting 48,684 individuals.

Medical Biller Sentenced to Jail for Identity Theft, Healthcare Fraud, and Tax Crimes

A medical biller from Tampa Bay, Florida has pleaded guilty to four counts of aggravated identity theft, four counts of healthcare fraud, two counts of failure to file a tax return, and one count of filing a false tax return.

Joshua Maywalt, 40, was employed as a medical biller at a Clearwater firm that provided medical billing and credentialing services to a range of healthcare clients in Florida. In that role, he had access to the firm’s financial information, provider names, and patient data.

Maywalt worked on the account of a Tampa Bay area doctor and submitted claims to Florida Medicaid HMOs for services the doctor provided to Medicaid recipients. Maywalt altered the company’s patient data and used the doctor’s name and ID number to submit false and fraudulent claims to a Florida Medicaid HMO for healthcare services that Maywalt represented as having been provided by the doctor when they were not. The “pay to” information on the claims for the fictitious services was changed to account numbers controlled by Maywalt.

Maywalt failed to file tax returns with the Internal Revenue Service for 2017 and 2018, and filed a false return for the 2019 tax year in which he substantially underreported his income by omitting the amounts deposited into his bank accounts from his fraudulent billing.

According to the United States Attorney’s Office for the Middle District of Florida, Maywalt will forfeit $2.2 million in cash and real property directly traceable to his crimes. He faces a maximum of 53 years in prison: 10 years for each healthcare fraud count, up to 3 years for filing a false tax return, up to 2 years for each count of failure to file a tax return, and a mandatory 2 years for each count of aggravated identity theft. The sentences for aggravated identity theft will run consecutively.

The Department of Health and Human Services’ Office of the Inspector General, the Florida Attorney General’s Medicaid Fraud Control Unit, the Federal Bureau of Investigation, and the Internal Revenue Service – Criminal Investigation investigated the case.

HHS’ Office for Civil Rights Issues 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing its enforcement of the HIPAA Right of Access and has recently announced another 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a large number of complaints from patients who were not given timely access to their health records.

The HIPAA Privacy Rule requires covered entities to give individuals access to their health records. A copy of the records must be provided within 30 days of the request, although a 30-day extension is permitted in some circumstances. HIPAA-covered entities are allowed to charge patients for copies of their records, but they may only charge a reasonable, cost-based fee. Labor costs may only be charged for copying, or otherwise preparing and sending, the PHI once it has been identified.

The enforcement actions to date have not been for charging excessive fees, but for impermissibly refusing to provide copies of the requested records or for unreasonable delays. In several cases, patients had to wait months before receiving a copy of their records.

According to OCR’s latest announcement, the number of HIPAA Right of Access enforcement actions taken under the 2019 initiative now stands at 25.

In the 5 new cases, OCR found that the healthcare providers violated 45 C.F.R. § 164.524 by failing to provide timely access to protected health information (PHI) after receiving a request from the individual.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, settled OCR’s investigation and paid the financial penalty. OCR will monitor the provider’s compliance with its corrective action plan for two years. The investigation was prompted by a complaint from a patient who requested his medical records on November 25, 2019 but did not receive them until March 19, 2020.

Denver Retina Center, a provider of ophthalmological services in Denver, CO, settled its case with OCR and paid a $30,000 financial penalty. It will be monitored for compliance with its corrective action plan for 12 months. A patient stated she requested her medical records in December 2018 but did not receive a copy until July 26, 2019. OCR had provided technical assistance to the provider after receiving an earlier HIPAA Right of Access complaint from the same patient and had closed the case; when evidence of continued non-compliance was obtained, the case was reopened. OCR determined that, in addition to the delay, Denver Retina Center’s access policies and procedures did not comply with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a residential eating disorder treatment provider in Eugene, OR, settled OCR’s investigation, paid a $160,000 financial penalty, and will be monitored for compliance with its corrective action plan for a year. OCR received three complaints from a patient who had not received the requested copy of her health information. The patient requested a copy of her records on October 1, 2019 and November 21, 2019, and did not receive the information until May 22, 2020.

Wake Health Medical Group, a provider of primary care and other healthcare services in Raleigh, NC, settled OCR’s investigation, paid a $10,000 financial penalty, and will implement corrective action to prevent further HIPAA Right of Access violations. OCR received a complaint from a patient who requested a copy of her medical records on June 27, 2019 and paid a flat fee of $25, the standard charge by Wake Health Medical Group for providing copies of records. As of the date of the settlement, the patient had still not received the requested records.

Dr. Robert Glaser, a cardiovascular disease and internal medicine physician in New Hyde Park, NY, did not cooperate with OCR during its investigation, but did not contest the findings and waived his right to a hearing. OCR imposed a civil monetary penalty of $100,000. The investigation was launched after OCR received a complaint from a former patient who stated he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017 and closed by OCR on December 15, 2017 after OCR instructed Dr. Glaser to review the complaint and provide the requested records if the requests were consistent with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018 and provided evidence of additional written requests. OCR attempted to contact Dr. Glaser on several occasions by letter and telephone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

Upstate Homecare, Sarasota MRI, and Consociate Health Notify Patients About Data Breaches

Upstate Homecare, Consociate Health, and Sarasota MRI have recently notified regulators and patients about security incidents affecting their personal data and protected health information (PHI).

Upstate Homecare Informs 5,100 Patients Regarding Ransomware Attack

Upstate Homecare, a home healthcare provider based in Albany, NY, has notified 5,114 patients about a recent ransomware attack in which patient information was stolen.

The breach notification letters did not state when the attack occurred; however, a third-party cybersecurity firm that investigated the incident determined on November 4, 2021 that patient data had been stolen and posted to a data leak site on the darknet.

The stolen information included full names, email addresses, physical addresses, dates of birth, telephone numbers, driver’s license numbers, Social Security numbers, bank account details, treatment data, patient ID numbers, physicians’ names, and Medicaid/Medicare numbers.

Following the attack, Upstate Homecare conducted a thorough review of its security measures and implemented additional safeguards to better protect its systems and data against future attacks. Affected individuals were notified on November 24, 2021 and offered complimentary identity theft monitoring and restoration services.

Sarasota MRI Alerts Patients Concerning Potential PHI Compromise

Sarasota MRI in Florida has started notifying certain patients about a possible breach of some of their protected health information. In late July 2020, an unaffiliated third-party cybersecurity firm contacted Sarasota MRI to report a misconfiguration of one of its servers that allowed information on the server to be accessed.

The affected server was confirmed to be no longer in use, and its data had already been migrated to another server. A review of the server found no evidence of access by unauthorized parties other than the security firm that discovered the misconfiguration.

However, because exposure of individuals’ names, dates of birth, health data, and medical images could not be ruled out, affected individuals are now being notified. According to the breach notification letter submitted to the Vermont attorney general on November 12, 2021, Sarasota MRI moved quickly to fix the problem, investigated the possible breach, and took steps to secure its systems.

Consociate Health Detects Breach at Employee Benefits Plan Administrator

Consociate Health, a provider of employee benefits programs and plan administration services, has recently completed a 10-month investigation into a data breach affecting the PHI of 982 individuals. The investigation determined that the breach only affected the PHI of individuals from January 1, 2014 through December 31, 2015.

The types of information exposed included names, addresses, dates of birth, diagnosis codes, medical record numbers, medical insurance data, medical record data, and Social Security numbers.

No evidence was found to suggest that any PHI has been misused; however, as a precaution, affected individuals have been offered 12 months of free identity theft monitoring services.

Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply

Three Rivers Regional Commission, Retinal Consultants Medical Group, and ACE Surgical Supply have recently reported cyberattacks in which unauthorized individuals may have obtained the protected health information (PHI) of patients.

11,603 Retinal Consultants Medical Group Patients Affected by Hacking Incident

Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, says it experienced a sophisticated cyberattack that was discovered on or around July 12, 2021 and caused a service disruption.

Vitreo-Retinal Medical Group engaged third-party cybersecurity specialists to help restore its systems and investigate the nature and scope of the attack. Although the investigation confirmed that unauthorized individuals had gained access to its computer network, it did not establish whether any PHI was accessed or exfiltrated. No reports have been received of actual or attempted misuse of patient data.

A thorough manual and programmatic review of the affected systems confirmed that the following types of sensitive information were potentially compromised: name, address, date of birth, medical condition or treatment details, medical record number, patient account number, diagnosis code, Medicaid/Medicare data, name of treating physician, health insurance details, and username/password. The Social Security numbers of a limited number of patients were also stored on the affected systems.

Vitreo-Retinal Medical Group said third-party cybersecurity specialists are assisting with a review of its security systems, and additional measures will be implemented, as needed, to improve data security.

The medical group began notifying affected individuals on November 9, 2021, and complimentary credit monitoring services were offered where appropriate.

2,000 Patients Impacted by Three Rivers Regional Commission Ransomware Attack

Three Rivers Regional Commission, a regional planning organization in Griffin, GA, has discovered that unauthorized individuals may have obtained the PHI of about 2,000 individuals in a ransomware attack.

The attack was discovered on July 20, 2021, when staff were unable to access its computer systems. Third-party cybersecurity professionals assisted Three Rivers Regional Commission in determining whether the attacker had access to its systems between July 18, 2021 and July 20, 2021 and, before deploying the ransomware, exfiltrated files containing sensitive records.

The forensic investigation is ongoing, and breach notification letters will be sent to affected individuals once their identities and contact details have been confirmed. At this stage, the following types of data are believed to have been exfiltrated in the attack: name, Social Security number, address, driver’s license number, and medical data such as diagnosis and treatment information, lab test results, medications, and Medicare/Medicaid ID numbers.

Three Rivers Regional Commission said it is implementing additional administrative and technical safeguards to protect the records in its systems.

Cyberattack on ACE Surgical Supply Affects 12,122 People

ACE Surgical Supply, based in Brockton, MA, has learned that an unauthorized individual accessed its IT environment and may have viewed or obtained the protected health information of 12,122 individuals.

The attacker accessed its IT systems on June 29, 2021, and the breach was detected the same day. The investigation confirmed that the affected systems contained personal information as well as financial account numbers, debit/credit card data, and details that could potentially allow account access.

ACE Surgical Supply said affected individuals have been offered two years of free credit monitoring and identity theft protection services.

More than 650K Patients of Community Medical Centers Informed Concerning Hacking Incident

Hackers may have obtained the protected health information (PHI) of more than 650,000 patients of Community Medical Centers (CMC) in California.

CMC is a not-for-profit network of community health centers serving patients in Solano, San Joaquin, and Yolo counties in Northern California. CMC detected suspicious activity in its computer systems on October 10, 2021 and took its systems offline to prevent further unauthorized access. An investigation was launched, with assistance from third-party cybersecurity specialists, to determine the nature and scope of the breach.

The forensic investigation confirmed that unauthorized individuals had gained access to parts of its network where protected health information was stored, including first and last names, dates of birth, mailing addresses, Social Security numbers, medical data, and demographic details.

Because of the sensitive nature of the compromised data, CMC is offering complimentary identity theft protection, identity theft resolution, and credit monitoring services to affected individuals. CMC said it has confirmed its systems are now secure, its security policies and procedures have been reviewed and updated, and its information management policies have likewise been reviewed and updated.

CMC has notified law enforcement about the breach, as well as the appropriate state attorneys general and the Department of Health and Human Services.

The breach report submitted to the Maine attorney general states that the PHI of 656,047 individuals was potentially exposed.

Professional Healthcare Management Suffers Ransomware Attack

Professional Healthcare Management (PMH) has started notifying some patients about the potential compromise of some of their PHI in a ransomware attack that occurred in September 2021.

PMH discovered the attack on September 14 and quickly took steps to secure its servers and workstations. Third-party cybersecurity and incident response professionals helped PMH promptly secure and restore its networks and operations. The healthcare provider’s investigation into the nature and scope of the breach confirmed that the attackers potentially obtained patients’ personal data and PHI.

The breach investigation is ongoing and, to date, no evidence of patient data theft or misuse has been identified; nevertheless, notification letters are being sent to affected individuals and the incident has been reported to the HHS’ Office for Civil Rights.

PMH said the following types of patient information were potentially compromised: Social Security numbers, first and last names, health insurance details (Medicaid number, Medicare number, and insurance identification number), diagnosis code(s), and prescription name(s).

Additional safeguards are being implemented to improve IT security, cybersecurity policies and procedures are being updated, and employees have received additional cybersecurity training.

UPMC Hacker Gets Maximum Sentence of 7 Years in Prison

The hacker responsible for the unauthorized access to University of Pittsburgh Medical Center (UPMC) databases and the theft of the W-2 information and personally identifiable information (PII) of around 65,000 UPMC employees has received the maximum sentence for the offense and will serve 7 years in prison.

Sean Johnson of Detroit, Michigan, also known as TheDearthStar and Dearthy Star, hacked into UPMC databases in 2013 and 2014 and stole highly sensitive information, which he then offered for sale on dark web hacking forums. Identity thieves used the data to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged that Johnson carried out further cyberattacks between 2014 and 2017 and stole the PII of another 90,000 individuals. Those records were likewise sold to identity thieves on dark web sites.

Fraudulent tax returns totaling $2.2 million were filed, and approximately $1.7 million was paid out by the IRS. The proceeds were converted into Amazon gift cards and used to purchase high-value goods that were shipped to Venezuela.

Three co-conspirators of Johnson were arrested and charged for their roles in the UPMC attack. In August 2016, Cuban national Yolandy Perex Llanes was extradited to the United States. In April 2017, he pleaded guilty to money laundering and aggravated identity theft, and was sentenced to 6 months in prison in 2017.

In April 2017, Justin A. Tollefson of Spanaway, Washington pleaded guilty to four counts of using the stolen identities of UPMC employees to file fraudulent tax returns. He had purchased the PII on a dark web site and used it to file false returns in the names of 4 UPMC employees. The IRS issued $56,333 in tax refunds, but Tollefson was arrested before he received any of the money. Because Tollefson had not profited from the theft, the judge was lenient and sentenced him to three years of probation in 2017.

Maritza Maxima Soler Nodarse, a Venezuelan citizen, pleaded guilty in July 2017 to conspiracy to defraud the United States for her role in the identity theft and tax fraud scheme. She was sentenced to 16 months in prison and was repatriated to Venezuela.

Johnson received the maximum sentence despite pleading guilty to the hacking offenses, because of the severity of the offenses and their impact on the victims. Chief United States District Judge Mark R. Hornak said Johnson’s actions were devastating to victims and that his hacking showed no regard for them. “The actions of hackers just like Justin Johnson can have long-term and damaging consequences on innocent individuals.”

Johnson was sentenced to 5 years in prison on the charge of conspiracy to defraud the United States and a mandatory 2-year sentence for aggravated identity theft, with the sentences to run consecutively.

The information stolen by Justin Johnson consisted of the names, addresses, Social Security numbers, and salary data of countless UPMC employees. He sold that personal data on the dark web so that other criminals could further exploit his victims. Today’s sentence sends a deterrent message that hacking has very serious consequences.

Ransom Disclosure Act Demands Disclosure of Payments to Ransomware Gangs Within 48 Hours

New legislation has been introduced that would require ransomware attack victims to disclose any ransom payments made to attackers to the Department of Homeland Security (DHS) within 48 hours of paying the ransom.

Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) introduced the Ransom Disclosure Act. The bill aims to give the DHS the information it needs to investigate ransomware attacks and to improve understanding of how cybercriminal enterprises operate, allowing the DHS to build a clearer picture of the ransomware threat facing the United States.

From 2019 to 2020, ransomware attacks increased by 62% globally and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, 20% more than the previous year, and $29 million more in losses from ransomware attacks were reported in 2020. Not all ransomware attacks are reported: many victims choose to quietly pay the attackers to obtain the keys to decrypt their files and to avoid public disclosure of any data breached in the attack.

Chainalysis estimates that ransomware gangs worldwide received about $350 million in cryptocurrency payments in 2020, a 311% increase. Attacks have continued to increase in 2021: according to Check Point’s mid-year security report, the first half of 2021 saw 93% more ransomware attacks than the same period last year.

As the ransomware attack on Colonial Pipeline showed, the threat actors behind these attacks pose a significant national security risk. That attack shut down a major fuel pipeline for about a week. The attack on JBS Foods disrupted food production, and the large number of attacks on the healthcare sector has affected healthcare providers’ ability to treat patients. This year, CISA stated that ransomware attacks delay care and affect patient outcomes, and there has been a fatality in the U.S. that is alleged to have been caused by a ransomware attack.

Ransomware attacks continue to rise because they are lucrative, providing ransomware groups and their affiliates with substantial profits, while the risk of being caught and prosecuted is low. Unfortunately, investigations into ransomware gangs can be hampered by a lack of information, hence the introduction of the Ransom Disclosure Act.

Although the FBI encourages victims to report ransomware attacks to assist investigations, reporting is not mandatory. Unfortunately, because victims are not required to report ransomware attacks or payments to federal authorities, the critical data needed to understand these cybercriminal groups and deter these intrusions is lacking, said Congresswoman Ross. The bill would impose crucial reporting requirements, including the amount of ransom demanded and paid and the type of currency used. The U.S. cannot continue to fight ransomware attacks without this information.

The Ransom Disclosure Act would require:

  • Ransomware victims (excluding individuals) to disclose any ransom payments within 48 hours of making the payment, including the amount, the currency used, and any information collected about the entity demanding the ransom.
  • The DHS to publish the information disclosed during the prior year about ransoms paid, excluding identifying information about the entities that paid.
  • The DHS to create a website through which individuals can voluntarily report ransom payments.
  • The Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated the attacks, and to make recommendations for protecting information systems and strengthening cybersecurity.

Guidance about HIPAA and COVID-19 Vaccination Status Disclosures Published by OCR

The Department of Health and Human Services’ Office for Civil Rights has published guidance on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status information and to requests about whether an individual has been vaccinated against COVID-19.

OCR pointed out in the guidance that HIPAA applies only to HIPAA-covered entities: the healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions, and the business associates of those entities that access or use protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or employment records, including records collected or maintained by HIPAA-covered entities in their capacity as an employer.

In a Q&A on its website, OCR explained how HIPAA applies to COVID-19 vaccination information in specific scenarios:

The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Nor are employees of a HIPAA-covered entity or business associate prohibited from asking whether someone has been vaccinated.

The HIPAA Privacy Rule does not prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine.

The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.

The HIPAA Privacy Rule does not prohibit a covered entity or business associate from requiring its workforce members to disclose to their employer or other parties whether they have received a COVID-19 vaccine.

OCR explained that, in general, the HIPAA Privacy Rule does prohibit a doctor’s office from disclosing a patient’s PHI, including COVID-19 vaccination information, to the patient’s employer or other parties. Such disclosures are permitted only where the Privacy Rule allows them, for example disclosure to a health plan to obtain payment for administering the vaccine, or disclosure to a public health authority.

OCR also explained that there are circumstances in which a HIPAA-covered healthcare provider is permitted to disclose PHI about a patient’s vaccination status to the patient’s employer.

This is permitted only so that the employer can conduct an evaluation relating to medical surveillance of the workplace (for example, surveillance of the spread of COVID-19 among the workforce) or evaluate whether the individual has a work-related illness. Such disclosures are permitted only if all of the following conditions are met:

  • The covered healthcare provider is providing the healthcare service to the individual at the request of the individual’s employer, or as a member of the employer’s workforce.
  • The PHI disclosed consists of findings concerning a work-related illness or injury or workplace-related medical surveillance.
  • The employer needs the findings to comply with its obligations under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or a state law with a similar purpose.
  • The covered healthcare provider gives the individual written notice that PHI relating to workplace medical surveillance and work-related illnesses and injuries will be disclosed to the employer.

OCR said the guidance is intended to help individuals, businesses, and healthcare entities understand when HIPAA applies to disclosures of COVID-19 vaccination status, and to ensure they have the information they need to make informed decisions about protecting themselves and others from COVID-19.

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR). She succeeds Robinsue Frohboese, who had served as Acting OCR Director since Roger Severino resigned in mid-January.

OCR’s primary responsibility is ensuring that covered entities comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety Rule, and the Patient Safety and Quality Improvement Act, in addition to enforcing federal civil rights, conscience, and religious freedom laws.

Pino, who is from New York City, speaks Spanish and is the first-generation daughter of immigrant parents. She earned her B.A., M.A., and J.D. with honors from Arizona State University and later completed a leadership program at Harvard Kennedy School as a National Hispana Leadership Institute Fellow.

Pino began her career as a legal aid lawyer in the Southwest, advocating for the rights of migrant farm workers. She continued her civil rights work at the United States Department of Agriculture (USDA), where she served as Deputy Assistant Secretary for Civil Rights and as Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP).

While at USDA, Pino drafted the department’s first gender identity anti-discrimination program rules and its first limited English proficiency guidance. Leading USDA’s outreach and engagement efforts, she played a major role in ensuring that minority farmers received the benefits awarded to them through class action settlements.

Pino was also a Senior Executive Service appointee of President Barack Obama and served as Senior Counselor at the U.S. Department of Homeland Security (DHS). There she played a major role in mitigating the largest federal data breach to date, the 2015 hacking of the records of 4 million federal employees and 22 million surrogate profiles, by renegotiating 700 vendor procurements and establishing a new cybersecurity regulatory program.

Most recently, Pino served as Executive Deputy Commissioner of the New York State Department of Health, the agency’s second-highest executive position. In that role she led New York’s operational COVID-19 pandemic response and oversaw program development for Medicare, Medicaid, the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC), Wadsworth Laboratories, hospital and alternative care facilities, the AIDS Institute, the Center for Environmental Health, and the Center for Community Health.

Lisa is an outstanding public servant. Her breadth of experience and management expertise, in particular her work advancing civil rights law and policy at the U.S. Department of Agriculture (USDA) during the Obama-Biden Administration, will help ensure that the rights of every individual across the country are protected.

PHI of Dignity Health Patients Contained in Stolen Laptop Computer

Resource Anesthesiology Associates (RAA) of California has begun notifying a number of patients of Dignity Health’s Mercy Hospital Southwest and Mercy Hospital Downtown that a laptop computer containing some of their protected health information (PHI) has been stolen.

RAA of California provides anesthesiology services at Dignity Health hospitals, which requires access to patient information. On July 8, a laptop computer belonging to an RAA of California administrator was stolen. RAA reported the theft to law enforcement, but the device has not been recovered.

RAA of California investigated to determine which patient data was stored on the laptop and could potentially be viewed. The review confirmed that the laptop contained names, addresses, dates of birth, provider names, dates of service, diagnosis and treatment information, health insurance information, and other information related to patients’ care.

The laptop was password protected, which provides some protection against unauthorized access; however, passwords can be guessed, so there is a possibility that unauthorized individuals could access the data on the laptop. A login password alone does not protect data at rest: the drive can be removed and read on another machine unless it is encrypted, which is why full-disk encryption, rather than a login password, is the control that matters for lost or stolen devices. RAA of California said it has found no evidence that any data stored on the laptop has been accessed or misused.

RAA of California believes the risk of misuse of patient data is low, but as a precaution it is offering affected individuals a complimentary membership to identity theft protection services through IDX, which includes 12 months of CyberScan monitoring, a $1 million identity theft insurance policy, and fully managed identity theft recovery services.

Jackson Health Investigates Social Media HIPAA Violation Involving a Nurse

Jackson Health is investigating a privacy violation after a nurse posted photographs of a newborn with a birth defect on Facebook.

A nurse working in the neonatal intensive care unit at Jackson Memorial Hospital posted two photographs on Facebook of a baby with gastroschisis, a rare birth defect of the abdominal wall in which the intestines protrude outside the body. The photographs carried the captions “Your intestines posed (sic) to be inside not outside baby! #gastroschisis” and “My night was going great then boom!” The photographs were posted on accounts belonging to Sierra Samuels.

Posting images of patients on social media without authorization is a serious violation of patient privacy. Photographs of patients are protected health information (PHI), and posting them on social media, even in closed Facebook groups, violates the Health Insurance Portability and Accountability Act (HIPAA) unless the patient has given prior authorization.

HIPAA requires healthcare organizations to provide privacy training to their workforce. Training must be provided within a reasonable time after a person joins a covered entity’s workforce and should be regularly reinforced; best practice is annual HIPAA privacy refresher training. Covered entities must also implement and enforce a sanctions policy that clearly states the penalties workforce members face if they violate the HIPAA Rules.

After being alerted to the social media posts, Jackson Health launched an investigation into the privacy breach and promptly placed the nurse on administrative leave pending its outcome. Protecting patient privacy is the top priority at Jackson Health System, and any potential privacy breach is taken seriously and thoroughly investigated, a Jackson Health spokesperson said. Jackson Health also confirmed that employees who violate patient privacy, despite their training, face disciplinary action up to and including suspension or termination.

OCR Issues 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The 20th financial penalty under the HIPAA Right of Access enforcement initiative has been issued by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has agreed to pay an $80,000 penalty to settle an alleged violation of the HIPAA Right of Access and to adopt a corrective action plan addressing the noncompliance identified by OCR. OCR will monitor CHMC’s compliance for one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gives individuals the right to obtain a copy of the protected health information (PHI) a HIPAA-covered entity holds about them, and allows parents and legal guardians, as personal representatives, to obtain copies of their minor children’s health records. Covered entities must provide the requested records within 30 days of the request and may charge only a reasonable, cost-based fee for copies. In limited circumstances a covered entity may take a single 30-day extension, provided it notifies the individual in writing of the reason for the delay, so the maximum time allowed is 60 days from receipt of the request.

Individuals who believe their HIPAA rights have been violated cannot sue a HIPAA-covered entity over the violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who said CHMC had failed to provide timely access to her daughter’s health records.

CHMC received the parent’s request and provided some of her daughter’s medical records but did not provide all of the records requested, and the parent made several follow-up requests. OCR’s investigation confirmed that the parent requested a copy of her late daughter’s health information on January 3, 2020. Some of the requested records were provided, but the remainder had to be obtained from a different CHMC division. Some of the outstanding records were provided on June 20, 2020 and the rest on July 16, 2020. OCR determined that this constituted a violation of the HIPAA Right of Access provision, 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures relating to the HIPAA Right of Access, submit them to OCR for review, distribute the approved policies to its workforce, and ensure that training is provided.

Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records when the parent is the child’s personal representative, said Acting OCR Director Robinsue Frohboese. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.

California DOJ Must Be Notified of Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to notify the HHS’ Office for Civil Rights (OCR) of data breaches, and healthcare organizations must also comply with state data breach notification laws.

Many states have enacted their own data breach notification laws, which typically require notification of the state Attorney General when a breach exceeds a specified threshold. State Attorneys General can bring civil actions against healthcare organizations that fail to issue the breach notifications required by HIPAA and state law. California’s reporting threshold is consistent with HIPAA’s: a breach affecting 500 or more California residents must be reported to the California Department of Justice (DOJ).

Recently there have been several cases in which the California DOJ was not notified of ransomware attacks on California healthcare providers, even though the personal and protected health information (PHI) of California residents had potentially been compromised in the attacks.

California Attorney General Rob Bonta has issued a bulletin reminding all entities that hold the confidential health-related information of California residents of their obligation to report data breaches under California law (Civil Code section 1798.82). A breach of the health information of 500 or more California residents must be reported to the Office of the Attorney General. The California DOJ then publishes the breach notice on its website so that the public is aware of the breach and victims can take steps to protect themselves against identity theft and fraud. Individual notices must also be sent to affected individuals.

Timely breach notification helps affected individuals mitigate the losses that can result from fraudulent use of personal data obtained in a breach of health information. It is therefore essential for healthcare providers to be proactive and vigilant in reducing their exposure to ransomware attacks, and to meet their health data breach notification obligations in order to protect the public.

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient records against ransomware attacks.

State and federal health data privacy laws, including the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), require healthcare entities and companies that handle health information to implement appropriate procedures to ensure the confidentiality of that information, including security measures that help prevent malware infections such as ransomware, so that consumers’ health data is protected against unauthorized use and disclosure.

Healthcare institutions are urged to take the listed proactive measures:

  • Keep operating systems and software that store or process health information up to date
  • Apply security patches promptly
  • Install antivirus software and keep it updated
  • Provide regular data security training to employees, including training on how to recognize phishing attacks
  • Restrict users from downloading, installing, and running unapproved software
  • Maintain and regularly test a data backup and recovery plan for all critical data (ransomware operators routinely target online backups, so at least one copy should be kept offline or otherwise immutable)

Cyberattack Forces Memorial Health System to Transfer Patients to Other Hospitals

Memorial Health System, based in Marietta, OH, has been forced to divert emergency patients because of a suspected ransomware attack.

When the attack occurred, the health system shut down its IT systems to contain it. Emergency procedures were implemented because critical IT systems were unavailable, and staff are working from paper charts.

Memorial Health System operates three hospitals in Ohio and West Virginia, all of which were affected by the attack. With electronic health records inaccessible, patient safety could have been put at risk, so the decision was made to divert emergency patients.

Marietta Memorial Hospital will continue to accept STROKE, STEMI, and TRAUMA patients. Belpre and Selby are on diversion for all patients because of limited radiology availability. All other patients should be taken to the nearest accepting facility. If all area hospitals are on diversion, patients will be taken to the emergency department nearest to where the emergency occurred. The diversion will remain in place until IT systems are restored.

All urgent surgical cases and radiology exams scheduled for the following day were postponed; primary care appointments are proceeding as scheduled, although patients with appointments were advised to call ahead to confirm.

Memorial Health System President and CEO Scott Cantley said that the safety and security of patients and their care is the organization’s top priority and that everything possible is being done to minimize disruption. Staff at Marietta Memorial, Selby, and Sistersville General Hospital are using pen and paper while systems are restored and data recovered.

The health system has launched an investigation, but it is too early to determine how much data, if any, was compromised. Officials said no evidence has yet been found that the attackers obtained employee or patient information. IT specialists are systematically investigating the breach to determine how the attackers gained access to its systems, what actions they took once inside, and which systems and files they accessed or exfiltrated.

The attack has been reported to the FBI and the Department of Homeland Security, and the health system is working closely with its IT partners to restore its systems and data as quickly as possible.

Bleeping Computer reports that it has seen evidence indicating the Hive ransomware group was behind the attack. Like many other ransomware operations, Hive is known to exfiltrate data before deploying ransomware and runs a leak site that it uses to pressure victims into paying the ransom.

According to Bleeping Computer, the evidence suggests that databases containing the protected health information (PHI) of about 200,000 patients were stolen in the attack, including names, Social Security numbers, and dates of birth.

Dynamic Health Care Malware Attack Impacts Several Illinois Nursing and Rehabilitation Facilities

Patients and employees of several nursing and rehabilitation facilities in Illinois are being notified that some of their protected health information (PHI) may have been compromised in a cyberattack on Dynamic Health Care, Inc.

Dynamic Health Care provides administrative, consulting, and back-office services to nursing and rehabilitation facilities in Illinois, which requires access to certain staff and patient information. On November 8, 2020, Dynamic Health Care discovered that malware had been installed on several computers on its network and launched an investigation to determine the nature and scope of the incident.

Dynamic Health Care said an unauthorized individual had access to its network from November 8, 2020 to January 7, 2021. During that time the attacker may have viewed or obtained information about employees and nursing home residents at facilities including Waterfront Terrace, Woodbridge Nursing Pavilion, Bridgeview Health Care Center, Ottawa Pavilion, Willow Crest Nursing Pavilion, and River North of Bradley Health & Rehabilitation Center.

A comprehensive review of all files on the affected computers confirmed that sensitive data had been exposed. The types of data involved varied from person to person and may have included name, date of birth, Social Security number, name of the treating nursing facility, dates of admission and/or discharge, and resident ID number.

Dynamic Health Care has sent breach notification letters to all affected individuals. The company said it already had strict security measures in place to protect the data in its possession, and that those measures have been strengthened since the breach. Employees have received additional training and education to help prevent future incidents.

Overlake Hospital Medical Center Proposes Settlement to Close the Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data.

The breach resulted from a phishing attack that was detected on December 9, 2019. The investigation revealed that unauthorized individuals had gained access to the email accounts of several employees: one account was compromised from December 6 to December 9, 2019, and the others were compromised for a few hours on December 9.

The investigation found no evidence that patient information had been stolen or misused, but unauthorized access to protected health information (PHI) and data exfiltration could not be ruled out. The compromised email accounts contained the PHI of approximately 109,000 patients.

Affected individuals were notified starting on February 4, 2020, and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing its email retention policies, and providing additional training to staff. Overlake has spent $148,590 on security upgrades since the breach and has committed to further improvements costing $168,000 a year for the next three years.

The lawsuit, Richardson v. Overlake Hospital Medical Center, filed in the Superior Court of King County, Washington, alleged that Overlake was negligent in failing to prevent unauthorized individuals from accessing its systems, and also alleged intrusion upon seclusion/invasion of privacy, breach of confidence, breach of express contract, breach of fiduciary duty, and breach of implied contract. Although 109,000 individuals were notified of the breach, the class comprises only 24,000 people, since the remaining patients’ PHI was not exposed.

The lawsuit alleged that the hospital failed to implement reasonable safeguards to protect the privacy of HIPAA-covered information and did not provide adequate notice of the breach. Overlake Hospital Medical Center has denied all claims in the lawsuit and any wrongdoing, and chose to settle with no admission of liability.

Under the terms of the settlement, two types of claims may be submitted. Class members may claim up to $250 for documented out-of-pocket expenses incurred as a result of the breach, such as bank fees, phone charges, postage, fuel for local travel, and up to three hours of documented time at $20 an hour, provided at least one full hour was spent on mitigation. Credit report fees and the cost of credit monitoring and identity theft protection services purchased between February 4, 2020 and the date of the Court’s preliminary approval of the settlement can also be claimed.

Claims for extraordinary expenses of up to $2,500 may also be submitted. These must be supported by evidence of losses that were more likely than not incurred because of the breach between December 1, 2019 and the end of the claims period.

A fairness hearing has been slated for Sept. 10, 2021.

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced that nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected health information and the submission of fraudulent claims for pandemic unemployment insurance benefits.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits (Pandemic Unemployment Assistance, or PUA) were made available to individuals affected by the COVID-19 pandemic who would not normally qualify for unemployment payments.

In one case, former Scripps Health employee Matthew Lombardo was charged with felony HIPAA violations for obtaining and disclosing patients’ protected health information (PHI) to his alleged co-conspirators. Lombardo was also charged, together with three alleged co-conspirators, Konrad Piekos, Dobrila Milosavljevic, and Ryan Genetti, with conspiracy to commit wire fraud. Genetti, Piekos, and Milosavljevic were additionally charged with aggravated identity theft and are alleged to have used the stolen data to submit fraudulent claims for pandemic unemployment insurance.

The case began when the San Diego Sheriff’s Department stopped Konrad Piekos for driving without a license plate. As deputies approached the vehicle they saw an assault rifle in plain view. Piekos admitted the rifle was unregistered, and a search of the vehicle turned up several loaded firearms and ammunition. A search of Piekos’ home under warrant uncovered more firearms and ammunition, quantities of heroin and fentanyl, and cell phones. After obtaining warrants to search the phones, detectives found text messages between Genetti, Piekos, and Lombardo discussing the distribution of narcotics and firearms and a way to obtain unemployment benefits using other people’s personally identifiable information (PII).

Piekos and Genetti allegedly began the scheme to fraudulently obtain PUA benefits in July 2020, with Lombardo joining in August 2020. According to the indictment, Lombardo used his position as a patient financial services representative to access patients’ PII, which he passed to Piekos, Milosavljevic, and Genetti beginning on August 15, 2020. Lombardo’s employment with Scripps Health ended on April 14, 2021.

In the second case, Genetti and three other defendants, Garrett Carl Tuggle, Lindsay Renee Henning, and Salvatore Compilati, were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a further defendant, Juan Landon, were charged with possession of methamphetamine, heroin, and cocaine with intent to distribute. The defendants submitted more than 108 separate claims for PUA benefits, totaling $1,615,000.

Lombardo faces a maximum of 10 years in prison and a fine for the HIPAA violation. The conspiracy to commit wire fraud charge carries a maximum of 20 years in prison and a fine, and the aggravated identity theft charges carry a mandatory minimum sentence of 2 years, which must be served consecutively to any other sentence.

Pandemic unemployment insurance programs are a critical part of our safety net, created to help hardworking citizens weathering an unprecedented economic downturn, said Acting U.S. Attorney Randy Grossman. Our office and our law enforcement partners will investigate and prosecute those who try to steal from programs created to support deserving individuals.

CaptureRx Facing Multiple Class Action Lawsuits Because of the Ransomware Attack Affecting 2.4 Million Patients

CaptureRx, a provider of healthcare administrative services, is facing multiple class action lawsuits over its failure to protect patient information that was obtained by unauthorized individuals in a February 2021 ransomware attack.

NEC Networks, doing business as CaptureRx, provides IT solutions that help hospitals manage their 340B drug discount programs, and in doing so receives patients’ protected health information (PHI).

On or around February 6, 2021, CaptureRx detected suspicious activity, including file encryption, in parts of its IT systems. The investigation confirmed that files containing the PHI of more than 2.4 million patients were exposed in the attack.

In its breach notice, CaptureRx said that it is reviewing and improving all of its policies and procedures and providing additional employee training to reduce the likelihood of a similar incident in the future. Affected individuals were advised to remain vigilant against identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor their free credit reports for suspicious activity and errors.

On July 21, 2021, plaintiff Michelle Rodgers filed a lawsuit in the U.S. District Court for the Western District of Texas. Rodgers is a patient of ARcare in Augusta, AR, whose personal data and PHI were compromised in the attack.

Rodgers and the class members allege that CaptureRx failed to implement and maintain reasonable security measures and did not comply with industry-standard data security practices to protect the privacy of their PHI, in violation of federal and state law. The plaintiff and class members are seeking monetary damages and injunctive and declaratory relief.

A similar lawsuit was filed earlier in the District Court for the Western District of Texas by plaintiff Mark Vereen, naming NEC Networks, CaptureRx, and Midtown Health Center of Los Angeles as defendants. That suit alleges the defendants failed to take the steps needed to prevent a data breach whose risk should have been known, that the plaintiffs face “harm that might be long-term and serious” and could continue for many years, and that the defendants violated Federal Trade Commission regulations and HIPAA. The lawsuit seeks more than $5 million in damages.

A Missouri resident has also filed suit in federal court in Kansas City on behalf of all Missouri residents affected by the breach, seeking at least $5 million in damages.