Sep 202018
 

Today was not a good day for hospitals in Massachusetts.  First, we saw the state’s attorney general announce a settlement between the state and UMass Memorial Healthcare and UMass Memorial Medical Centers involving insider breaches for fraudulent purposes.

And now we see this announcement from the federal regulator, OCR:

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients. Collectively, the three entities paid OCR $999,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

This is the second HIPAA case involving an ABC medical documentary television series, the previous being OCR’s April 16, 2016 settlement with New York-Presbyterian Hospital in association with the filming of “NY Med.”

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

To resolve potential HIPAA violations, BMC has paid OCR $100,000, BWH has paid OCR $384,000, and MGH has paid OCR $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media: http://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html.

The respective Resolution Agreements and Corrective Action Plans may be found on the HHS website at:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bostonmed/index.html

Sep 202018
 

From the Office of Attorney General Maura Healey, an announcement of a settlement in the wake of insider breaches: 

BOSTONUMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. will pay a total of $230,000 to resolve claims that two separate data breaches exposed the personal and health information of more than 15,000 Massachusetts residents, Attorney General Maura Healey announced today.According to the AG’s complaint, filed last week along with a consent judgment in Suffolk Superior Court, two former employees of UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. in separate breaches improperly accessed patients’ personal and protected health information for fraudulent purposes, such as opening cell phone accounts and credit card accounts. The AG’s Office alleges the UMass entities violated the Consumer Protection Act, the Massachusetts Data Security Law, and the Health Insurance Portability and Accountability Act when they failed to properly protect patients’ information.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said AG Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

Investigations by the AG’s Office revealed that the breaches exposed patient information including names, addresses, social security numbers, clinical information and health insurance information.

The AG’s lawsuit alleges that UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. knew of these employees’ misconduct but failed to properly investigate complaints related to these breaches, discipline the employees involved in a timely manner, or take other steps to safeguard the information.

As part of the settlement, the UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. have agreed to conduct employee background checks and ensure proper employee discipline; train employees on the proper handling of patient information; limit employee access to patient information; identify and remediate potential data security issues; and promptly investigate suspected improper access to patient information.

The UMass Memorial entities will also be required to hire an independent third-party firm to conduct a review of its data security policies and procedures, which the health care entities will report to the AG’s Office.

This matter was handled by Assistant Attorney General Michael Wong and Legal Analyst Elizabeth Carnes Flynn, with assistance from Division Chief Eric Gold, all of AG Healey’s Health Care Division.

Sep 182018
 

Seth Rosenblatt and Pinguino Kolb report:

Ransomware attacks are serious business for hackers―and often completely avoidable. Hospitals and health care systems, now in the business of collecting patient data as a side effect of treating physical maladies, struggle to keep that information secure.

While there’s no ransomware-specific cost estimate to the health care business, Verizon’s annual Data Breach Report for 2018 estimates that ransomware is included in 85 percent of the successful malware attacks against hospitals. Cybersecurity researchers at Cylance estimated that the number of ransomware attacks tripled in 2017. And researchers at the Ponemon Institute estimated in May 2016 that the annual cost of health care breaches was $6.2 billion per year.

Read more on The Parallax.

Sep 182018
 

Amy L. Hanna Keeney of Adams and Reese writes about an opinion in a court case that stemmed from one of TheDarkOverlord’s hacks: their attack on Athens Orthopedic Clinic (AOC). I had covered that breach extensively, including commenting on the fact that AOC did not offer any free services to patients whose data had not only been stolen, but had either been publicly dumped on Pastebin and/or reportedly put up for sale on dark net markets.

As Keeney explains in her article, only one of three named plaintiffs in Collins, et al. v. Athens Orthopedic Clinic actually alleged that they had actually experienced fraudulent charges on any of their accounts, and the complaint didn’t actually claim that the fraud had a causal connection to the hack. Basically, the plaintiffs were alleging that they incurred the cost of identity theft protection, credit monitoring, and credit freezes.

Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.

AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).

Disappointingly to privacy advocates, the court held that just an increased risk of harm was not sufficient to grant the plaintiffs standing.

The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”

The trial court’s dismissal of plaintiffs’ complaint was affirmed.

That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.

Read more on Daily Report.

From my perspective, the decision is an unfortunate one that once again fails to appreciate the harm and costs patients and consumers incur from a breach.

Sep 182018
 

John George reports:

Independence Blue Cross and its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey have alerted certain members of a recent incident involving a potential privacy issue related to protected health information.

[…]

“We quickly launched an investigation to determine the nature and scope of this incident, working with a leading forensics investigation firm to confirm what happened and what information may have been affected,” IBC said in a statement. “The investigation determined that an Independence employee uploaded a file containing limited member information to a public-facing website that was publicly accessible between April 23 and July 20.

Read more on Philadelphia Business Journal.

Update:  It’s reportedly about 17,000 people affected.