Feb 14, 2018

If you were an entity that wound up as part of a $3.5 million settlement with HHS in 2015, you probably wouldn’t want to be reporting yet another breach to HHS now, particularly if your area was still trying to recover from a major hurricane and crisis. Yet that’s the situation Triple-S Advantage, an independent licensee of the BlueCross BlueShield Association in Puerto Rico, seems to have found itself in. From their notification:

Triple-S Advantage has a strong commitment to protecting the confidentiality of our members’ sensitive information. We take information privacy very seriously and it is important to us that our members are made fully aware of a potential privacy issue. We have learned that personal information of some of our members, including their name, health plan identification number, date of service in which treatment was provided, and treatment codes describing the service provided was mailed to the wrong address. The Social Security Numbers and date of birth of our members were NOT disclosed as a result of this incident.

On December 5, 2017, Triple-S Advantage discovered that notices sent in November 2017 to health care providers involved in the treatment of our members were mailed to the wrong address. However, we have not received any indication that the information has been accessed or used by an unauthorized individual.

Triple-S Advantage has performed an extensive investigation into why and how their personal information was disclosed. We have taken immediate steps to ensure additional notices to our members and your health care providers are sent to the correct address, such as: correction of the mailing process, completion of testing and sending the letters to the correct address of your provider. The members who may have been affected by this incident will receive first-class mail notices.

We have reported the incident to the required government agency, the Health Insurance Administration of Puerto Rico (ASES), and will comply with the evaluation as required by the Office for Civil Rights within the time period established.

We are making an announcement about this incident so that affected Triple-S Advantage members can consider taking action to reduce the chances that their personal information will be misused:

  • Review Explanation of Benefits notices that you receive from us or your health care providers to make sure that the services reported as provided were received by you. If your Explanation of Benefits reflects services that you did not receive, please contact our Customer Service Call Center immediately.
  • Make sure that you continue to receive documents that you have normally received regarding your health care services or benefits.

If you or a family member belong to Triple-S Advantage and want additional information about the incident, you may contact our Customer Service Department from Monday through Sunday from 8:00 am to 8:00 pm at our toll-free number 1-888-620-1919, TTY users should call 1-866-620-2520 or by e-mail at: [email protected].

You may also visit our Internet website www.sssadvantage.com for further information.

If you are a Medicare Platino member, you can also contact the Health Insurance Administration of Puerto Rico (ASES) at or Customer and Providers Services Offices (PROBENE) at 1-800-981-2737/1-800-981-ASES from Monday through Friday 8:00 am to 4:30 pm, a Customer Services Representative will assist you. TTY users should call (787) 474- 3389. You can also contact us by email at [email protected].

Triple-S Advantage sincerely apologizes for and regrets this situation. The privacy and security of our members’ information is very important. We are working hard to strengthen our processes for the benefit and protection of our members.

Please Note: Triple-S Advantage will NOT call or email anyone requesting any personal information as a result of this incident. If you receive an unsolicited call or email that appears to be from Triple-S Advantage, your local hospital or physician office, please do not provide any personal information in response to these calls or emails.



Hygienist Steals Patients, Leaves Dentist with Huge Legal Bills

Feb 14, 2018

So we’ve all read breach reports about employees or former employees stealing patient data to go start a new competitive practice or to help their new employer. A blog post on Dental Practice Marketing and Management by Jim Du Molin about a dental hygienist stealing patient data for her new place of work read like many other such reports, until I got to the detail about what happened when the victim dentist sued her. He had been tipped off to what his former employee had been doing, which allegedly cost him about 150 patients and more than $1,000,000 in lost revenue over a five-year period:

You’d think it would be a slam-dunk. In court, Hygienist X point-blank admitted under oath that she had taken Dr. Michigan’s patient list.

Here’s the unbelievable part: the judge threw the case out, ruling that the patient list was not covered under the Michigan Uniform Trade Secrets Act. The judge was in effect saying that a doctor’s patient list is not protected information. (In a similar Pennsylvania case, the patient list was found to be a trade secret, but that’s of little help to Dr. Michigan.)

So Dr. Michigan now finds himself working two jobs just to pay his legal bills.

So in Michigan, it seems that even if you buy a practice and the purchase contract includes the patient list and a non-compete clause, you may have no redress if an employee then steals the patient data list.

Read more on Dental Practice Marketing and Management.

But what about under HIPAA? I would think the hygienist might be charged criminally under HIPAA for stealing PHI if the dental practice was covered by HIPAA. That might not help this dentist commercially, but maybe HHS prosecuting more cases criminally and issuing press releases about prosecutions might deter some others in the future?

At the very least, I would think that the victim dentist should file a complaint against the hygienist with the state licensing board and seek to have her license revoked or suspended for unethical conduct. Again, it would not necessarily help the victim dentist commercially, but insider wrongdoing needs to be addressed. Did the hygienist’s new employer fire her after learning what she had done? If not, why not?

Consequences for HIPAA violations don’t stop when a business closes

Feb 13, 2018

There’s a new settlement announcement from HHS OCR that makes clear that even if an entity closes its doors, any HIPAA enforcement action continues:

A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 out of the receivership estate to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Filefax, located in Northbrook, Illinois, advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law.

On February 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015. OCR opened an investigation, which confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ protected health information (PHI).

OCR’s investigation indicated that between January 28, 2015, and February 14, 2015, Filefax impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.

Filefax is no longer in business. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others. In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Filefax/index.html.

Feb 12, 2018


On February 1, Coastal Cape Fear Eye Associates in North Carolina notified HHS of a hacking incident that impacted 925 patients. Unlike many other ransomware reports where there is no clear evidence of PHI acquisition or compromise, in this incident, there was evidence of actual compromise, although no evidence of exfiltration. Here is the entity’s notice that appeared on their web site:

HIPAA Notice to CCFEA Patients

As a health care provider, Coastal Cape Fear Eye Associates (“We” or “CCFEA”) values and respects the privacy of its patients’ personal information, and we take seriously our responsibility to secure all information that has been entrusted to us by our patients.  For this reason, we wanted to let the public know that we recently experienced a ransomware attack that compromised certain patient data.

On December 5, 2017, we discovered that, despite the security measures put in place by us and our information technology consultant, a file on CCFEA’s computer system was infiltrated by ransomware. The ransomware attack deployed malicious code, resulting in our being unable to access certain electronic files. We immediately engaged independent information technology professionals, and while they were able to quickly quarantine and remove the ransomware from the impacted file, we remained, until recently, unable to access the data stored in the electronic file to determine the types of information compromised and patients affected.

Following an investigation by CCFEA and independent information technology professionals, it was determined that while there is no evidence that any of the data was removed from the files, the ransomware attack did result in a compromising of certain electronic files containing patient records including patient names, addresses, dates of birth, phone numbers, Social Security Numbers, insurance card numbers, driver’s license numbers, email addresses, ethnicities, emergency contacts, medical histories, medications, legal documents, diagnosis records, physician notes, medical diagrams, and billing and payment histories, as well as scanned copies of Medicare cards, insurance cards, and drivers’ licenses. Our investigation is ongoing and our information technology professionals are working to implement additional security measures to protect against future attacks.

We deeply regret that some of our patients’ protected health information has been compromised. CCFEA is working to individually notify all affected patients and file the appropriate reports with the North Carolina Department of Justice and the United States Department of Health and Human Services to ensure the incident is properly addressed.

If your personal information was compromised in the ransomware attack and we have your current address, you will be receiving a letter from us informing you of the data breach and providing you with steps you should take to protect your identity and information.

If you have any questions or further concerns, please contact Dee Smith at 910-762-0057.

Feb 10, 2018

There’s an update to an insider-wrongdoing lawsuit that I first noted back in September 2013, after some employees at Rensselaer County Jail filed suit against their employer for snooping in their medical records.

As I’ve reported in the past, the breaches occurred against a backdrop where the county jail uses Samaritan Hospital to provide services to inmates and employees, but the jail also has its own medical personnel. In this case, a nurse left her login information conveniently handy for others who did not have access to the medical database and some unauthorized employees allegedly used those login credentials to snoop on inmates and coworkers. As my previous digging into this case indicated, the breaches began in 2008, were discovered in 2011 by Samaritan Hospital, but were not disclosed to those affected until 2013 – allegedly because the Sheriff, who became a defendant in the litigation, asked the hospital to delay notification. The Sheriff’s role also became significant in the litigation because employees claimed that he was misusing access to see if they were complying with his policies about not taking excessive medical leave from work.

In any event, in 2016, the lawsuits were dismissed with prejudice, in part because the court held that the employees had not demonstrated that anything in their medical records was sensitive enough that, if viewed by an employer, it would expose them to discrimination. The claims under the CFAA were dismissed for failure to state a claim.

The plaintiffs appealed, and now the Second Circuit Court of Appeals has affirmed in part and reversed in part.

Of special note, the court held that even individuals with non-stigmatizing medical conditions have a right to privacy in their medical records, even if their interest in privacy might be less (than someone with a stigmatizing condition). So the court has remanded the case back to the district court, but instructed the lower court to also consider whether qualified immunity might apply.

Continue to stay tuned.

h/t Law360.com, which reported on this update first.