Sep 20, 2018

From the Office of Attorney General Maura Healey, an announcement of a settlement in the wake of insider breaches: 

BOSTON - UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. will pay a total of $230,000 to resolve claims that two separate data breaches exposed the personal and health information of more than 15,000 Massachusetts residents, Attorney General Maura Healey announced today.

According to the AG’s complaint, filed last week along with a consent judgment in Suffolk Superior Court, two former employees of UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. in separate breaches improperly accessed patients’ personal and protected health information for fraudulent purposes, such as opening cell phone accounts and credit card accounts. The AG’s Office alleges the UMass entities violated the Consumer Protection Act, the Massachusetts Data Security Law, and the Health Insurance Portability and Accountability Act when they failed to properly protect patients’ information.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said AG Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

Investigations by the AG’s Office revealed that the breaches exposed patient information including names, addresses, social security numbers, clinical information and health insurance information.

The AG’s lawsuit alleges that UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. knew of these employees’ misconduct but failed to properly investigate complaints related to these breaches, discipline the employees involved in a timely manner, or take other steps to safeguard the information.

As part of the settlement, the UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. have agreed to conduct employee background checks and ensure proper employee discipline; train employees on the proper handling of patient information; limit employee access to patient information; identify and remediate potential data security issues; and promptly investigate suspected improper access to patient information.

The UMass Memorial entities will also be required to hire an independent third-party firm to conduct a review of its data security policies and procedures, which the health care entities will report to the AG’s Office.

This matter was handled by Assistant Attorney General Michael Wong and Legal Analyst Elizabeth Carnes Flynn, with assistance from Division Chief Eric Gold, all of AG Healey’s Health Care Division.

Sep 18, 2018

John George reports:

Independence Blue Cross and its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey have alerted certain members of a recent incident involving a potential privacy issue related to protected health information.


“We quickly launched an investigation to determine the nature and scope of this incident, working with a leading forensics investigation firm to confirm what happened and what information may have been affected,” IBC said in a statement. “The investigation determined that an Independence employee uploaded a file containing limited member information to a public-facing website that was publicly accessible between April 23 and July 20.

Read more on Philadelphia Business Journal.

Update: It’s reportedly about 17,000 people affected.

Sep 17, 2018

Rich Shapiro and John Annese report:

An emergency room worker at Kings County Hospital stole the private information of nearly 100 patients and sold it through an encrypted app on his cell phone, the Daily News has learned.

Orlando Jemmott, 52, who worked at the city-run Brooklyn hospital for more than a decade, also fed more names and phone numbers to a buyer in Pennsylvania between December 2014 and April 2015, according to court documents.

FBI agents arrested Jemmott in February, and last week, they busted the alleged buyer, Ron Pruitt, 43, of Albrightsville, Pa.

Read more on NY Daily News.

Sep 14, 2018

Craig A. Newman writes:

The healthcare industry has been in the sights of hackers for some time. But a recent survey found that the biggest threat in the sector comes from within.

Verizon has just released its Protected Health Information Data Breach Report and found that 58% of the data security incidents in the industry came from insiders, a number higher than in any other industry. The study is based on an analysis of almost 1400 incidents during 2016-2017 in 27 countries. Almost 75% of the incidents occurred in the U.S.

Read more on Patterson Belknap Data Security Law Blog.

Sep 12, 2018

Lisa Joy reports:

An east-central Alberta woman feels vindicated after winning a wrongful termination case against a medical centre society where she worked as a receptionist. The woman claimed she was terminated without just cause and publicly humiliated. Red Deer Judge Andreassen agreed and awarded her $25,600 in compensation.

The Consort and District Medical Centre Society, months after terminating Sherri Galloway, claimed she violated privacy laws by viewing confidential patient medical records. Judge Andreassen, however, not only ruled there was no evidence to back up the board’s claims but also slammed their actions.

Read more on Red Deer Advocate.