Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) announced that it has reached a $25,000 settlement with Metropolitan Community Health Services to deal with violations of the HIPAA Security Rule.

Metropolitan Community Health Services based in Washington, NC is a Federally Qualified Health Center that offers integrated medical, dental, behavioral health & pharmacy services for adults and children. Doing business as Agape Health Services, Metro gives marked down medical services to the underserved citizenry located in rural North Carolina. Metropolitan Community Health Services has about 43 workers and assists 3,100 patients every year.

On June 9, 2011, Metropolitan Community Health Services submitted a report to OCR regarding a breach of 1,263 patients’ protected health information (PHI). OCR performed a compliance review to determine whether the breach resulted from noncompliance with the HIPAA Rules. The OCR investigation discovered persistent, systemic noncompliance with the HIPAA Security Rule.

Before the breach occurred, Metropolitan Community Health Service was unable to impose HIPAA Security Rule policies and processes, in violation of 45 C.F.R. §164.316, and an appropriate and comprehensive evaluation of the potential threats to the integrity, confidentiality, and availability of ePHI was not done, in violation of 45 C.F.R. § 164.308(a)(l )(ii)(A). In spite of being in business starting from 1999, the provider did not have any HIPAA security awareness and training for its workforce prior to June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

If determining an ideal settlement, OCR thought about the size of the company and a number of other variables. Besides shelling out a financial penalty of $25,000 to take care of the HIPAA violations, Metropolitan Community Health Services agreed to follow a solid corrective action plan and will make sure to implement policies and procedures according to the specifications demanded by HIPAA. For two years, Metropolitan Community Health Services will be supervised if it complies with the set corrective action plan.

This $25,000 settlement is the second in 2020 that a HIPAA covered entity paid to resolve its violations of HIPAA Rules. The first settlement in March 2020 involved a $100,000 financial penalty paid by Steven A. Porter, M.D regarding risk analysis and risk management failures.

The fine demonstrates that healthcare organizations, large or small, must comply with HIPAA Rules. Health care organizations owe it to their patients to comply with the HIPAA Rules. When notified of probable HIPAA violations, providers need to immediately deal with problem areas to protect the health information of individuals, according to OCR Director Roger Severino.

States Start to Make Temporary COVID-19 Telehealth Changes Permanent

States introduced interim emergency waivers to their telehealth rules after the HHS’ Centers for Medicaid and Medicare Services (CMS) decided to broaden access to telehealth services and maximize coverage in response to the COVID-19 pandemic. Healthcare organizations and patients have received the modifications to telehealth policies, which enhanced telehealth services access to manage the spread of the SARS-CoV-2. There were growing demands for making the changes permanent, and a number of states like Colorado, Idaho, and Massachusetts have taken steps to make sure the changes continue on after the end of the COVID-19 public health emergency.

On March 16, 2020, the Massachusetts Board of Registration in Medicine (BORIM) authorized a new policy that says a similar standard of care is applicable to in-person and telehealth sessions and a face-to-face experience is not a pre-requisite for a telehealth session. The policy was launched on a short-term basis in line with COVID-19 response, but on June 26, 2020, the new policy is permanent as per BORIM. This is the initial telehealth-specific policy that BORIM adopted. Of the states that first acted on making the COVID-19 telehealth policies permanent, Massachusetts is one.

At the Federal level, there were growing calls to make the telehealth services access permanent and to continue reimbursement parity for in-person and virtual visits even after the COVID-19 national public health emergency is over.

CMS Administrator Seema Verma has shown support for extending telehealth access. The Senate Committee on Health, Education, Labor & Pensions (HELP) recently held a meeting and discussed the 30+ temporary adjustments to Federal telehealth policies. The Senate Committee then urged Congress to make permanent a number of of the changes. There is a frequently held perspective that telehealth can boost patient outcomes, help providers provide a more effective patient experience, and that telehealth can help lessen the cost of healthcare provision.

Two Federal policy modifications that have drawn significant support are the relaxing of the Medicare originating site prerequisite to permit doctors to give telehealth services to all patients, regardless of where they are located, and increasing the number of telehealth services allowed under Medicare.

These and a few other policy modifications have gotten support at the state level. A number of other states have at this point taken steps to better telehealth access. This week, Colorado Governor Jared Polis signed a bill that forbids the requirement by health insurance firms that a patient needs to have a pre-established relationship with a virtual care provider. The law, which applies to Medicaid and state-controlled health plans, likewise prohibits insurance companies from imposing more location, certification, or licensure prerequisites on providers before issuing telehealth reimbursement and the limitations on the technology that may be used to offer telehealth services were likewise removed. Audio or video interaction solutions just must be compliant with the HIPAA Security Rule.

Idaho Governor Brad Little has likewise taken steps to make the COVID-19 modifications to telehealth regulations permanent, such as the state’s interim telehealth rule waivers that raised the medications that may be prescribed in telehealth consultations, the extending of the technology that may be utilized for rendering telehealth services, and the switch that allows out-of-state physicians to provide virtual patient treatments.

All states extended access to telehealth services for Medicaid beneficiaries after the CMS announcement about the extension of access to telehealth and greater coverage. A lot more states are currently anticipated to make the emergency changes permanent. Nevertheless, health insurance companies should also make changes and validate that they will continue to repay physicians for virtual sessions at the same price as in-person visits, or else it is most likely that telehealth services will be dropped and have in-person visits only.

KLAS Recognizes TigerConnect as a Top-Rated Innovative Clinical Communications Systems

KLAS acknowledged TigerConnect as the most broadly employed care team collaboration solution, and ranked it among the top-rated systems in its 2020 KLAS Clinical Communications Advanced User Insights report.

KLAS is a company that specializes in medical care IT data and insights. It conducts an unbiased analysis of software programs and services that healthcare organizations use as well as payers across the world. The business gathers responses from healthcare professionals that are using software solutions and services, examining insights and determining trends. Healthcare providers all over the world are using the KLAS report to make decisions with regard to healthcare care apps and services.

The data contained in the Clinical Communications 2020 Advanced User Insights report consist of the data compiled by KLAS from a number of case studies and in-depth interviews with 3 to 5 top users of systems at companies at the leading edge of the clinical network to establish how these options have improved performance, security, and patient satisfaction. The report shows the outcome that was achieved, the lessons actualized by sophisticated end-users, and the selection of workflows that every communication system deals with.

TigerConnect was recognized as having a very large client base that includes individuals from inpatient and non-inpatient care environments. KLAS learned that TigerConnect is very customer-focused, with active development for advanced users comprising a variety of care settings. The platform had the most extensive array of workflows for advanced users among all systems assessed for the report. It was the only clinical communications platform that had in excess of 50% usage of its cutting edge workflows among the ten varied types examined.

In addition, TigerConnect was rated as the top vendor for patient-centered care team communication platforms, pre-admission workflows, discharge & post-discharge process, and clinical support personnel workflows. TigerConnect was recognized as having excellent capabilities such as enabling communication to keep going despite EHR outages, allowing care directors to coordinate care with referred health care providers, and linking messages to patient files and incorporating all pertinent information for patient care.

The KLAS report demonstrates TigerConnect’s best asset, which is the functionality to help healthcare organizations all through the entire cycle of patient care to significantly be connected and better results, claims CEO of TigerConnect, Brad Brooks. More than 6,000 healthcare organizations count on TigerConnect to enable smooth movement in a scalable, utterly integrated, simple-to-use solution. With plenty of concerns in the healthcare sector during the COVID-19 crisis, the prospect for advancement that elevates care and strengthens the bottom line is now.

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

More and more healthcare organizations are facing legal action because of a ransomware attack that resulted in patient data theft. The Florida Orthopedic Institute, a big orthopedic provider in Florida, is one of the most current healthcare companies to encounter a class action lawsuit due to a ransomware attack.

Florida Orthopedic Institute detected the ransomware attack on April 9, 2020 when employees could not access computer systems and information because the files were encrypted. A third-party computer forensics company was hired to investigate and confirmed on May 6, 2020 that patient data may have been accessed and exfiltrated by attackers. The selection of sensitive information possibly compromised were names, birth dates, Social Security numbers, and medical insurance data. Impacted patients received notification regarding the breach on or about June 19, 2020 and received offers of free identity theft and credit monitoring services for one year. During the issuance of notifications, there is no proof found that indicate the misuse of patient data.

Not long ago, lawyer John Yanchunis of Morgan & Morgan filed legal action against Florida Orthopedic Institute located in Hillsborough County, FL. The lawsuit alleges that the healthcare provider did not implement the right safety measures to make sure the privacy of patient information. He stated that surely, cyber criminals got hold of this information and used it maliciously.

The lawsuit claims the healthcare company was lackadaisical, not serious, careless, or negligent with regard to keeping the privacy of its patients and standard cybersecurity guidelines were not observed. Aside from negligence, the legal case alleges intrusion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and breach of Florida’s Deceptive and Unfair Trade Practices Act.

Although patients were provided free identity theft protection services, Attorney Yanchunis states that one year of identity theft protection services is not sufficient to secure victims, given that impacted persons currently deal with a higher risk of financial problems due to the breach for several years in the future.

The lawsuit wants longer credit monitoring for victims and a minimum of $99 million in damages for the present and past patients.

There is no posting yet about the incident on the HHS’ Office for Civil Rights breach portal, consequently, the number of patients impacted by the attack is presently uncertain. Based on the lawsuit, there are no less than 100,000 patients impacted and possibly over 150,000.

Various recent ransomware attacks have resulted in lawsuits, for example, the attack on BST & Co CPAs LLC and DCH Health System. Grays Harbor Community Hospital just lately recommended a $185,000 settlement to pay for the class action lawsuit submitted on account of a breach victim.

$185,000 Settlement Offered to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

Grays Harbor Community Hospital and Harbor Medical Group agreed to the proposed settlement of the class-action lawsuit filed by the representative plaintiff over a ransomware attack in June 2019 that caused patient data encryption.

The plaintiff and Grays Harbor discussed the settlement to avoid the uncertainty of a trial and the expenditures of further litigation. The Court did not decide the settlement in favor of either party.

The Washington healthcare provider identified the ransomware attack in June 2019 and shut down its systems to block the virus, but it was too late as its computer systems were already encrypted. Grays Harbor created data backups in case of such an incident. However, the ransomware attack encrypted the backup files as well. The provider’s electronic health record system was also inaccessible for about two months.

The attackers demanded a ransom of $1 million for the keys to decrypt the data. Gray’s Harbor got an insurance policy that covers up to $1 million, though it is uncertain whether that insurance policy covered expenses and paid for the ransom demand. Irrespective, it was not possible to retrieve all encrypted data in the attack. The protected health information (PHI) of some patients was not retrieved.

The lawsuit claimed the provider violated several rules including the:

  • Washington State Uniform Healthcare Information Act
  • Washington State Consumer Privacy Act
  • State Constitution’s Right to Privacy

The lawsuit further claimed that Harbor Medical Group and Grays Harbor Community Hospital neglected to secure the privacy of patients and had a breach of implied contract, a breach of express contract, and an intrusion of privacy.

The agreed settlement entailed no admission of liability on the part of Harbor Medical Group and Grays Harbor Community Hospital. All claims mentioned in the lawsuit were denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement amount of $185,000 for covering the claims of the 88,000 patients affected by the ransomware attack. Patients affected by the breach can submit claims for a maximum of $210 per person to cover out-of-pocket expenses incurred because of the breach and approximately three hours of documented lost time handling the after-effects of the breach at a price of $15 per hour.

Claims as high as $2,500 can also be filed for other provable losses acquired that were more possible than not because of the ransomware attack. All available credit monitoring insurance and identity theft insurance should be depleted before Grays Harbor is accountable for any bigger payouts. When the claims go over $185,000 they will be paid pro-rata to minimize costs.

Class members have until July 27, 2020 to exempt themselves from the settlement or file an objection. There will be a fairness hearing on August 31, 2020. To get a share of the settlement fund, submit a claim by December 23, 2020.

Subsequent to the ransomware attack, the provider took steps to improve security and spent more than $300,000 in information security. Another $60,000 will be invested in security enhancements over the next three years.

This data breach settlement is the second announcement this week. The first settlement was proposed by UnityPoint Health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. UnityPoint Health agreed to settle claims for $2.8 million or more as there is no cap on claims payments.

Vulnerability found in Philips Ultrasound Systems

Philips has identified an authentication bypass problem that impacted Philips Ultrasound Systems. An attacker could potentially exploit this issue to access or change information. The vulnerability is caused by the presence of an optional path or approach that may be employed to circumvent authentication controls.

The vulnerability is referred to as CVE-2020-14477. It is a vulnerability regarded as low severity with an assigned CVSS v3 base rating of 3.6 out of 10. In order for an attacker to exploit the vulnerability, local access to an insecure system is necessary. Remote exploitation of the vulnerability is not possible. Further, exploiting this vulnerability does not endanger patient safety.

The vulnerability has been reported to impact the Philips Ultrasound Systems listed below:

  • Ultrasound Xperius all versions
  • Ultrasound ClearVue Versions 3.2 and earlier versions
  • Ultrasound EPIQ/Affiniti Versions VM5.0 and earlier versions
  • Ultrasound CX Versions 5.0.2 and earlier versions
  • Ultrasound Sparq Version 3.0.2 and earlier versions

The vulnerability has been fixed for the VM6.0 release of the Ultrasound EPIQ/Affiniti systems. Consumers using these systems ought to get in touch with their Philips representative for more details about the update installation.

Consumers of all other impacted systems should wait until quarter 4 of 2020 for the release of an update. Philips is going to resolve the vulnerability in Ultrasound CX Version 5.0.3, Ultrasound ClearVue Version 3.3 and Ultrasound Sparq Version 3.0.3 release in quarter 4 of 2020.

For the time being, as a temporary safety measure, Philips advises users to make sure that their services providers check device integrity when conducting service and repair procedures. It is additionally a good idea to employ physical security measures to stop unauthorized persons from accessing the devices.

Breaches Reported by St. Luke’s Health-Memorial Lufkin, Iowa Total Care and RiverPointe Post Acute

CHI St. Luke’s Health-Memorial Lufkin in Texas began sending notifications to patients about the potential unauthorized access of some of their protected health information (PHI).

An investigation of a data breach by the threat management team of St Luke’s was conducted on March 25, 2020. Third-party experts performed a forensic investigation and confirmed on April 23, 2020 that an unapproved outside party potentially accessed two employees’ email accounts.

The investigators did not find any evidence supporting unauthorized access or theft of data, however, the possibility cannot be eliminated. The email accounts held information such as names, diagnosis data, facility account numbers, and dates of services. According to the investigation, St. Luke’s is convinced that no patient data was used inappropriately. However, certain patients received offers of free credit monitoring services via Experian as a precautionary measure.

St. Luke’s investigated the security breach extensively, checked data access logs, and performed a threat intelligence analysis. The provider reset all passwords across the facility, changed and upgraded hardware, improved security by making changes to software, and modified processes for network access.

The HHS’ Office for Civil Rights has not published the breach yet on its breach portal, hence the number of patients affected by the breach is still uncertain.

PHI of 11,500 Iowa Total Care Members Compromised Due to Email Error

Iowa Total Care learned that an employee impermissibly disclosed the PHI of thousands of patients. On April 29, 2020, the employee emailed an Excel file that contains claims information to a big provider organization. The Excel file enclosed the PHI of patients that had not gotten healthcare at the organization.

The spreadsheet included 11,581 patients’ names, birth dates, Medicaid ID numbers, procedure and diagnosis codes. Iowa Total Care is a HIPAA covered entity hence is informed of the requirement to secure PHI and has stated that the Excel file was deleted and it was not copied or shared.

Iowa Total Care has re-trained the involved employee and carried out more safety measures to avert the same mistakes in the future.

633 Patients’ PHI Lost at RiverPointe Post Acute

RiverPointe Post Acute Carmichael, CA informed 633 nursing home residents about the exposure of some of their PHI. The provider sent a USB storage device that contains names, some Social Security numbers and insurance ID numbers by mail but the device went missing in transit. The postal office was informed about the loss prompting a search for the storage device, but it cannot be found.

Although no particular evidence was discovered to suggest the device was taken by an unauthorized person, affected people were offered free identity theft protection services as a safety measure. Additional training on data security is being given to employees.

NY District Court Brings Back Data Breach Suit Against Episcopal Health Services to State Court

Patients of Episcopal Health Services Inc. located in Uniondale, N.Y. filed a legal case in relation to the exposure of their private and protected health information due to a phishing attack in 2018. The New York State Supreme Court has kicked back the legal case for further proceedings.

The lawsuit claims Episcopal Health Services was unable to secure the private details of its patients from unauthorized disclosures. Because of those setbacks, certain employee email accounts of Episcopal Health Services encountered a breach from August 28, 2018 to October 5, 2018. The types of sensitive data held in the email accounts included the patients’ names, dates of birth, addresses, Social Security numbers, and financial data. The PHI of about 218,000 patients was compromised in this email system breach.

The legal case named three plaintiffs, both of which were St. John’s Episcopal Hospital’s patients. They alleged they experienced injuries due to the compromise of their personal data. The case referred to the Federal Trade Commission (FTC) Act and the Health Insurance Portability and Accountability Act (HIPAA), with the plaintiffs alleging that Episcopal Health Services had broken those rules. The plaintiffs likewise claimed there was a breach of implied contract, breach of fiduciary duty, a delayed sending of notifications about the breach, and negligence regarding the employment and training of its personnel.

Episcopal Health Services took away the lawsuit from the New York State Supreme Court, purporting that the claims were covered by HIPAA and the FTC Act, which are federal rules. The defendant likewise wanted to have the legal case dismissed due to a lack of standing and inability to assert a claim.

The legal case was kicked up to the U.S. District Court for the Eastern District of New York, which not long ago determined that the legal action didn’t bring up any concerns related to federal law. Though The FTC Act and HIPAA were mentioned in the legal case, the claims weren’t founded on HIPAA or FTC Act violations, rather they were typical law causes of action. There’s no private cause of action in either HIPAA or the FTC Act. Actions could simply be undertaken for breach of HIPAA by the Department of Health and Human Services or State Attorneys General, whereas the FTC Act could merely be enacted by the Federal Trade Commission.

District Court Judge Dora L. Irizarry determined that the District Court had no power to preside the lawsuit, thus the lawsuit was returned to the New York State Supreme Court for other proceedings. There is no regulation done on Episcopal Health Services’ motion to disregard the legal case.

Hacker Arrested and Accused for the UPMC Cyberattack in 2014

The United States Attorney’s Office of the Western District of Pennsylvania reported the arrest of a suspect who was charged for hacking the University of Pennsylvania Medical Center (UPMC) human resources databases in 2014.

UPMC operates 40 hospitals in 700 outpatient sites and doctors’ offices and has more than 90,000 employees. In January 2014, UPMC found out that a hacker accessed a human resources server Oracle PeopleSoft database where the personally identifiable information (PII) of 65,000 UPMC employees is contained. The stolen data in the attack was allegedly offered for sale on the darknet. There were names, dates of birth, addresses, salary and tax data, and Social Security numbers included.

The suspect was named as Justin Sean Johnson. He is 29 years old from Michigan who formerly worked at the Federal Emergency Management Agency as an IT specialist.

On May 20, 2020, Johnson, who worked under the monikers TDS and DS, was accused of the following 43 counts: one count of conspiracy, 37 counts of wire fraud, and 5 counts aggravated identity theft. Allegedly, Johnson hacked into the database, exfiltrated PII, and offered for sale the stolen information on darknet marketplaces like AlphaBay Market to several global buyers. Prosecutors additionally state that Johnson sold other PII on the darknet forums besides the PII of UPMC workers from 2014 to 2017.

The stolen UPMC PII was eventually used in an extensive campaign to dupe UPMC employees. Hundreds of bogus tax returns were filed in the names of UPMC employees, which prosecutors point out led to about $1.7 million in fake refunds being released. Those refunds were converted into Amazon gift cards that were used to get about $885,000 in goods, which were mostly delivered to Venezuela to be marketed in marketplaces online.

Two other folks were charged in 2017 in association with the hacking of UPMC:

  • Maritza Maxima Soler Nodarse, a Venezuelan national who pleaded guilty to conspiracy to defraud the United States and was engaged in submitting bogus tax returns was sentenced to time served and was deported.
  • Yoandy Perez Llanes, a Cuban national who pleaded guilty to money laundering and aggravated identity theft, is waiting for his sentence in August 2020

The breach investigation revealed that the hacker got access to the OracleSoft database first on December 1, 2023. After accessing the database, the hacker performed a test query and accessed the data of roughly 23,500 individuals. Between January 21, 2014 and February 14, 2014, the hacker accessed the database multiple times every day and stole the data of thousands of UPMC employees.

Johnson faces a long prison term if found at fault of the offenses. The conspiracy charge carries a 5 years maximum prison term and a fine of as much as $250,000. The wire fraud charges carry a 20-years maximum prison term and a fine of approximately $250,000 for each count and, there will be an obligatory 2-year prison term for aggravated identity theft and a fine of about $250,000 for each count.

The healthcare sector is a major target of cybercriminals wanting to steal personal information for use in fraudulence; the Secret Service is determined to discovering and arresting those that participate in offenses that exploit the Nation’s critical systems to turn a profit.

Hackers like Johnson ought to know that the U.S. Secret Service will not stop going after them until they are in custody and made accountable for their crimes.

NAAG Urges Apple and Google to Further Protect the Privacy of Users of COVID-19 Contact Tracing Apps

On June 16, 2020, The National Association of Attorneys General (NAAG) wrote a letter to Google and Apple to convey concern about consumer privacy associated with COVID-19 contact tracing and exposure notification software. NAAG has recommendations to help secure the personally identifiable information and sensitive health data of the hundreds of thousands of people who will be advised to download the apps to help manage COVID-19.

Although digital contact tracing could offer a useful tool to track the spread of COVID-19 and support the public health action to the pandemic, such technology poses a threat to consumers’ personally identifiable information, including sensitive health information, that could keep going much longer the present public health emergency finishes.

Privacy protections are important for making sure that users of the apps do not have sensitive data exposed or utilized for intentions other than assisting to handle the spread of COVID-19. Without privacy protections, users probably won’t download the apps, which will reduce their effectiveness. A study performed by the University of Oxford indicates that to achieve the aims of the apps, there must be an uptake of about 60% of a populace. If customers feel their privacy is in danger, that figure won’t be achieved.

Current perceptions concerning the privacy protections associated with COVID-19 contact tracing apps were looked into in a recent survey carried out on behalf of the antivirus company Avira. Of the 2,005 respondents in the United States, 71% reported they do not have a plan to utilize the apps if they are offered. 44% were worried about digital privacy, 39% stated the apps offered a false sense of security, 37% stated they think the apps won’t work, and 35% do not believe the app companies.

The survey unveiled that the majority of consumers do not have confidence in Apple and Google to safeguard the data gathered by the programs. Just 32% of respondents stated they believe the companies to safeguard their sensitive data, though both companies have taken action to implement privacy and security controls. There is even reduced trust in the government. Just 14% of respondents mentioned they would believe in contact tracing apps given directly by the government. 75% of U.S. citizens mentioned they think their digital privacy would be in danger when COVID-19 contact tracing information was made accessible to the government and authorities.

The letter that 39 state attorneys general signed had raised concerns regarding the different contact tracing apps available in the Google Play and Apple App Store. These apps are usually free to get and use and have in-app ads to make income. Instead of using Google and Apple’s API and Bluetooth for determining possible exposure, the apps rely on GPS tracking.

The state AGs furthermore stated concern that as more and more public health authorities start to release contact tracing apps that utilize the Google and Apple API, it is probable that many more developers will begin launching apps, and those apps may not have the required privacy and security configurations to abide by states’ policies.

Google and Apple were recognized for taking steps to make sure that consumer privacy is secured. NAAG has asked any contact tracing application that is labeled or sold as associated with COVID-19 to be associated with either a municipal, county, state, or federal public health agency, or a hospital or university in America that is working with such public health authorities.

NAAG moreover required Google and Apple to ensure that all COVID-19 contact tracing applications will be taken out from Google Play and the Apple App Store in case they aren’t associated with the above organizations, and for Google and Apple to pledge that all COVID-19 apps will be taken out from Google Play and the App Store as soon as the COVID-19 national public health emergency ends.

Telehealth Set to Stay So Acquire the Right Technology Now

This year, due to the COVID-19 public health emergency, the HHS’ Centers for Medicare and Medicaid Services (CMS) extended the coverage of telehealth service by including all Medicare beneficiaries, no matter location.

Telehealth services remove the obstacles to in-person health care that the COVID-19 pandemic created and enable healthcare practitioners to deliver treatment to patients in their own houses and, in so doing, make patient protection and management of the spread of COVID-19 possible. The widening of coverage is only applicable during the coronavirus public health emergency, though calls have been growing for the expanded CMS telehealth policies to remain after the public health emergency is proclaimed over.

On June 9, 2020, STAT News held a virtual event where CMS Administrator Seema Verma stated she supported the irreversible expansion of having telehealth services. The FTC has additionally weighed, with executives stating their support for the permanent elimination of the geographical rules and ongoing expansion of the types of services that could be offered by telehealth.

On May 21, there were 32 House members who signed a letter recommending the Congress to provide telehealth more time to show itself and asked for the relaxation of telehealth rules to keep going after the COVID-19 emergency period. The extension will make sure that adequate data is gathered to find out which of the new flexibilities ought to be made irreversible.

A lot of providers and patients throughout the United States have availed telehealth services at the time of the public health emergency and telehealth has risen in popularity with health providers and patients alike. It looks possible that telehealth will be here to stay, and virtual consultations will replace in-person care in particular cases.

Telehealth was made considerably simpler for healthcare providers by the HHS’ Office for Civil Rights, which released a notice of enforcement discretion saying that there won’t be penalties and sanctions imposed on healthcare providers for the good faith use of non-HIPAA-compliant communication platforms for delivering telehealth services. That notice of enforcement discretion is only applicable for the duration of the public health emergency, after which healthcare providers will have to use HIPAA-compliant platforms. Any provider that is not yet utilizing a HIPAA-compliant telehealth software must now think about making the change.

One HIPAA-compliant solution that became very popular at the time of the pandemic is TigerTouch from TigerConnect. TigerTouch brings together video, voice, and SMS into one hassle-free mobile and desktop application which permits internal communication between care team members and patient communication by means of the same application. The solution additionally features the sharing of files and medical photos and is completely HIPAA-compliant, so ePHI is securely shared. Healthcare providers that have used the solution report considerable cost savings, better patient care, improved workflow efficiency, and happier staff and patients.

TigerConnect organized a webinar to present the solution and demonstrate how the integrations and telehealth capabilities of the system are helping to better the quality of patient care, boost patient safety, and increase patient satisfaction levels.

New York Accounting Agency Faces Class Action Lawsuit Due to Maze Ransomware Attack

BST & Co. CPAs LLC, a New York accounting agency, encounted a manual ransomware attack in late 2019. Patients who had their protected health information (PHI) stolen as a result of the breach have filed a legal case against the company.

The lawsuit claims that BST & Co. was negligent for its inability to take proper and acceptable steps to avoid the ransomware attack. Further, the firm didn’t issue a timely and accurate notification to patients affected by the breach. The lawsuit additionally claims the company violated its fiduciary duty to secure sensitive patient data and broke state rules associated to deceitful business procedures.

ST & Co. discovered the ransomware attack on December 7, 2019. The attackers used Maze ransomware and exfiltrated an array of information from the firm before file encryption and then threatened that they will publish the information if no ransom was paid. Because no ransom payment was made, the attackers published the sensitive information on its website.

Based on the breach report filed with the Department of Health and Human Services’ Office for Civil Rights, the breach potentially resulted in the compromise of the PHI of 170,000 people, who were mostly Community Care Physicians patients. Although patient information were published on the internet where it was accessible to any person, BST did not send notification letters to patients until February 14, 2020.

On May 27, 2020, the complainants filed the lawsuit in New York’s supreme court and sought class action status. The lawsuit states that BST & Co. deliberately, willfully, recklessly, or negligently did not take sufficient and valid measures to make sure that its data systems were safe against unauthorized attacks and claims it did not have sufficiently robust computer systems and security measures.

The lawsuit additionally claims BST and its employees did appropriately monitor the network, computer system and patient sensitive data. If they had properly addressed that issue, the attack should have been discovered earlier. The lawsuit alleges that because of the company’s failures,  data thieves now have possession of patient information and the identity of patients are at stake.

The lawsuit seeks compensation for damages, refund of out-of-pocket-costs, the provision of enough credit monitoring services, and demands enhancements to be done on the BST’s security systems to avoid other breaches in the future.

Bipartisan Bill Presented to Secure Privacy of COVID-19 Contact Tracing and Exposure Notification Apps

A bipartisan group of Senators presented a bill which seeks to control the use of contact tracing and exposure notification applications for dealing with the spread of COVID-19.

The Exposure Notification Privacy Act is just one of the three bills introduced to control contact tracing applications for the privacy protection of Americans. The other two bills were unable to solicit sufficient support. Hopefully, a bipartisan bill will get a better possibility of being approved.

Technologies in contact tracing and exposure notification are being considered as a means of managing the spread of COVID-19. Both Google and Apple have created the systems necessary for contact tracing through the mobile phone’s low energy Bluetooth. If a user installs a contact tracing application, encounters with another person who has also installed the application will be logged. In case a person is determined to be COVID-19 positive, the logged information in the app will be employed to inform all persons who might be infected because of that individual.

Contact tracing and exposure notification applications are being used in some countries to lessen the spread of COVID-19, however there are risks to personal privacy, which the new bill seeks to resolve.

Sens. Maria Cantwell (D-Washington) and Bill Cassidy (R-Louisiana) introduced the Exposure Notification Privacy Act. The bill is co-sponsored by Amy Klobuchar (D-Minnesota). It seeks to give U.S. citizens the right to control their personal information and at the same time give public health officials the lead in exposure notification development.

The bill calls for the voluntary use of contact tracing and exposure notification applications and developers of the applications must impose options that allow consumers to have strong command with regards to their personal information. The bill restricts the types of information that the application can pick up and the length of time the personal information can be retained.

The apps will only accomplish their purpose if large numbers of people will download the apps. That will only happen if Americans will have confidence that their personal privacy is secured and no personal information will be misused.

The public health agency must be in command of the notification system to protect the personal privacy of people and alert them when they could have been exposed to COVID-19. This bill protects privacy when somebody voluntarily participates to prevent the spread of Covid-19.

The bill regulates the exposure notification systems to permit only medically authorized diagnoses and avoid false reports. The bill demands that the collected personal data using the apps will only be employed for inhibiting the spread of COVID-19. Personal information must never be used for commercial intentions. Besides voluntary participation, the bill will respect the right of Americans to opt-out and demand the deletion of their personal data at any time.

There must be strong security controls to safeguard personal information gathered through the applications and in case of a data breach, the bill requires all affected people to be informed. There will additionally be stringent enforcement procedures to protect consumer rights. Federal and state regulators will have the right to issue financial penalties for violations.

Through the coronavirus crisis, Americans should never have to fret about their confidentiality and security of their personal health information. Although contact tracing can have a crucial role in preventing the spread of COVID-19, this technology cannot be used at the expense of public health privacy.

Class Action Lawsuit Charged Against Aveanna Healthcare Over 2019 Phishing Attack

The healthcare provider Aveanna Healthcare based in Atlanta, GA is facing a class-action lawsuit due to a data breach that took place in the summer of 2019. It is one of the largest healthcare data breaches reported this year affecting 166,000 patients.

Aveanna Healthcare is a provider of healthcare services to grownups and children in 23 states and is the largest service provider of pediatric home care in America. In the summer of 2019, a number of email accounts were exposed in a phishing attack. Aveanna Healthcare found out the attack on August 24, 2019 and quickly protected its email accounts. The investigators confirmed that the email account was first breached on July 9, 2019, allowing the attackers to access protected health information (PHI) for more than 6 weeks.

Emails in the compromised accounts included patient data like names, health information, financial data, passport numbers, Social Security numbers, driver’s license numbers, and other sensitive information. It can’t be confirmed whether the attackers viewed the emails and files. There is no evidence found that suggests the theft of patient information during the attack, but it is possible that the attackers downloaded email data before being shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule mandates the sending of a notification to patients affected by data breaches regarding the exposure of their PHI with no unnecessary delay and within 60 days after discovering a breach. The breached entity must also notify the Department of Health and Human Services’ Office for Civil Rights regarding a breach within 60 days.

Aveanna Healthcare postponed issuing breach notifications to affected patients until 2020. Also, the provider only submitted a breach report to the HHS’ Office for Civil Rights on February 14, 2020, which is more than 5 months following its discovery of the breach.

Over 100 patients affected by the breach were involved in the lawsuit. They claim that Aveanna Healthcare did not send timely announcements, and when the announcements were later sent, they did not make clear what types of information were compromised. Aveanna Healthcare patients asserted that the private personal and healthcare information of patients was kept in a careless manner so information kept in the provider’s systems was susceptible to attack.

The lawsuit alleges that Aveanna Healthcare was informed about the risk to patient data yet did not take sufficient steps to safeguard patient data. The plaintiffs additionally claim Aveanna Healthcare was not appropriately checking computer systems that held patient data. If systems were strictly monitored, it would not have taken 6 weeks to identify the data breach.

The plaintiffs assert they now have to deal with an increased risk of identity theft and fraud because data thieves now have their sensitive data. The lawsuit is seeking nominal and compensatory damages for individuals affected by the breach, repayment of out-of-pocket costs, and injunctive relief.

OIG Set to Audit the HHS COVID-19 Response and Recovery Efforts

The HHS’ Office of Inspector General (OIG) provided a tactical plan for keeping track of the Department of Health and Human Services’ COVID-19 response and recovery work.

OIG is going to assess HHS’ performance of its mandate to ensure the Americans stay healthy and safe, find out if the HHS systems and data are sufficiently protected, check the efficiency of the HHS response, and review the $251 billion funds released to HHS for the COVID-19 response.

OIG is tasked to monitor HHS activities to improve the economy, functionality, effectiveness, and dependability of HHS programs. OIG said that HHS had a big challenge in delivering medical care and human services to Americans because of the COVID-19. Through audits, risk checking, and data analysis, OIG will evaluate the HHS performance of its COVID-19 response and rescue operation.

The HHS has a responsibility to secure the health and wellbeing of the U.S. population in times of a public health emergency such as the COVID-19 crisis and look after beneficiaries that receive services through the HHS programs. OIG will help the HHS in its current COVID-19 response work and in fighting fraud and scams that put the public and HHS beneficiaries at risk.

OIG will look into cases of fraud and partner with law enforcement to protect the public and beneficiaries of HHS. OIG will likewise examine the results of HHS programs and validate how good the needs of the community and beneficiaries were satisfied. Audits and assessments by OIG will include the following:

  • purchases, supervision, and distribution of resources from the Strategic National Stockpile
  • manufacturing, authorization, and supply of COVID-19 tests
  • research work on COVID-19 vaccine and treatments
  • medical care and human services of the HHS

The supervision and enforcement activities of OIG include protecting HHS funds from suspicious activities, squandering and misuse as well as assuring transparent and conscientious spending of HHS. The released $251 billion funding by HHS in May 2020 for the COVID-19 response and recovery work will be reviewed by OIG whether if was managed according to program specifications and reporting requirements. It will look at reports of fraud and abuse that diverted COVID-19 funding from its intended purposes.

Cyberattacks on the HHS and medical organizations increased considerably during the COVID-19 crisis. Nation-states try to obtain sensitive data and intellectual property relevant to SARS-CoV-2 and COVID-19. OIG stated that cybercriminals can target systems used for the COVID-19 response to get sensitive data. It is hence crucial to sufficiently protect the IT infrastructure of HHS, and proactively determine and deal with vulnerabilities.

OIG will also evaluate the ability of the HHS to identify and deal with IT vulnerabilities. It will confirm cybersecurity risks and attacks on the HHS systems. OIG will assist the HHS in creating a secure and robust infrastructure.

Good practices learned {across|during} the COVID-19 pandemic will be used to enhance future HHS programs and get better at preparing for future public health emergencies.

New Data Breach Notification Law in Washington D.C. Takes Effect

The Washington D.C. data breach notification law’s recent changes became effective on May 19, 2020 . The changes announced in March considerably updated present breach notification conditions. Because the classification of data as personal information had a substantial expansion, breach notifications are warranted when the said personal information are subjected to unauthorized access. In addition, there are new data security requirements.

Before the change, it is required to send notifications when a breach involved exposure of personal information like names, telephone numbers, and addresses combined with a driver’s license number, Social Security number, credit/debit card number or DC ID card, or if breached information included numbers and codes that would permit access to credit or finance accounts.

The change added to the list several other data elements. Now, it is required to send breach notifications in case of exposure of any of the data listed below, even if there’s no name but the information may be employed for identity theft:

      • Medical facts
      • Medical insurance data
      • Genetic information and DNA profiles
      • Biometric data
      • Usernames or email addresses combined with a password or security questions with answers that could permit account access
      • Passport numbers
      • Military ID numbers
      • Taxpayer ID numbers
      • Other unique ID numbers issued by the government

The D.C. Attorney General’s office should be informed in case of a breach that involves the information of over 50 D.C. residents. The breached entity must issue notifications without unreasonable delay as much as possible. Just like in the state of California, breach notifications are now required in connection with the compromise of the abovementioned information.

The breached entity should also provide free identity theft protection services for a minimum of 18 months to breach victims when their Social Security numbers or taxpayer ID numbers were exposed.

The update furthermore requires all businesses that gather, retain, or process the personal data of D.C. locals to employ and keep reasonable measures to protect personal data. The policies, procedures, and tactics must show the nature and capacity of the entity. In the event that the entity forms a partnership with third-party companies, there must be a service agreement between the two entities to confirm that the third party has reasonable safety standards to protect the confidentiality, availability and integrity of personal data accessed.

There is no need to send breach notifications if the breach involved encrypted data except if the same can be decrypted. Breach notifications are not necessary as well if the breached entity, together with the D.C. Attorney General, finds low risk of harm.

HIPAA-covered entities that comply with the HIPAA Breach Notification Rule are considered compliant with the new breach notification requirements. However, they still need to inform the D.C. Attorney General in case of a data breach. This also applies to entities covered by GLBA and complies with it.

Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit

The Indiana Court of Appeals reinstated the respondeat superior claim of a patient who sued Parkview Health System Inc. after a medical assistant accessed her medical records and shared the sensitive information with another individual.

Haley SoderVick filed legal action against the Parkview Health System after she was informed that a medical assistant had accessed her medical information and gave the data to her then-husband. The medical assistant’s husband posted a picture on Facebook that SoderVick liked.

SoderVick visited Parkview Health in October 2017 and went through a medical exam in the OB/GYN department. While she was there, the medical assistant, Alexi Christian accessed her medical records.

Christian sent a text to her husband details about SoderVick, saying she was a patient at the medical facility, shared a potential diagnosis, and shared with her husband that SoderVick was a dispatcher. She additionally said to her husband that SoderVick was HIV-positive and had had about 50 sexual partners, even though both statements were false and that information was not taken from her medical document. Christian stated she was concerned her husband may have known Sodervick when she had liked his posting, and wished to know whether her husband, Caleb Thomas, had had a sexual connection with SoderVick.

The SMS were later read by Thomas’ sister who borrowed Thomas’ mobile phone. She notified Parkview Health about the HIPAA violation and forwarded the SMS, which an investigation that resulted in the dismissal of Christian for the HIPAA violation.

After being informed regarding the HIPAA breach, SoderVick filed a case claiming Parkview health was vicariously responsible for the actions of Christian, that the healthcare organization was negligent for not providing proper training and oversight, and alleged Parkview Health violated its statutory and common-law responsibilities of data protection and privacy as mandated by HIPAA.

Parkview Health asked summary judgment on the statements, which were eventually granted. The trial court determined that Christian’s texts to a third party, whether they comprised truthful data or untrue data about SoderVick, obviously fell beyond the extent of her work with Parkview and, so, Parkview is not vicariously responsible for these acts.

SoderVick appealed the respondeat superior claim and got a majority decision of reversal in the Court of Appeals. In its motion for summary judgment, Parkview asserted there was no real issue of material fact regarding whether Christian was performing in the range of her employment. The COA found that there is a real issue of fact on the range of employment concern; particularly, there is a subject of fact as to whether Christian’s behavior was incidental to accepted employment routines. Therefore, the trial court made a mistake in approving summary judgment favoring Parkview on the respondeat superior claim. That portion of the order was reversed, and there was a remand for further proceedings.

Tornado Hit at STAT Medical Record Facility Compromised Patient Medical Records

A peculiar data breach at STAT Informatics Solutions, LLC in Waupaca, WI affected lots of healthcare organizations. STAT is the provider of secure medical records services to a couple of healthcare organizations. The services include scanning and saving of paper files in the medical record systems.

On March 3, 2020, a tornado struck a STAT center located in Lebanon, TN. This caused the sizeable ruin of the building as well as a section of the records retained in the property. STAT sent notifications to all affected clients immediately and personnel from those healthcare organizations visited the area to help find and keep the medical records safe within the building.

To regulate the probability of unauthorized access, STAT built a high fence around the perimeter of the building as they find and secure the medical documents. To keep unauthorized persons from going into the building, two security guards were designated to be on site round the clock.

The majority of the medical documents were acquired from what was left of the building, nevertheless the records were determined to be useless and were safely disposed of.

Although it’s likely that unauthorized individuals have viewed some paperwork connected with patients, there’s no proof that there was unauthorized access. STAT is convinced that patients would have no risk of financial harm. However, as a safety provision, patients whose medical records were kept in the building received breach notification via mail and will have credit monitoring services for free.

The medical records stashed at the STAT center included different types of information such as complete names, birth dates, addresses, Social Security numbers, medical record numbers, nursing and doctor notes, medical photos, diagnoses, laboratory test data, prescribed medications, account numbers, and other information typically listed in medical records.

The healthcare businesses that affirmed being affected by the occurrence are the following:

  • Poplar Bluff Regional Medical Center, MO (1,619 records)
  • Commonwealth Health Moses Taylor Hospital, PA (1,905 records)
  • Commonwealth Health Wilkes-Barre General Hospital, PA (518 records)
  • Bayfront Health Port Charlotte, FL
  • Bayfront Health Punta Gorda, FL

Survey Unveils State of Workplace Safety and Preparedness in Healthcare

Rave Mobile Safety already released the findings of its annual survey of workplace safety and preparedness conducted early this year. The report examines the emergency preparedness level in healthcare and other sectors throughout the United States. It must be taken into account that the survey was held prior to the declaration of the COVID-19 public health emergency, which most probably prompted a change in priorities in a lot of organizations.

Workplace Safety in 2020

The coronavirus pandemic highlighted the importance of effective communication during emergencies, however, the survey indicates other important reasons for enhancing safety and communication in the place of work. The last time the survey was conducted in 2019, 26 respondents reported incidents of violence in the place of work. This year, those who have encountered violence in their place of work has increased twofold.

The survey revealed that employees are now more conscious about safety. 58% of survey participants mentioned they would submit a safety issue report in the workplace irrespective of whether it could be done anonymously or not; nonetheless, 41% of Gen Z and millennials would just report safety issues when it is done anonymously. This indicates that 18-29-year olds are worried that voicing safety issues would have negative effects.

Although the majority of employers have designed emergency programs, many aren’t performing drills. For instance, 76% of companies have emergency plans for dreadful weather situations, but only 40% performed drills to practice their response in case of an event, although 48% of survey respondents said they had encountered a severe weather condition in the past year. The majority of organizations have created emergency programs for cyberattacks, however, 51% of survey respondents stated drills were not performed to test out those plans. Nearly 30% of employees were uncertain or not aware of their employer’s emergency plans. The least informed were the 18-29-year olds.

Emergency Communications

The variety of methods employed to communicate with workers in emergency cases has grown in 2020. Email continues to be the most popular means of communication and 63% of organizations use it to communicate crisis facts, however, communication means such as mass text messaging have gone up in popularity. Mass texting is currently used by 42% of firms represented in the survey, even though many still depend on out-of-date communication tactics like in-person announcements, which leave out remote workers.

The survey showed that employers are likely to stay with dated communication methods, although employees would like to receive notifications regarding safety and security using a more speedy and easily accessible system, like mass SMS.

Emergency Communication in the Health Industry

The survey disclosed a substantial percentage of healthcare workers were not aware of emergency plans for events like system failures (22%) and active shooters (16%). Whenever there are emergency cases, email was the most frequent way of communication, employed by 65% of healthcare organizations. Intercom systems were additionally frequently used (50%) together with in-person announcements (44%). Although these may be useful on site, they are not effective for speaking with remote workers, who would prefer to get notifications through text message, but only 41% of healthcare companies are using mass text message notifications in emergency conditions. The survey additionally revealed gaps in safety protocols, with 80% of healthcare employees not required to do a safety check-in when working off-site.

The full results of the Annual Workplace Safety and Preparedness Study is available on this link.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago fired an employee for incorrectly accessing the medical records of patients without authorization for 15 months.

The hospital identified the privacy violations on March 5, 2020 and immediately terminated the employee’s access to hospital systems while conducting the investigation. After going over access logs, the hospital discovered that the employee had viewed the medical records of 4,824 patients without permission from November 2018 to February 2020.

The worker accessed the following types of information: names, dates of birth, addresses, diagnoses, prescribed medicines, visits, and medical procedures. There was no health insurance details, financial data, or Social Security numbers accessed.

There was no reason given as to why the employee accessed the medical records. But the hospital states it believes the employee did not acquire, misuse, or disclose the information to anybody else. The hospital also stated the employee is no longer employed at the hospital.

This is not the first data breach of its type to happen at Lurie Children’s Hospital. There was a similar incident discovered in November 2019. That time, the hospital discovered that a previous employee accessed patient medical records without permission from September 2018 to September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Recently, Mercy Health also took action against an employee for alleged violations of the HIPAA Privacy Rule. Hackley Hospital in Muskegon, MI terminated a nurse on April 3, 2020. The termination happened shortly after the nurse brought up concerns in media interviews regarding the hospital’s level of preparedness for the COVID-19 crisis and how the alleged insufficiency of preparedness put safety at stake. The nurse called the Michigan Nurses Association Labor Union, which said that Mercy Health dismissed the nurse for talking publicly. The Labor Union additionally filed a case with the National Labor Relations Board.

A Labor Union press release issued on April 21, 2020 stated that the termination of Howe on April 3 happened after he had publicly raised concerns concerning the shortage of suitable PPE and the need for improving the screening procedures to protect the nurses and healthcare workers during the COVID-19 pandemic.

10 days following the nurse was dismissed, and one day after the Labor Union’s press release, Mercy Health made a press release stating that the nurse was dismissed because of multiple violations of HIPAA Rules. Mercy Health stated it does not normally share information about job concerns related to its workers but was forced to speak out because of the “misinformation campaign” started by the Labor Union.

Mercy Health states that the nurse, Justin Howe, was dismissed for accessing the medical records of patients over a period of a couple of days. The records were not for patients getting treatment at the area where Howe worked and there was no legit work reason for using those data. Mercy Health states that Howe was not the only nurse dismissed for the improper access of medical records.

As per Mercy Health’s press release, the hospital is monitoring inappropriate access to privileged records. Mr. Howe and others were fired for the same. This investigative effort is still in the works.