HITECH

Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , ,

Cybersecurity Attack on Anthem, Inc. Highlights the Cybersecurity Risks for All Companies Handling Electronic Medical Records

Posted by Gregory M. Fliszar on February 09, 2015
cyberattacks, cybercriminals, cybersecurity, FBI, Healthcare, HIPAA, HITECH / No Comments

Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29th and contacted the FBI, which has started an investigation into the matter.

Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”

Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers and it is likely that more suits will follow. In addition to the FBI’s investigation into attack, Attorney Generals in New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.

The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.

If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at [email protected].

Gregory M. Fliszar

Gregory M. Fliszar

Greg Fliszar is member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.

More Posts - Website

“LoProCo”, 12,915 Complaints, and Other Lessons from OCR/NIST

Posted by Ryan Blaney on September 26, 2014
ACA, CMS, HHS, HIPAA, HITECH, Privacy / No Comments

 

12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”) according to Illiana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement.  Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014.  The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”).  Below are a few discussion points worth mentioning from the conference:

  • Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting less than 500 individuals.
  • According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities and business associates’ laptops and mobile devices.
  • Theft and loss continues to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
  • Since 2009, consumer complaints regarding HIPAA violations continue to rise.
  • Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
  • Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
  • Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security, inadequate physical and technical safeguards is not acceptable.
  • OCR expects that covered entities and business associates will be familiar with recent corrective actions, resolution agreements such as Parkview, NYP/Columbia, Concentra, QCA, Skaget County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.

Continue reading…

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , , , , , ,

CMS and ACOs: A Busy Summer and a Busier Fall

Posted by Chris Raphaely on August 05, 2014
ACA, Accountable Care Organizations, Affordable Care Act, HIPAA, HITECH, Medicare, Privacy / No Comments

 

It has been a busy summer so far for the Centers for Medicare & Medicaid Services (CMS) with respect to Accountable Care Organizations (ACOs), as the agency has proposed altering the quality reporting measures under the Medicare Shared Savings Program (“MSSP”) for 2015 and beyond.  Expect an even busier fall as other, potentially broader, proposed rule changes for ACOs are analyzed by the Office of Management and Budget (OMB) and both sets of proposals wind their way through the public comment process.

The proposed changes concerning quality reporting would revise and update the measures used to evaluate MSSP ACOs’ performance. Overall, the CMS says it would like to focus more on outcome-based measures (as opposed to process-based measures), reduce duplicative measures, and reflect current clinical practices without increasing ACO’s reporting burden.

More specifically, the CMS proposes to add 12 new measures and remove eight, which would increase the total number of quality measures from 33 to 37. The new measures relate to “avoidable” admissions for patients with multiple chronic conditions, heart failure, and diabetes; depression readmission; readmissions to skilled nursing facilities; patient discussion of prescription costs; and updated composite measures for diabetes and coronary artery disease.

The CMS would like to modify the scoring system to award bonus points toward shared savings to ACOs that make year-over-year improvements on individual measures. Moreover, the agency would like to modify its benchmarking methodology to use flat percentages to establish the benchmark for a measure when the national FSS data results in the 90th percentile being greater than or equal to 95 percent. And, finally, the CMS proposes several ways to align MSSP reporting requirements with other reporting programs, including Medicare’s Electronic Health Records Incentive Program and the Physician Quality Reporting System.

Fewer details are available about the next set of proposed rules changes, which were submitted to OMB on June 26 and will be printed in the Federal Register after review. It is expected that these regulations will include changes to the MSSP’s payment provisions. The proposed changes would apply to existing ACOs and approved ACO applicants starting January 1, 2016. As soon as the text of the rule becomes publicly available, the Health Law Informer will provide more information.

Chris Raphaely

Chris Raphaely

R. Christopher Raphaely joined Cozen O'Connor's Philadelphia office in 2014 as co-chair of the Health Care Practice Group. Chris joins the firm from Jefferson Health System, where he served as deputy general counsel and general counsel to the system’s accountable care organization and captive professional liability insurance companies.

More Posts

Tags: , , , , ,

Recent OCR Reports Illustrate Past and Future Compliance and Enforcement Efforts

Posted by Ryan Blaney on July 29, 2014
HIPAA, HITECH / No Comments

Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?

Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report).  In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012. Continue reading…

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , , , , ,

THE CLOCK IS TICKING: Covered Entities, Business Associates and Subcontractors Have Until September 23, 2013 to comply with Updated HIPAA Regulations

Posted by William P. Conaboy Jr. on June 27, 2013
HIPAA, HITECH / No Comments

As we’ve discussed in previous articles,[1] and as you are no doubt aware by now, the Health Insurance Portability and Accountability Act (HIPAA) recently received a significant facelift.  In addition to extending direct liability to business associates and subcontractors, the updated HIPAA regulations (Updated Regulations), which were authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH), contain many new provisions to address growing privacy concerns for the increasing amount of protected health information (PHI) stored on electronic media.  Covered entities and their business associates and subcontractors must comply with the Updated Regulations by September 23, 2013.  In order to help you prepare for the September 23, 2013 compliance deadline, this article (1) explains the difference between two important compliance deadlines contained in the Updated Regulations, (2) suggests a 5-step process to efficiently update and/or create compliant HIPAA policies and procedures, and (3) discusses a few observations we’ve made as we’ve helped our clients prepare for the September 23, 2013 compliance deadline. Continue reading…

William P. Conaboy Jr.

William P. Conaboy Jr.

Bill Conaboy is an associate in the firm’s Healthcare Law Group. Prior to working with the firm Bill earned a Doctor of Pharmacy degree (Pharm D), and is currently a licensed pharmacist and attorney in both Pennsylvania and New Jersey. Bill focuses on regulatory and litigation matters related to many areas of healthcare law.

More Posts - Website

Follow Me:
TwitterLinkedIn

Tags: , , , ,

Highlights of the Omnibus HIPAA/HITECH Final Rule

Posted by Kate Layman on March 12, 2013
Affordable Care Act, HIPAA, HITECH / No Comments

On January 25, 2013, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) published the long-awaited omnibus final regulation governing health data privacy, security and enforcement (Omnibus Rule).[i]  The Omnibus Rule is a group of regulations that finalizes four sets of proposed or interim final rules, including changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act[ii] and proposed in 2010;[iii] changes to the interim final breach notification rule;[iv] modifications to the interim final enforcement rule; and implementation of changes to the Genetic Information Nondiscrimination Act of 2008 (GINA).  The Omnibus Rule goes into effect on March 26, 2013, and compliance is required by September 23, 2013.  As expected, the Omnibus Rule did not finalize the May 31, 2011 proposed regulation regarding accounting for disclosures. Continue reading…

Kate Layman

Kate Layman

Kate Layman is a member of the firm and practices in the Health Law Group. Her practice includes compliance and regulatory advice, often in connection with ongoing litigation or transactions. Kate has significant experience in HIPAA and related privacy issues as well as application of the Medicare Secondary Payer Act with respect to non-group health plans.

More Posts - Website

Tags: , , , , , ,

Taking Aim in 2013: The Government Points Two Barrels at Preventing and Punishing Healthcare Fraud and Abuse

Posted by William P. Conaboy Jr. on November 16, 2012
Affordable Care Act, Fraud and Abuse, HIPAA, HITECH, Medicaid, Medicare / No Comments

A few weeks ago we posted on this Blog an article highlighting the “gathering storm” surrounding HIPAA enforcement and predicted an ominous future for hospitals and other providers who fail to develop and maintain adequate HIPAA compliance policies.  While there is no doubt the future is bleak for those unwilling to abide by HIPAA’s mandate, the forecast for providers who commit healthcare fraud is equally devastating.  This is because, in 2013, the federal government will attack healthcare fraud from two angles. First, the Office of Inspector General (“OIG”), per the terms of its 2013 Work Plan (“Work Plan”), will review many of the government’s anti-fraud efforts to maximize recovery of Medicare and Medicaid overpayments.  Second, many of the new anti-fraud provisions in the Affordable Care Act (“ACA”) will kick into high gear now that the result of the presidential election has guaranteed the law’s survival. Continue reading…

William P. Conaboy Jr.

William P. Conaboy Jr.

Bill Conaboy is an associate in the firm’s Healthcare Law Group. Prior to working with the firm Bill earned a Doctor of Pharmacy degree (Pharm D), and is currently a licensed pharmacist and attorney in both Pennsylvania and New Jersey. Bill focuses on regulatory and litigation matters related to many areas of healthcare law.

More Posts - Website

Follow Me:
TwitterLinkedIn

Tags: , , , , ,

HIPAA Enforcement – The Gathering Storm Has Arrived

Posted by Gregory M. Fliszar on October 16, 2012
HIPAA, HITECH, Medicaid, Medicare / No Comments

Since the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules became effective in April 2003, there has been minimal enforcement activity by the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”).   However, this has changed dramatically over the last two years, as evidenced by some recent high-profile and high-penalty enforcement actions taken by OCR.  In addition to being concerned about OCR investigations, moreover, covered entities and business associates must also be on the alert for enforcement actions by state Attorney Generals, potential class action lawsuits, and OCR’s HIPAA audit program. Continue reading…

Gregory M. Fliszar

Gregory M. Fliszar

Greg Fliszar is member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.

More Posts - Website

Tags: , , ,