MedStar, a Washington, D.C.-area hospital chain, became the latest healthcare industry victim of a cyber-attack when hackers breached its systems with a crippling virus. MedStar operates 10 hospitals in the D.C./Baltimore region, employs 30,000 staff, has 6,000 affiliated physicians, and serviced more than 4.5 million patient visits in 2015.

After being paralyzed by the virus, MedStar’s entire IT system for its 10 hospitals was forced to shut down and revert to paper records. The chain’s approximately 35,000 employees do not have access to emails and cannot look up digital patient records in the attack’s wake. The FBI is assisting the chain by investigating the incident. It’s unclear at the moment whether or not the hackers are demanding ransom from MedStar in exchange for removing the virus.

Monday’s cyber-attack at MedStar comes weeks after Hollywood Presbyterian Medical Center in Los Angeles paid hackers 40 bitcoins, or about $17,000, to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hackers increasingly target healthcare entities as security protections in healthcare often lag behind those in banking and financial sectors. Healthcare information contains a treasure trove of patients’ personal information, and a complete healthcare record is worth at least ten times more on the black market than credit card information. Also, hospitals are considered critical infrastructure that cannot reasonably be closed or incapacitated for any great length of time, and so may be more inclined to bowing to hackers’ demands for ransom.

This latest attack just goes to show the importance of cybersecurity at hospitals and other healthcare entities. In addition to the recent Hollywood Presbyterian Medical Center attack, data breaches and cyber-attacks have also recently occurred at Excellus Blue Cross Blue Shield, UCLA Health System, Premera Blue Cross, and Anthem Inc.

For more information, please contact Dana Petrillo, or another member of Cozen O’Connor’s Health Law team.

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016 OCR followed by announcing that Feinstein Institute for Medical research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed lead to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that Continue reading…

In August 2012, a Physician Group—comprising of nearly 20 physicians—reported its HIPAA breach to HHS, which resulted from a laptop bag containing the employee’s laptop and a computer server backup being stolen from an employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.

Although stolen laptops and lack of encryption is nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:

•  The Physician Group did not conduct “an accurate and thorough” risk assessment;
•  The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
• This is a notable fine for a Physician Group of less than 20 physicians.

For more information regarding this incident and HIPAA compliance, including the importance of encryption and risk assessments, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients.   After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.

12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”) according to Illiana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement.  Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014.  The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”).  Below are a few discussion points worth mentioning from the conference:

• Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting less than 500 individuals.
• According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities and business associates’ laptops and mobile devices.
• Theft and loss continues to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
• Since 2009, consumer complaints regarding HIPAA violations continue to rise.
• Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
• Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
• Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security, inadequate physical and technical safeguards is not acceptable.
• OCR expects that covered entities and business associates will be familiar with recent corrective actions, resolution agreements such as Parkview, NYP/Columbia, Concentra, QCA, Skaget County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.

Continue reading…

Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?

Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report).  In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012. Continue reading…

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not the only government arm that enforces data breaches. The Federal Trade Commission (FTC) has broad authority to regulate the security of consumer information and hold companies liable for a failure to use adequate data security practices. In August 2013, the FTC targeted LabMD, a medical testing laboratory, which maintains personal financial and health information for nearly one million consumers. The FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which resulted in the data of thousands of consumers being leaked on to the peer-to-peer file-sharing network LimeWire, the black-market and in the hands of illegal data brokers.

Until recently the FTC enforced its breach authority under the Act without pushback, so a company facing allegations would simply settle. However, LabMD became the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority). LabMD attempted to stop the investigation by filing appeals to federal district and appellate courts and the FTC. The appeals were based primarily on two arguments: (i) the FTC does not have the statutory authority to set data security standards for companies; and (ii) LabMD is already subject to the OCR’s enforcement authority under HIPAA’s security regulations, so it should not also be subject to the FTC’s enforcement authority.

Despite LabMD’s best efforts, two Eleventh Circuit judges refused to intervene before the FTC issued its final order, the FTC rejected LabMD’s motion to dismiss and it moved forward with the administrative proceedings. However, LabMD continues to fightback. Recently, LabMD filed a motion to dismiss with the FTC, and contended that the FTC had not proven that the data breach caused injury, specifically, that it did not present evidence that there was substantial harm or likely to be substantial harm to consumers as a result of the breach.

During trial, Michael Daugherty, CEO of LabMD, testified that the effect of the FTC’s allegations and subsequent probe has placed the company in a “very deep coma” and that he “can’t understate how damaging and confusing and sideswiping [the matter is] to the attitude, energy and morale of [LabMD’s] management staff.”

Interestingly, the trial has been on recess since May 30 when the administrative law judge delayed the proceeding until June 12 in response to an announcement that the House Committee on Oversight and Government Reform was investigating Tiversa Inc., the cyber-intelligence firm that played a central role in the FTC’s case against LabMD. In a separate lawsuit, LabMD is alleging that Tiversa provided the FTC with patient information files that it stole from LabMD.

When trial resumes on June 12, the focus will continue to be on whether LabMD’s data security standards that it used to protect consumers’ personal information were reasonable. It will be interesting whether developments from the Tiversa investigation impact the outcome of the trial. For more information about this proceeding go to the FTC website.

Practice Tip: Ensure that your security policies and procedures are being implemented and followed in accordance with HIPAA security requirements because inadequate security safeguards may lead to enforcement actions by the OCR and the FTC.

A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.

Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”

In order to promote transparency, the Commission recommended that Congress consider legislation:

– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.

– Requiring data brokers to clearly disclose to consumers that they not only use raw data (such as a person’s name, address, age, and income range), but that they also use data they derive with that information.

– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if they need to correct their data with an original public record source; require data brokers to allow consumers to correct erroneous information in their private databases.

– Mandating that consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

More generally, the Commission called on the data broker industry to adopt several best practices:

– Implement privacy-by-design, considering privacy issues at every stage of product development.

– Refrain from collecting information from children and teens, particularly in marketing products.

– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled for the collective amount of $1,975,220 with Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA). The settlements stem from OCR investigations in 2011 and 2012 related to each of the companies reporting a single stolen laptop; Concentra also had a laptop stolen in 2009.

In its press release, HHS stated that after further investigating Concentra it found that Concentra was aware prior to the most recent laptop theft that not all of its laptops, desktop computers, medical equipment, tablets and other devices that contained ePHI were encrypted. But despite Concentra’s discoveries as a result of risk analyses that it had conducted, it failed to remedy the critical risks and did not encrypt all of the devices. OCR also found that Concentra had insufficient security management processes. OCR’s investigation of QCA revealed that in addition to the unencrypted laptop, QCA failed to comply with numerous HIPAA privacy and security requirements for several years.

Susan McAndrew, OCR’s Deputy Director of Health Information Privacy, reiterated the significance of encryption and the obligations of covered entities and business associates to adequately secure mobile devices when she stated that OCR’s message to covered entities and business associates is simple: “encryption is your best defense against these incidents.” Ms. McAndrew’s statement is significant and a shift from the view that although security is an obligation, encryption is not required under the HIPAA Security Rule. In light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices. In light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices.

Concentra has agreed to pay HHS a monetary settlement of $1,725,220 and QCA has agreed to pay $250,000. Both entities have also agreed to each undertake a corrective action plan (CAP),  which CAPs include risk analyses, development of risk management plans, policy and procedure revisions, staff training and certification of staff training. Concentra’s CAP contains more onerous requirements, including the continued submission of additional documents, reports and encryption status updates to HHS. Concentra’s CAP may be more extensive than QCA’s because it already had a laptop that contained ePHI stolen in 2009 and because it failed to remedy the encryption issue it discovered during the risk analyses it performed prior to the second laptop being stolen. OCR also noted that QCA did encrypt its devices after the laptop was stolen and it discovered the breach.

For more information about the settlements and the CAPs, see the Concentra Resolution Agreement and the QCA Resolution Agreement.

Practice Tip: Audit your encryption policies and practices for all mobile devices to adequately secure your company’s mobile devices.