MedStar, a Washington, D.C.-area hospital chain, became the latest healthcare industry victim of a cyber-attack when hackers breached its systems with a crippling virus. MedStar operates 10 hospitals in the D.C./Baltimore region, employs 30,000 staff, has 6,000 affiliated physicians, and serviced more than 4.5 million patient visits in 2015.

After being paralyzed by the virus, MedStar’s entire IT system for its 10 hospitals was forced to shut down and revert to paper records. The chain’s approximately 35,000 employees do not have access to emails and cannot look up digital patient records in the attack’s wake. The FBI is assisting the chain by investigating the incident. It’s unclear at the moment whether or not the hackers are demanding ransom from MedStar in exchange for removing the virus.

Monday’s cyber-attack at MedStar comes weeks after Hollywood Presbyterian Medical Center in Los Angeles paid hackers 40 bitcoins, or about $17,000, to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hackers increasingly target healthcare entities as security protections in healthcare often lag behind those in banking and financial sectors. Healthcare information contains a treasure trove of patients’ personal information, and a complete healthcare record is worth at least ten times more on the black market than credit card information. Also, hospitals are considered critical infrastructure that cannot reasonably be closed or incapacitated for any great length of time, and so may be more inclined to bowing to hackers’ demands for ransom.

This latest attack just goes to show the importance of cybersecurity at hospitals and other healthcare entities. In addition to the recent Hollywood Presbyterian Medical Center attack, data breaches and cyber-attacks have also recently occurred at Excellus Blue Cross Blue Shield, UCLA Health System, Premera Blue Cross, and Anthem Inc.

For more information, please contact Dana Petrillo, or another member of Cozen O’Connor’s Health Law team.

On July 23, 2015, the Third Circuit invalidated, as being contrary to the Medicare statute, the U.S. Department of Health and Human Services’ (HHS) Medicare wage index “reclassification rule,” 42 C.F.R. § 412.230(a)(5)(iii). That rule was designed to prevent (and did prevent) urban hospitals that had strategically reclassified as being rural from being reclassified again (based on their newly acquired rural status) to a particular urban area, to benefit from a higher Medicare standardized amount and wage index.

In Geisinger Community Medical Center v. Secretary United States Department of Health and Human Services, the hospital first reclassified, successfully, as a Section 401 hospital (i.e., an urban hospital that elects to be treated as rural). It then sought to reclassify, based on its newly acquired rural status, to the Allentown urban wage index area. The hospital estimated that such a reclassification would increase its Medicare reimbursements by approximately $2.6 million per year. The Allentown urban area is 27 miles from the hospital. To be reclassified to that area, the hospital had to rely on the relaxed 35 mile maximum distance applicable to rural hospitals; it would not qualify under the maximum 15 mile distance applicable to urban hospitals. The reclassification rule, however, prohibited Section 401 hospitals from reclassifying based on their acquired rural status.

The Third Circuit panel majority, under a Chevron Step One analysis, agreed with the hospital that HHS’ reclassification rule is unlawful. It specifically held that the statutory text of Section 401 unambiguously requires HHS, through broad and mandatory language, to treat Section 401 hospitals like hospitals that are actually located in rural areas. The reclassification rule, therefore, unlawfully prevented the Section 401 hospital from being considered as a rural hospital in its application to reclassify to a different wage index area.

Non-profit hospitals, and other owners of tax exempt properties in Philadelphia, must certify as to their eligibility for continued property tax exemption with Philadelphia’s Office of Property Assessment (OPA) by March 31, 2015.  Click here to view a Tax Alert on this issue.  With its deep experience in state and local tax issues, Cozen O’Connor is ready to help affected organizations navigate the complexities of the certification process.