Full Service Law Firm in Mt. Laurel Township, NJ | Capehart Scatchard

Cyber security

The Attorney General of New Jersey and the New Jersey Division of Consumer Affairs (“Division”) have announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians affiliated with more than fifty southern New Jersey medical and surgical practices, has agreed to pay over $400,000 and enter into a corrective action plan, to resolve allegations by the Division related to a vendor’s data breach. The Attorney General, in its capacity as enforcer of both the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA), alleged that VMG failed to conduct a thorough analysis of the risk to the confidentiality of electronic protected health information (“ePHI”) sent to its third-party vendor and that its failure to implement security measures to reduce that risk violated HIPAA’s Security Rule.

The third-party vendor, a Georgia medical transcription service, subcontracted the work to a company in India. While updating software, the subcontractor unintentionally misconfigured a web server serving a password-protected File Transfer Protocol website ("FTP Site"), allowing the FTP Site to be accessed without a password. As a result, the transcriptions became publicly available via a Google search of terms contained within them. Even after the password protection was restored, Google retained cached copies of the files, which remained publicly accessible on the Internet until they were removed over one month later. VMG apparently had a HIPAA Business Associate Agreement in place that required the Georgia transcription service to bind its subcontractors to the same terms and to notify VMG of any security incidents. But VMG was unaware of the India subcontractor and was not advised of the security incident within the contractual timeframe.

The Division alleges that, at the time of the incident, VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the breach, including:

  • Failing to implement a workforce security awareness and training program;
  • Delaying in identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome;
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of the electronic PHI maintained on the FTP Site;
  • Improperly disclosing the PHI of its patients; and
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The Division also alleged that the public exposure of the ePHI of at least 462 patients (ultimately VMG notified over 1,500 potentially affected patients), and VMG’s violations of HIPAA, constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. See the Division press release here.

Medical practices and other healthcare providers that are covered entities under HIPAA should take heed. Although it was a third-party vendor that caused the breach, VMG was held accountable by the Division because it was VMG's patient data and VMG's responsibility to protect it, and because the Division's position was that VMG should have conducted a risk assessment of its Business Associate and implemented the necessary safeguards. Another warning: it could be the State Attorney General, not the federal Office for Civil Rights, who investigates and prosecutes you for HIPAA violations, whether yours or those of your vendors. As the Division Director has warned: "This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well."
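Two of the allegations above are about visibility: nobody noticed that the password requirement had silently stopped being enforced, and no log of accesses to the FTP Site was kept. Ordinary web server access logs in the Apache/nginx "combined" format are enough to catch both, because the third field of each line records the authenticated user (a "-" when there was none) and the user-agent field identifies search-engine crawlers. The following script is an added example written for this post, not code from the firm, VMG or its vendors; the path `/transcriptions/` and the five log lines are constructed for illustration, and the crawler pattern is a minimal one.

```python
"""Audit access logs for a path that is supposed to require a password.

Added example (not from the Capehart post or the VMG matter).  Assumptions:
  - logs are in Apache/nginx "combined" format;
  - the protected content lives under PROTECTED_PREFIX;
  - the sample lines below are constructed, not real traffic.
"""
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PROTECTED_PREFIX = "/transcriptions/"           # assumption: where the dictation files are served
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandex", re.I)

# Constructed sample: one authenticated read, one correctly rejected anonymous
# request, then a Googlebot crawl and a visitor arriving from a Google result
# after the password check stopped being enforced.
SAMPLE_LOG = """\
203.0.113.7 - jdoe [14/Jan/2018:09:02:11 -0500] "GET /transcriptions/note-1042.docx HTTP/1.1" 200 48120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2018:09:05:40 -0500] "GET /transcriptions/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
66.249.66.1 - - [15/Jan/2018:02:17:03 -0500] "GET /transcriptions/ HTTP/1.1" 200 9211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [15/Jan/2018:02:17:05 -0500] "GET /transcriptions/note-1042.docx HTTP/1.1" 200 48120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [16/Jan/2018:11:40:22 -0500] "GET /transcriptions/note-1043.docx HTTP/1.1" 200 50322 "https://www.google.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text, prefix=PROTECTED_PREFIX):
    """Count accesses to the protected path and flag the two conditions that
    indicate the password requirement is not being enforced:
      - a 2xx response with no authenticated user (remote-user field is '-');
      - a 2xx response to a search-engine crawler (content is about to be indexed).
    """
    report = {
        "total": 0,                  # the per-access count HIPAA expects you to retain
        "per_day": Counter(),
        "unauthenticated_2xx": [],
        "crawler_hits": [],
        "first_exposure": None,      # earliest anonymous 2xx: start of the incident window
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        report["total"] += 1
        day = rec["ts"].split(":", 1)[0]          # "15/Jan/2018" from "15/Jan/2018:02:17:03 -0500"
        report["per_day"][day] += 1
        ok = rec["status"].startswith("2")
        if ok and rec["user"] == "-":
            report["unauthenticated_2xx"].append((rec["ip"], rec["path"]))
            if report["first_exposure"] is None:
                report["first_exposure"] = rec["ts"]
        if ok and CRAWLER_UA.search(rec["ua"]):
            report["crawler_hits"].append((rec["ip"], rec["path"]))
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    print(f"{r['total']} requests to {PROTECTED_PREFIX}; first anonymous success at {r['first_exposure']}")
    for ip, path in r["unauthenticated_2xx"]:
        print("unauthenticated 2xx:", ip, path)
    for ip, path in r["crawler_hits"]:
        print("crawler fetched protected content:", ip, path)
```

Run daily against the previous day's log and alert on any non-empty `unauthenticated_2xx` or `crawler_hits`; a crawler hit is the signal that you also need to request removal of the cached copies, since restoring the password alone does not clear the search engine's index.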

Third-party risk in the HIPAA realm is a focus of the upcoming free seminar: "Practical Steps and Expert Advice to Consider When Implementing an Enterprise Risk Management Plan – Financial Management and Human Resources," being held on Thursday, April 26th at the Indian Cultural Center in Marlton, New Jersey.

In a future that has become more ambiguous than ever, some things are certain. Businesses, including health care entities, will increasingly rely on data and technology in order to conduct their business.  Data containing personal information will continue to be valuable.  The risk of liability for those holding that data will remain, whether the enforcer is at the federal or state level in a regulatory action, or a private citizen filing suit.  Safeguarding data against cyber-attacks and other impermissible disclosures must continue to be a priority for those who use and share data.

In the healthcare world, HIPAA compliance is key.  An example is the November 22nd settlement between the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the University of Massachusetts Amherst (UMass). The settlement includes a corrective action plan and a monetary fine of $650,000 (which would have been more had UMass not been operating at a financial loss in 2015). The trigger for the enforcement action was a UMass workstation that became infected with a malware program, resulting in the wrongful disclosure of electronic protected health information (ePHI) of 1,670 individuals. The malware was a generic remote access Trojan that infiltrated the UMass system, providing unauthorized access to ePHI because UMass did not have a firewall in place.  OCR’s investigation found that UMass failed to conduct an accurate and thorough security risk analysis, failed to have adequate policies and procedures in place, and failed to implement technical security measures.

For healthcare entities and those who handle their data, HIPAA compliance not only is required by law, it is still the most certain way to protect against, prepare for, respond to, and mitigate the effects of a cybersecurity incident.

On Tuesday, December 13, 2016, from 7:30 a.m. to 12:30 p.m., Denise L. Sanders, Esq., will participate in the seminar “Cybercrime:  Facts, Threats, and Countermeasures,” held at Rowan University and hosted by Avasek.  The seminar includes presentations by Mike Geraghty, Director, NJ Cybersecurity & Communications Integration Cell; Philip Frigm, Supervisory Special Agent, FBI Newark Division; and Lt. Cy Bleistine, NJ State Police, Cyber Crimes Unit; along with David Humphreys, Avasek.  As part of an expert panel, Ms. Sanders will address HIPAA and HITECH compliance by healthcare providers facing cybersecurity threats.  To register, please click here.

Ransomware.  It’s in the headlines, but what is it?  Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) provided a layperson’s description:

Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

The description is included in a Fact Sheet on Ransomware and HIPAA (the Health Insurance Portability and Accountability Act), containing OCR’s guidance to healthcare entities on how to guard against ransomware and how to respond to a ransomware attack. The Fact Sheet notes that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily ransomware attacks reported in 2015.  And these are only the reported attacks.

The Fact Sheet provides extensive and detailed guidance on how entities subject to HIPAA should be protecting against ransomware. If safeguards have been put in place as required by HIPAA, ransomware should be less likely to occur and less likely to be devastating to an entity.  But of note in the guidance is the discussion of what else ransomware can be—a breach.  Specifically, a breach of protected health information (PHI) that must be reported as required under applicable law.

The scenario set forth by OCR is a laptop protected by full disk encryption that is powered on and in use by an authenticated user, who then performs an action (clicks a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware. If full disk encryption is the only encryption protecting the PHI, any file the ransomware reads is transparently decrypted by the full disk encryption layer, because that layer decrypts for every process on the unlocked volume; the ransomware therefore gets the PHI with the same access the user has.

Because the file containing the PHI was decrypted and thus constituted “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.  In that case, the victimized entity must conduct the required assessment to determine if breach notification must be provided to all affected persons and to applicable authorities.
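The distinction OCR is drawing is between encryption of the disk and encryption of the data. The simulation below is an added example written for this post, not code from OCR's fact sheet; it models an unlocked FDE volume, a "ransomware" routine that runs with the user's privileges, and a second copy of the same record encrypted at the application layer with a key the volume never holds. The record, paths and keys are constructed, and the cipher is a SHA-256 keystream XOR used only so the example runs on the standard library; it stands in for a real authenticated cipher and is not suitable for production.

```python
"""Why full disk encryption alone leaves PHI 'unsecured' against ransomware.

Added example; not from the OCR fact sheet or the Capehart post.  Assumptions:
  - EncryptedVolume models FDE: ciphertext on disk, transparent decryption once unlocked;
  - ransomware() runs inside the logged-in user's session, like a clicked attachment;
  - keystream_xor() is a TOY cipher (SHA-256 counter keystream) standing in for AES-GCM.
"""
import hashlib
import os

PHI = b"Patient: Jane Doe; DOB 1970-01-01; Dx: hypertension"   # constructed sample record


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Symmetric, so the same call encrypts and decrypts.  Illustration only."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class EncryptedVolume:
    """Full disk encryption: sectors hold ciphertext, but once the volume is
    unlocked every read by every process is decrypted transparently."""

    def __init__(self, volume_key: bytes):
        self._key = volume_key
        self._disk = {}              # path -> (nonce, ciphertext) as stored on disk
        self.unlocked = False

    def unlock(self, volume_key: bytes) -> bool:   # pre-boot / login authentication
        self.unlocked = volume_key == self._key
        return self.unlocked

    def list(self):
        return list(self._disk)

    def write(self, path: str, plaintext: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("volume locked")
        nonce = os.urandom(16)
        self._disk[path] = (nonce, keystream_xor(self._key, nonce, plaintext))

    def read(self, path: str) -> bytes:
        if not self.unlocked:
            raise PermissionError("volume locked")
        nonce, ct = self._disk[path]
        return keystream_xor(self._key, nonce, ct)   # transparent decryption for ANY caller

    def raw_sectors(self, path: str) -> bytes:
        """What a thief sees with the laptop powered off: ciphertext only."""
        return self._disk[path][1]


def ransomware(vol: EncryptedVolume, attacker_key: bytes) -> dict:
    """Runs as the authenticated user: reads every file through the unlocked
    volume (so FDE hands it plaintext), then overwrites each file with a copy
    encrypted under the attacker's key.  Returns what it was able to read."""
    seen = {}
    for path in vol.list():
        data = vol.read(path)
        seen[path] = data
        vol.write(path, keystream_xor(attacker_key, b"ransom-nonce", data))
    return seen


def demo() -> dict:
    volume_key = os.urandom(32)
    vol = EncryptedVolume(volume_key)
    vol.unlock(volume_key)                           # user booted the laptop and logged in

    vol.write("/phi/note.txt", PHI)                  # protected by FDE only
    app_key = os.urandom(32)                         # held by the application/key service, never on the volume
    nonce = os.urandom(16)
    vol.write("/phi/note.enc", nonce + keystream_xor(app_key, nonce, PHI))   # encrypted before it hits the disk

    raw_before = vol.raw_sectors("/phi/note.txt")    # disk contents before the infection
    seen = ransomware(vol, attacker_key=os.urandom(32))

    return {
        "disk_holds_plaintext": PHI in raw_before,           # False: FDE does its job at rest
        "fde_only_exposed": seen["/phi/note.txt"] == PHI,    # True: unsecured PHI, breach presumed
        "app_encrypted_exposed": PHI in seen["/phi/note.enc"],  # False: ransomware saw ciphertext
        "user_can_still_read": vol.read("/phi/note.txt") == PHI,  # False: files now held for ransom
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second file is the one OCR's guidance treats as still "secured": the ransomware can encrypt it again, so availability is lost either way, but it never obtained the PHI because the decryption key was not reachable from the user's session. Whether a real deployment meets that bar depends on where the application key actually lives; a key cached on the same laptop for convenience puts you back in the first case.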

The OCR’s analysis (and the U.S. Government Interagency Guidance Document, referenced here in How to Protect Your Networks from Ransomware) should be heeded by any business that holds personal information in electronic form. That’s because state identity theft prevention laws, as well as certain federal laws, apply to such businesses. And those laws contain security mandates and breach notification obligations similar to what is required of healthcare entities under HIPAA.

Ransomware is a formidable challenge and potentially devastating to a business.  And breach notification is usually a substantial and costly undertaking.  All businesses—not just healthcare entities—that maintain personal information in electronic form, should take the threat of ransomware seriously and implement the necessary policies, procedures and technical safeguards to guard against it.  The OCR’s guidance can be found on the ransomware fact sheet.
