The Other Shoe Drops on Vendor Business Associate; Includes Ban on Owner Doing Business in New Jersey

When a business entrusts its customers’ personal information to a third party, and that third party fails to properly protect the information, both entities may pay a price. Now, the New Jersey Attorney General has shown that the price can include a ban on a business owner ever again managing or owning a business in New Jersey.

As previously noted in this blog, ATA Consulting, LLC (“ATA”), a Georgia medical transcription service retained by Virtua Medical Group (“VMG”), had subcontracted VMG’s medical transcription work to a company in India. That company unintentionally misconfigured a web server while updating software on a password-protected File Transfer Protocol website, allowing the site to be accessed without a password.  As a result, some of VMG’s patient information became publicly available via a Google search of terms contained within the transcriptions.

VMG had a HIPAA Business Associate Agreement in place with ATA which, typically, would require ATA to comply with HIPAA’s Privacy and Security Rules and the federal Data Breach Notification Rule, and to bind its subcontractors to the same. The New Jersey Attorney General alleged that ATA failed to comply with many requirements of those laws and that each and every violation constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. Those violations involved the public exposure of information in 462 patient records, requiring notice to over 1,500 patients. While the settlement resolves the Attorney General’s allegations, it does not limit or otherwise affect private rights of action of anyone not a party to the settlement.  In addition to a $200,000 penalty (much of it suspended due to ATA’s financial condition), ATA’s owner is barred from managing or owning any business in New Jersey, an enforcement measure that shows the Attorney General’s aggressive stance against those who don’t take seriously their obligations regarding protected personal information.

Cybersecurity is not just about criminal hackers. When businesses assess their cybersecurity status and what measures they must take to protect customer and employee information, third-party risk from vendor relationships should not be overlooked. These measures will be discussed on November 29th at Alloy Silverstein’s 2018 Security Symposium: Threat and Crisis Management for the Modern Workforce, at the DoubleTree Suites in Mount Laurel, New Jersey.


Third-Party Vendor’s Breach Leads to Medical Practice’s $400,000 Settlement Payment Under HIPAA and New Jersey Consumer Fraud Act

The Attorney General of New Jersey and the New Jersey Division of Consumer Affairs (“Division”) have announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians affiliated with more than fifty southern New Jersey medical and surgical practices, has agreed to pay over $400,000 and enter into a corrective action plan, to resolve allegations by the Division related to a vendor’s data breach. The Attorney General, in its capacity as enforcer of both the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA), alleged that VMG failed to conduct a thorough analysis of the risk to the confidentiality of electronic protected health information (“ePHI”) sent to its third-party vendor and that its failure to implement security measures to reduce that risk violated HIPAA’s Security Rule.

The third-party vendor, a Georgia medical transcription service, subcontracted the work to a company in India, which unintentionally misconfigured a web server while updating software on a password-protected File Transfer Protocol website (“FTP Site”), allowing the FTP Site to be accessed without a password. As a result, the sensitive documents became publicly available via a Google search of terms contained within the transcriptions. Even after the password protection was restored, Google retained cached copies of the files, which remained publicly accessible on the Internet until they were removed more than a month later; closing the hole on the server does not, by itself, pull the data back from a search engine’s index. VMG apparently had a HIPAA Business Associate Agreement in place that required the Georgia transcription service to bind its subcontractors to the same terms and to notify VMG of any security incidents. But VMG was unaware of the India subcontractor and was not advised of the security incident within the contractual timeframe.

The Division alleges that, at the time of the incident, VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the breach, including:

  • Failing to implement a workforce security awareness and training program;
  • Delaying in identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome;
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of the electronic PHI maintained on the FTP Site;
  • Improperly disclosing the PHI of its patients; and
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The Division also alleged that the public exposure of the ePHI of at least 462 patients (ultimately VMG notified over 1,500 potentially affected patients), and VMG’s violations of HIPAA, constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. See the Division’s press release.

Medical practices and other healthcare providers that are covered entities under HIPAA should take heed. Although it was a third-party vendor that caused the breach, VMG was held accountable by the Division because it was VMG’s patient data and VMG’s responsibility to protect it, and because the Division’s position was that VMG should have conducted a risk assessment of its Business Associate and implemented the necessary safeguards. Another warning: it could be the State Attorney General, who has had authority to enforce HIPAA since the HITECH Act, rather than the federal Office for Civil Rights, who investigates and prosecutes you for HIPAA violations, whether yours or those of your vendors. As the Division Director has warned: “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”

Third-party risk in the HIPAA realm is a focus of the upcoming free seminar: “Practical Steps and Expert Advice to Consider When Implementing an Enterprise Risk Management Plan – Financial Management and Human Resources” being held on Thursday, April 26th at the Indian Cultural Center in Marlton, New Jersey.


Opportunity Lost, Lesson Learned: OCR’s $3.2 Million Message to Children’s Medical Center

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced on February 1, 2017, that it imposed a $3.2 million civil money penalty against Children’s Medical Center of Dallas (“Children’s”) for impermissible disclosure of unsecured electronic protected health information (ePHI) and many years of non-compliance with multiple standards of the HIPAA Security Rule. What makes this case particularly painful is that it appears Children’s had many opportunities to mitigate its noncompliance–and to lessen the penalty–but failed to fully take advantage of those opportunities.

Eleven years ago, in 2006, one year after the HIPAA Security Rule took effect, Children’s retained a third party to conduct a security gap analysis and assessment. That assessment identified the absence of risk management as a major finding. The third party consultant recommended that Children’s implement encryption to avoid loss of ePHI on stolen or lost laptops. Recommendation not taken.

In 2008, Children’s engaged a different third party vendor to conduct a separate analysis of threats to ePHI. That vendor also determined that encryption was necessary and appropriate, and identified the loss of data at rest through unsecured mobile devices as being a high risk for Children’s. Although required by the HIPAA Security Rule, Children’s failed to document its decision to not implement encryption or any applicable rationale behind a decision to use alternative security measures.

Time passed. No encryption. You guessed it.

In January 2010, Children’s filed a breach report with OCR regarding the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport, exposing the ePHI of approximately 3,800 individuals.

In December 2010, a Children’s medical resident lost an iPod device that had been synched to the resident’s Children’s email account, resulting in the unencrypted ePHI of 22 individuals being placed on the device.

In 2012, OCR issued the findings of its audit of Children’s identifying, among other things, insufficient controls for devices, including smartphones and USB drives.

In July 2013, Children’s filed another HIPAA Breach Notification Report with OCR, reporting the April 2013 theft from its premises of an unencrypted laptop containing ePHI of 2,462 individuals. Although Children’s had implemented some physical safeguards to its laptop storage area (e.g., badge access and a security camera at one of the entrances), it had allowed janitorial staff unrestricted access to the area where the laptop with unencrypted ePHI was stored. Children’s internal investigation concluded that the laptop was probably stolen by a member of the janitorial staff.

OCR’s subsequent investigation of Children’s revealed lack of policies, lack of device and media controls, failure to implement risk management plans, contrary to prior external recommendations to do so, and failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 2013, when the laptop theft occurred. OCR noted that, despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

OCR issued a “Letter of Opportunity” to Children’s in May 2016, noting that OCR’s efforts to resolve the matter by informal means had been unsuccessful. In response, Children’s put forth a defense to OCR’s allegations but to no avail. By law, for violations occurring after February 2009, OCR could not impose a civil money penalty on Children’s if Children’s could establish to OCR’s satisfaction that the violations were not due to willful neglect and were corrected during the 30-day period beginning on the first date it knew, or, by exercising reasonable diligence, would have known that the violation occurred. However, Children’s had not made corrections of its violations within that timeframe.

In September 2016, OCR notified Children’s of its findings and the proposed penalty. OCR had considered as aggravating factors the amount of time that Children’s continued to use unencrypted devices, even after express recommendations of consultants and the OCR that encryption was necessary for ePHI security. The notification included instructions for requesting a hearing to challenge the proposed penalties. Children’s did not request a hearing.

On January 18, 2017, OCR issued a notice to Children’s that the full civil money penalty of $3.2 million was final.

Children’s did the compliant thing, back in 2006 and 2008, to conduct security risk assessments. Ignoring the results of such risk assessments is a common failure of HIPAA covered entities and their business associates. Children’s learned the hard way that not implementing recommended measures, such as failing to implement encryption and device controls, and not correcting violations that come to light, may seem like the right (or the economically sound) decision at the time, but can prove to be extremely costly in the end. Especially if you just keep doing it.

For advice on security risk assessments, policies and protocols, and corrective action plans for security violations, contact Denise L. Sanders, Esq., shareholder at Capehart Scatchard, who regularly advises healthcare providers and vendors on requirements of HIPAA Privacy and Security and federal and state Data Breach Notification rules.


Cyber Risk Is Not Going Away

In a future that has become more ambiguous than ever, some things are certain. Businesses, including health care entities, will increasingly rely on data and technology in order to conduct their business.  Data containing personal information will continue to be valuable.  The risk of liability for those holding that data will remain, whether the enforcer is at the federal or state level in a regulatory action, or a private citizen filing suit.  Safeguarding data against cyber-attacks and other impermissible disclosures must continue to be a priority for those who use and share data.

In the healthcare world, HIPAA compliance is key.  An example is the November 22nd settlement between the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the University of Massachusetts Amherst (UMass). The settlement includes a corrective action plan and a monetary fine of $650,000 (which would have been more had UMass not been operating at a financial loss in 2015). The trigger for the enforcement action was a UMass workstation that became infected with a malware program, resulting in the wrongful disclosure of electronic protected health information (ePHI) of 1,670 individuals. The malware was a generic remote access Trojan that infiltrated the UMass system, providing unauthorized access to ePHI because UMass did not have a firewall in place.  OCR’s investigation found that UMass failed to conduct an accurate and thorough security risk analysis, failed to have adequate policies and procedures in place, and failed to implement technical security measures.

For healthcare entities and those who handle their data, HIPAA compliance not only is required by law, it is still the most certain way to protect against, prepare for, respond to, and mitigate the effects of a cybersecurity incident.

On Tuesday, December 13, 2016, from 7:30 a.m. to 12:30 p.m., Denise L. Sanders, Esq., will participate in the seminar “Cybercrime:  Facts, Threats, and Countermeasures,” held at Rowan University and hosted by Avasek.  The seminar includes presentations by Mike Geraghty, Director, NJ Cybersecurity & Communications Integration Cell; Philip Frigm, Supervisory Special Agent, FBI Newark Division; and Lt. Cy Bleistine, NJ State Police, Cyber Crimes Unit; along with David Humphreys, Avasek.  As part of an expert panel, Ms. Sanders will address HIPAA and HITECH compliance by healthcare providers facing cybersecurity threats.  To register, please click here.


For Covered Entities and Business Associates, There Can Be No Such Thing as “HIPAA Lite”

It has been well over a decade since health care providers (and other HIPAA Covered Entities) started handing out their Notice of Privacy Practices as required by the HIPAA Privacy Rule. Patients have become so accustomed to the Notice that many never read it, even though they sign an acknowledgment that they have not only read it but understood it. The question is, when was the last time the provider’s Privacy Officer or the entity’s CEO read the Notice? Do key personnel understand the terms of the Notice? And does the provider comply with its own Notice, maintaining the policies and procedures that are represented in the Notice?

In smaller organizations, the practice manager often fills the role of Privacy Officer and Security Officer. HIPAA is just one of many regulatory burdens on the manager’s plate and it is probably not the highest priority. The same is true for HIPAA Business Associates who may or may not understand their substantial obligations under HIPAA and under those Business Associate Agreements they signed. So it is understandable that HIPAA compliance may have morphed into “HIPAA Lite,” with providers and their Business Associates hoping that what they have in place will suffice and that they will fly under the radar of the U.S. Office for Civil Rights (OCR).  This was much easier to do in past years, when OCR enforcement focused on advising and assisting with compliance and OCR lacked resources to do much more.

But times have changed. In recent months, the OCR has entered into resolution agreements with both Covered Entities and Business Associates that include the largest financial settlement obtained by OCR from a HIPAA-regulated entity ($5.55 million from Advocate Health Care Network for breaches involving its physician-led medical group). The Advocate settlement noted the extent and duration of noncompliance, in some cases dating back to the inception of the Security Rule in 2005.  OCR’s settlement with Catholic Health Care Services, a HIPAA Business Associate to skilled nursing facilities, imposed a $650,000 fine and a two-year corrective action plan focusing on Catholic’s lack of a risk analysis, risk management plan and at least fifteen mandated policies.

Expanding the scope of its enforcement efforts, OCR has also announced an initiative to more widely investigate the root causes of smaller breaches, i.e., those in which under 500 persons are affected and which are reported by Covered Entities on an annual basis. These smaller breaches will likely draw the OCR’s attention if they involve theft of or improper disposal of unencrypted PHI or involve unwanted intrusion into an IT system. Once the OCR starts investigating one aspect of HIPAA compliance, the door is open for it to look at the organization’s entire HIPAA and data breach compliance efforts.

Increasing your efforts to ensure HIPAA compliance is not easy.  Capehart Scatchard is offering a seminar to help Covered Entities and Business Associates be prepared when the OCR comes calling.


It’s Not Just Ransomware – It’s a Breach!

Ransomware.  It’s in the headlines, but what is it?  Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) provided a layperson’s description:

Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

The description is included in a Fact Sheet on Ransomware and HIPAA (the Health Insurance Portability and Accountability Act), containing OCR’s guidance to healthcare entities on how to guard against ransomware and how to respond to a ransomware attack. The Fact Sheet notes that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily ransomware attacks reported in 2015.  And these are only the reported attacks.

The Fact Sheet provides extensive and detailed guidance on how entities subject to HIPAA should be protecting against ransomware. If safeguards have been put in place as required by HIPAA, ransomware should be less likely to occur and less likely to be devastating to an entity.  But of note in the guidance is the discussion of what else ransomware can be—a breach.  Specifically, a breach of protected health information (PHI) that must be reported as required under applicable law.

The scenario set forth by the OCR is where a laptop, encrypted with a full disk encryption solution, is powered on and in use by an authenticated user, who then performs an action (clicks on a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware. If full disk encryption is the only encryption solution in use to protect the PHI, and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted to the hacker with the same access levels granted to the user.

Because the file containing the PHI was decrypted and thus constituted “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.  In that case, the victimized entity must conduct the required assessment to determine if breach notification must be provided to all affected persons and to applicable authorities.
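The access boundary OCR describes above, modeled as an added example (not code from the OCR Fact Sheet or from this blog): a toy full-disk-encrypted volume that decrypts transparently for any process once the user has unlocked it, beside the same record additionally sealed with a key held by the application rather than the operating-system session. The cipher is a stdlib-only HMAC-SHA256 keystream toy chosen so the script runs offline and is not a real encryption scheme; the file paths and the patient record are constructed, and an `app_key` that the EHR application holds outside the user’s login session is an assumption of the model.

```python
import hashlib
import hmac
import os

# Constructed sample record for the demo; not real patient data.
PHI_RECORD = b"patient=Jane Q. Sample; mrn=000-00-0000; dx=hypertension"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream.
    Models 'encrypted vs. not' for the demo only; not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class FullDiskEncryptedVolume:
    """Models FDE: sectors are ciphertext on disk, but while the volume is
    unlocked every read by any process in the session is decrypted for it."""

    def __init__(self, disk_key: bytes):
        self._disk_key = disk_key
        self._sectors = {}   # path -> (nonce, ciphertext) as stored on disk
        self.unlocked = False

    def unlock(self, key: bytes) -> None:
        if not hmac.compare_digest(key, self._disk_key):
            raise PermissionError("bad disk key")
        self.unlocked = True

    def lock(self) -> None:
        self.unlocked = False

    def write(self, path: str, data: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("volume locked")
        nonce = os.urandom(16)
        self._sectors[path] = (nonce, _keystream_xor(self._disk_key, nonce, data))

    def read(self, path: str) -> bytes:
        """What any process on the running, unlocked laptop sees."""
        if not self.unlocked:
            raise PermissionError("volume locked")
        nonce, ct = self._sectors[path]
        return _keystream_xor(self._disk_key, nonce, ct)

    def raw_sectors(self, path: str) -> bytes:
        """What a thief who images the powered-off disk sees: ciphertext."""
        return self._sectors[path][1]


def seal_record(app_key: bytes, plaintext: bytes) -> bytes:
    """Application-layer (file-level) encryption under its own key.
    Layout: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(app_key, nonce, plaintext)
    tag = hmac.new(app_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(app_key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(app_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record tampered or wrong key")
    return _keystream_xor(app_key, nonce, ct)


def ransomware_reads(volume: FullDiskEncryptedVolume, path: str) -> bytes:
    """The malicious process runs as the authenticated user and just reads
    the file; it receives whatever the FDE layer hands back."""
    return volume.read(path)


def run_scenario() -> dict:
    """For each storage design, report whether code running in the user's
    session (or a thief with the powered-off disk) saw the PHI in the clear."""
    disk_key = os.urandom(32)
    app_key = os.urandom(32)   # assumed held by the EHR app, not the OS session
    vol = FullDiskEncryptedVolume(disk_key)
    vol.unlock(disk_key)       # user logged in, laptop in use

    vol.write("/phi/visit.txt", PHI_RECORD)                            # FDE only
    vol.write("/phi/visit.sealed", seal_record(app_key, PHI_RECORD))   # FDE + file-level

    results = {
        "fde_only_in_use": ransomware_reads(vol, "/phi/visit.txt") == PHI_RECORD,
        "file_level_in_use": ransomware_reads(vol, "/phi/visit.sealed") == PHI_RECORD,
        "fde_only_powered_off": vol.raw_sectors("/phi/visit.txt") == PHI_RECORD,
        "app_can_open_sealed": open_record(app_key, vol.read("/phi/visit.sealed")) == PHI_RECORD,
    }
    vol.lock()                 # laptop shut down or screen-locked volume
    try:
        vol.read("/phi/visit.txt")
        results["fde_only_locked"] = True
    except PermissionError:
        results["fde_only_locked"] = False
    return results


if __name__ == "__main__":
    for design, exposed in run_scenario().items():
        print(f"{design:22s} PHI exposed: {exposed}")
```

The model makes OCR’s point concrete: FDE answers the lost-laptop and lost-BlackBerry cases described elsewhere on this page (the powered-off and locked results stay `False`), but once the user is authenticated, every process in that session, ransomware included, reads PHI in the clear. Protecting data that is in use is a matter of least privilege, application-layer encryption whose keys are not resident in the session, and tested backups, not of the disk-encryption product.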

The OCR’s analysis (and the U.S. Government Interagency Guidance Document, referenced here in How to Protect Your Networks from Ransomware) should be heeded by any business that holds personal information in electronic form. That’s because state identity theft prevention laws, as well as certain federal laws, apply to such businesses. And those laws contain security mandates and breach notification obligations similar to what is required of healthcare entities under HIPAA.

Ransomware is a formidable challenge and potentially devastating to a business.  And breach notification is usually a substantial and costly undertaking.  All businesses—not just healthcare entities—that maintain personal information in electronic form, should take the threat of ransomware seriously and implement the necessary policies, procedures and technical safeguards to guard against it.  The OCR’s guidance can be found on the ransomware fact sheet.


It’s Not Just About HIPAA: Patient Communications and a Lesson from the FTC

In a one-count complaint, the Federal Trade Commission (FTC) alleges that Practice Fusion, the country’s largest cloud-based electronic health records company, engaged in deceptive acts or practices under Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC alleges that Practice Fusion misled patients of its healthcare providers to believe they were sending messages to their physicians—including messages containing their health information—when, in fact, they were submitting content to be published on a public website. The FTC enforcement action against Practice Fusion is sobering for those engaged in communications with what the FTC calls “healthcare provider customers.”

Practice Fusion has, for several years, provided “Patient Fusion,” an online patient portal for health care providers so patients could view or download their health information and transmit it to another provider, as well as send and receive secure messages with their providers. Practice Fusion then expanded Patient Fusion to collect patient information for a public directory that would include, among other things, patient reviews. To obtain that information, Practice Fusion sent emails to the patients of its provider clients, which some patients then used to link to a webpage asking them to review their provider, including whether all of their medical concerns had been addressed. The questionnaire advised patients not to provide personal information and also provided a check-off where a patient could request that the review be kept anonymous. Unfortunately, many patients misunderstood what they were agreeing to and how the information they provided would be used by Practice Fusion.

The FTC alleged that Practice Fusion’s instructions and disclaimers were inadequate and misleading. According to the FTC complaint, patients who clicked on the five-star rating image in the email were linked to an online survey form with questions about their recent medical visit, including a text box where patients could enter any information they wished within a set character limit. Because patients likely thought the information was being shared only with their provider, many of them included in the text box their full name or phone number along with personal health information and inquiries intended for their physician.

To settle the case, Practice Fusion has agreed not to misrepresent the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information. It also must: 1) clearly and conspicuously disclose to the consumer – separate and apart from a privacy policy, terms of use page, or similar document – its intention to make the information public; and 2) get the consumer’s express affirmative consent.

While the terms of the settlement apply only to Practice Fusion, the FTC details the lessons to be learned by others in the healthcare provider customer industry:

If personal health information is involved, handle it with particular care.  Consumers are concerned about the confidentiality of their health information and they have good reason to be. Given what’s at stake, industry members are on notice of the need for caution.

Explain your intentions. Especially for new products and services, don’t assume that consumers share your expertise. Be straightforward in your explanation and use simple words to explain what you want to do with their data.

Get consumers’ express affirmative consent before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.

Disclosures should reach out and grab consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach, so here’s some FTC 101: If the disclosure of information is necessary to prevent deception, it must be clear and conspicuous. To the FTC, “clear and conspicuous” is a performance standard, not a font size. Chances are that fine print footnotes, dense blocks of text, jargon-filled doubletalk, or obscure hyperlinks won’t cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: Consider the same eye-catching methods you routinely use when you really want to grab a potential customer’s attention – graphics, color, big print, prominent placement, clear wording, etc.

Don’t bury key facts in a hard-to-understand privacy policy. You’ll want to read the complaint for the details, but after Practice Fusion started to collect consumer survey results for posting, it changed what it said in its Privacy Policy, but didn’t clearly disclose the information on the survey page itself. Of course, companies’ privacy policies and terms of use pages should be accurate and understandable, but relying on those pages as the exclusive means to convey critical details – for example, that you intend to post consumers’ sensitive health information publicly – is unwise.

The proposed settlement agreement is under review and the final terms will be the subject of a future post on this blog.  Clearly, the lessons noted above should be heeded by companies involved in the online solicitation and publication of any sensitive personal information from consumers, and appropriate policies and procedures developed and implemented.


Data Breach – Can You Win This War?

As a business owner or CEO, you know that information technology has become a key part of your operations. But having an IT budget and finding the right employee or vendor for your IT needs—or what you think are your IT needs—will no longer suffice when it comes to privacy, security and data breach. It isn’t just about IT anymore. You cannot just point to the IT Department and check privacy and security off your list. Keeping your company protected is the job of everyone from the C-suite to the janitorial staff and all those in between.

Many businesses are woefully unaware of the laws that apply to their collection, transmission, storage and disposal of personal information.  State and federal laws governing identity theft prevention impose certain requirements on all businesses and public entities, not dissimilar to what healthcare providers must meet under the widely-known HIPAA laws.  So, in addition to damage to reputation, and damage from lost data and downtime, you could be facing significant fines and lawsuits which, under Consumer Fraud Acts, could include treble damages.

As an initial inquiry, do you know what types of private data your organization holds?  Employee data, health data, customer data, and financial data, including payment card data, are the most common.  Do you know who in your organization has access to this data and should they? Can you track their access?  Who specifically is responsible for the different components of your privacy and security program and are they performing according to company policy (if you have one)?  Who from outside of your organization is given access to your data?  Are you abiding by your contractual obligations related to privacy and security and are your vendors abiding by their obligations to you?

What are the greatest risks to your data? Hacking grabs the headlines, but often employee error and even improper disclosure or destruction of paper records can result in breaches and fines, too.  What are your best options for protecting against your greatest risks? Encryption and other technology solutions are important.  But simply training your employees on the risks, and on your company’s policies, is a basic protection and is often a mandate of state and federal laws.

What plan is in place for when your data is compromised, i.e., you suffer a data breach?  The law imposes specific requirements for investigation, notification and mitigation when a data breach occurs.  A data breach response team is indispensable, as is cyber insurance.  Both must be in place before a breach occurs.

Beyond satisfying yourself that you have taken all reasonable precautions in this area, you also may have a governing board, shareholders, members or other constituents who look to you for assurance that security and privacy in the organization have been vigilantly addressed.  Witness last month’s mailing by the American Dental Association (ADA) to its members containing a coding manual but also, for some of the recipients, a USB drive infected with malware, purportedly the fault of a subcontractor of an ADA vendor.  The ADA issued an alert but time will tell if this will be enough to cure the problem created by this infection.

An infected USB drive is just one of many threats that could impact your business.  The Information Security Forum (ISF) earlier this year issued its Threat Horizon 2018 report looking at nine key threats that impact businesses and recommending actions to improve cyber resilience.  The themes of the ISF report are threefold: technology adoption dramatically expands the threat landscape; the ability to protect against these threats is progressively compromised; and government will increasingly intervene.  Other reports, such as Verizon’s 2016 Data Breach Investigations Report, reflect that information security risks for businesses fall into the realms of the human element, conduit devices, configuration exploitation, and malicious software.

You may not understand all of the nuances of these threats and the protective measures needed to address them, but you will understand the closing message from the Verizon Report.  That message is to have a plan that involves your people, processes and technology, and to test and update your plan regularly.  Which means you now should have an idea of where to begin.  And this blog will provide analysis, tips and guidance.  But if you don’t bother to do your own investigation and planning, you will be wondering why you didn’t make protecting one of your most valuable assets a priority.  As quoted in the Verizon Report:

“Know your enemy and know yourself and you can fight a hundred battles without disaster.” – Sun Tzu