Third-Party Vendor’s Breach leads to Medical Practice’s $400,000 Settlement Payment Under HIPAA and New Jersey Consumer Fraud Act

The Attorney General of New Jersey and the New Jersey Division of Consumer Affairs (“Division”) have announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians affiliated with more than fifty southern New Jersey medical and surgical practices, has agreed to pay over $400,000 and enter into a corrective action plan, to resolve allegations by the Division related to a vendor’s data breach. The Attorney General, in its capacity as enforcer of both the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA), alleged that VMG failed to conduct a thorough analysis of the risk to the confidentiality of electronic protected health information (“ePHI”) sent to its third-party vendor and that its failure to implement security measures to reduce that risk violated HIPAA’s Security Rule.

The third-party vendor, a Georgia medical transcription service, subcontracted to a company in India, which unintentionally misconfigured a web server while updating software on a password-protected File Transfer Protocol website (“FTP Site”), allowing the FTP Site to be accessed without a password.  As a result, the sensitive documents became publicly available via a Google search of terms contained within the transcriptions.  Even after the password protection was restored, Google retained cached indexes of the files, which remained publicly accessible on the Internet until removed over one month later. VMG apparently had a HIPAA Business Associate Agreement in place that required the Georgia transcription service to similarly bind subcontractors and to notify VMG of any security incidents.  But VMG was unaware of the India subcontractor and was not advised of the security incident within the contractual timeframe.

The Division alleges that, at the time of the incident, VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the breach, including:

  • Failing to implement a workforce security awareness and training program;
  • Delaying in identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome;
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of the electronic PHI maintained on the FTP Site;
  • Improperly disclosing the PHI of its patients; and
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The Division also alleged that the public exposure of the ePHI of at least 462 patients (ultimately VMG notified over 1,500 potentially affected patients), and VMG’s violations of HIPAA, constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. See the Division press release here.

Medical practices and other healthcare providers that are covered entities under HIPAA should take heed. Although it was a third-party vendor that caused the breach, VMG was held accountable by the Division because it was VMG’s patient data and VMG’s responsibility to protect it, and because the Division’s position was that VMG should have conducted a risk assessment of its Business Associate and implemented necessary safeguards. Another warning: it could be the State Attorney General, not the federal Office for Civil Rights, who investigates and prosecutes you for HIPAA violations, whether yours or those of your vendors. As the Division Director has warned: “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”

Third-party risk in the HIPAA realm is a focus of the upcoming free seminar: “Practical Steps and Expert Advice to Consider When Implementing an Enterprise Risk Management Plan – Financial Management and Human Resources,” being held on Thursday, April 26th at the Indian Cultural Center in Marlton, New Jersey.

Opportunity Lost, Lesson Learned: OCR’s $3.2 Million Message to Children’s Medical Center

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced on February 1, 2017, that it imposed a $3.2 million civil money penalty against Children’s Medical Center of Dallas (“Children’s”) for impermissible disclosure of unsecured electronic protected health information (ePHI) and many years of non-compliance with multiple standards of the HIPAA Security Rule. What makes this case particularly painful is that it appears Children’s had many opportunities to mitigate its noncompliance–and to lessen the penalty–but failed to fully take advantage of those opportunities.

Eleven years ago, in 2006, one year after the HIPAA Security Rule took effect, Children’s retained a third party to conduct a security gap analysis and assessment. That assessment identified the absence of risk management as a major finding. The third party consultant recommended that Children’s implement encryption to avoid loss of ePHI on stolen or lost laptops. Recommendation not taken.

In 2008, Children’s engaged a different third party vendor to conduct a separate analysis of threats to ePHI. That vendor also determined that encryption was necessary and appropriate, and identified the loss of data at rest through unsecured mobile devices as being a high risk for Children’s. Although required by the HIPAA Security Rule, Children’s failed to document its decision to not implement encryption or any applicable rationale behind a decision to use alternative security measures.

Time passed. No encryption. You guessed it.

In January 2010, Children’s filed a breach report with OCR regarding the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport, exposing the ePHI of approximately 3,800 individuals.

In December 2010, a Children’s medical resident lost an iPod device that had been synched to the resident’s Children’s email account, resulting in the unencrypted ePHI of 22 individuals being placed on the device.

In 2012, OCR issued the findings of its audit of Children’s identifying, among other things, insufficient controls for devices, including smartphones and USB drives.

In July 2013, Children’s filed another HIPAA Breach Notification Report with OCR, reporting the April 2013 theft from its premises of an unencrypted laptop containing ePHI of 2,462 individuals. Although Children’s had implemented some physical safeguards to its laptop storage area (e.g., badge access and a security camera at one of the entrances), it had allowed janitorial staff unrestricted access to the area where the laptop with unencrypted ePHI was stored. Children’s internal investigation concluded that the laptop was probably stolen by a member of the janitorial staff.

OCR’s subsequent investigation of Children’s revealed lack of policies, lack of device and media controls, failure to implement risk management plans, contrary to prior external recommendations to do so, and failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 2013, when the laptop theft occurred. OCR noted that, despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

OCR issued a “Letter of Opportunity” to Children’s in May 2016, noting that OCR’s efforts to resolve the matter by informal means had been unsuccessful. In response, Children’s put forth a defense to OCR’s allegations but to no avail. By law, for violations occurring after February 2009, OCR could not impose a civil money penalty on Children’s if Children’s could establish to OCR’s satisfaction that the violations were not due to willful neglect and were corrected during the 30-day period beginning on the first date it knew, or, by exercising reasonable diligence, would have known that the violation occurred. However, Children’s had not made corrections of its violations within that timeframe.

In September 2016, OCR notified Children’s of its findings and the proposed penalty. OCR had considered as aggravating factors the amount of time that Children’s continued to use unencrypted devices, even after express recommendations of consultants and the OCR that encryption was necessary for ePHI security. The notification included instructions for requesting a hearing to challenge the proposed penalties. Children’s did not request a hearing.

On January 18, 2017, OCR issued a notice to Children’s that the full civil money penalty of $3.2 million was final.

Children’s did the compliant thing, back in 2006 and 2008, to conduct security risk assessments. Ignoring the results of such risk assessments is a common failure of HIPAA covered entities and their business associates. Children’s learned the hard way that not implementing recommended measures, such as failing to implement encryption and device controls, and not correcting violations that come to light, may seem like the right (or the economically sound) decision at the time, but can prove to be extremely costly in the end. Especially if you just keep doing it.

For advice on security risk assessments, policies and protocols, and corrective action plans for security violations, contact Denise L. Sanders, Esq., shareholder at Capehart Scatchard, who regularly advises healthcare providers and vendors on requirements of HIPAA Privacy and Security and federal and state Data Breach Notification rules.

For Covered Entities and Business Associates, There Can Be No Such Thing as “HIPAA Lite”

It has been well over a decade since health care providers (and other HIPAA Covered Entities) started handing out their Notice of Privacy Practices as required by the HIPAA Privacy Rule. Patients have become so accustomed to the Notice that many never read it, even though they sign a statement that they have not only read it but understand it. The question is, when was the last time the provider’s Privacy Officer or the entity’s CEO read the Notice? Do key personnel understand the terms of the Notice? And does the provider comply with its own Notice, maintaining the policies and procedures that are represented in the Notice?

In smaller organizations, the practice manager often fills the role of Privacy Officer and Security Officer. HIPAA is just one of many regulatory burdens on the manager’s plate and it is probably not the highest priority. The same is true for HIPAA Business Associates who may or may not understand their substantial obligations under HIPAA and under those Business Associate Agreements they signed. So it is understandable that HIPAA compliance may have morphed into “HIPAA Lite,” with providers and their Business Associates hoping that what they have in place will suffice and that they will fly under the radar of the U.S. Office for Civil Rights (OCR).  This was much easier to do in past years, when OCR enforcement focused on advising and assisting with compliance and OCR lacked resources to do much more.

But times have changed. In recent months, the OCR has entered into resolution agreements with both Covered Entities and Business Associates that include the largest financial settlement obtained by OCR from a HIPAA-regulated entity ($5.55 million from Advocate Health Care Network for breaches involving its physician-led medical group). The Advocate settlement noted the extent and duration of noncompliance, in some cases dating back to the inception of the Security Rule in 2005.  OCR’s settlement with Catholic Health Care Services, a HIPAA Business Associate to skilled nursing facilities, imposed a $650,000 fine and a two-year corrective action plan focusing on Catholic’s lack of a risk analysis, risk management plan and at least fifteen mandated policies.

Expanding the scope of its enforcement efforts, OCR has also announced an initiative to more widely investigate the root causes of smaller breaches, i.e., those in which under 500 persons are affected and which are reported by Covered Entities on an annual basis. These smaller breaches will likely draw the OCR’s attention if they involve theft of or improper disposal of unencrypted PHI or involve unwanted intrusion into an IT system. Once the OCR starts investigating one aspect of HIPAA compliance, the door is open for it to look at the organization’s entire HIPAA and data breach compliance efforts.

Increasing your efforts to ensure HIPAA compliance is not easy.  Capehart Scatchard is offering a seminar to help Covered Entities and Business Associates be prepared when the OCR comes calling.

It’s Not Just Ransomware – It’s a Breach!

Ransomware.  It’s in the headlines, but what is it?  Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) provided a layperson’s description:

Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

The description is included in a Fact Sheet on Ransomware and HIPAA (the Health Insurance Portability and Accountability Act), containing OCR’s guidance to healthcare entities on how to guard against ransomware and how to respond to a ransomware attack. The Fact Sheet notes that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily ransomware attacks reported in 2015.  And these are only the reported attacks.

The Fact Sheet provides extensive and detailed guidance on how entities subject to HIPAA should be protecting against ransomware. If safeguards have been put in place as required by HIPAA, ransomware should be less likely to occur and less likely to be devastating to an entity.  But of note in the guidance is the discussion of what else ransomware can be—a breach.  Specifically, a breach of protected health information (PHI) that must be reported as required under applicable law.

The scenario set forth by the OCR is where a laptop, encrypted with a full disk encryption solution, is powered on and in use by an authenticated user, who then performs an action (clicks on a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware. If full disk encryption is the only encryption solution in use to protect the PHI, and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted to the hacker with the same access levels granted to the user.

Because the file containing the PHI was decrypted and thus constituted “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.  In that case, the victimized entity must conduct the required assessment to determine if breach notification must be provided to all affected persons and to applicable authorities.

The OCR’s analysis (and the U.S. Government Interagency Guidance Document, referenced here in How to Protect Your Networks from Ransomware) should be heeded by any business that holds personal information in electronic form. That’s because state identity theft prevention laws, as well as certain federal laws, apply to such businesses. And those laws contain security mandates and breach notification obligations similar to what is required of healthcare entities under HIPAA.

Ransomware is a formidable challenge and potentially devastating to a business.  And breach notification is usually a substantial and costly undertaking.  All businesses—not just healthcare entities—that maintain personal information in electronic form, should take the threat of ransomware seriously and implement the necessary policies, procedures and technical safeguards to guard against it.  The OCR’s guidance can be found on the ransomware fact sheet.

It’s Not Just About HIPAA: Patient Communications and a Lesson from the FTC

In a one-count complaint, the Federal Trade Commission (FTC) alleges that Practice Fusion, the country’s largest cloud-based electronic health records company, engaged in deceptive acts or practices under Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC alleges that Practice Fusion misled patients of its healthcare providers into believing they were sending messages to their physicians—including messages containing their health information—when, in fact, they were submitting content to be published on a public website. The FTC enforcement action against Practice Fusion is sobering for those engaged in communications with what the FTC calls “healthcare provider customers.”

Practice Fusion has, for several years, provided “Patient Fusion,” an online patient portal offered to health care providers so that patients could view or download their health information and transmit it to another provider, as well as send and receive secure messages with their providers. Patient Fusion then expanded to collect patient information for a public directory that would include, among other things, patient reviews. To obtain that information, Practice Fusion sent emails to the patients of its provider clients; some patients followed a link in those emails to a webpage asking them to review their provider, including whether all of their medical concerns had been addressed. The questionnaire advised patients not to provide personal information and also provided a check-off where a patient could request that the review be kept anonymous. Unfortunately, many patients misunderstood what they were agreeing to and how the information they provided would be used by Patient Fusion.

The FTC found Patient Fusion’s instructions and disclaimers inadequate and misleading.  According to the FTC complaint, patients who clicked on the five-star rating image in the email were linked to an online survey form with questions about their recent medical visit, including a text box where patients could enter any information they wished within a set character limit.  Because patients likely thought the information was only shared with their provider, many of them included in the text box their full name or phone number along with personal health information inquiries intended for their physician.

To settle the case, Practice Fusion has agreed not to misrepresent the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information. It also must: 1) clearly and conspicuously disclose to the consumer – separate and apart from a privacy policy, terms of use page, or similar document – its intention to make the information public; and 2) get the consumer’s express affirmative consent.

While the terms of the settlement apply only to Practice Fusion, the FTC details the lessons to be learned by others in the healthcare provider customer industry:

If personal health information is involved, handle it with particular care.  Consumers are concerned about the confidentiality of their health information and they have good reason to be. Given what’s at stake, industry members are on notice of the need for caution.

Explain your intentions. Especially for new products and services, don’t assume that consumers share your expertise. Be straightforward in your explanation and use simple words to explain what you want to do with their data.

Get consumers’ express affirmative consent before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.

Disclosures should reach out and grab consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach, so here’s some FTC 101: If the disclosure of information is necessary to prevent deception, it must be clear and conspicuous. To the FTC, “clear and conspicuous” is a performance standard, not a font size. Chances are that fine print footnotes, dense blocks of text, jargon-filled doubletalk, or obscure hyperlinks won’t cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: Consider the same eye-catching methods you routinely use when you really want to grab a potential customer’s attention – graphics, color, big print, prominent placement, clear wording, etc.

Don’t bury key facts in a hard-to-understand privacy policy. You’ll want to read the complaint for the details, but after Practice Fusion started to collect consumer survey results for posting, it changed what it said in its Privacy Policy, but didn’t clearly disclose the information on the survey page itself. Of course, companies’ privacy policies and terms of use pages should be accurate and understandable, but relying on those pages as the exclusive means to convey critical details – for example, that you intend to post consumers’ sensitive health information publicly – is unwise.

The proposed settlement agreement is under review and the final terms will be the subject of a future post on this blog.  Clearly, the lessons noted above should be heeded by companies involved in the online solicitation and publication of any sensitive personal information from consumers, and appropriate policies and procedures developed and implemented.