Law Firm Files Class Action Lawsuit Over Overcharging for Copies of Patients’ Health Records

A law firm has filed a class action lawsuit against Medical Records Online (MRO), a healthcare release-of-information solution provider, alleging that it charges law firms and insurance providers excessive fees for digital copies of patients’ medical records.

Cipriani & Werner of Pittsburgh filed the lawsuit in federal court in Camden, NJ. The suit concerns the fees MRO charged for a copy of a patient’s health records requested for a personal injury case against the retailer Kohl’s, which the law firm represents.

Cipriani & Werner obtained the plaintiff’s medical records from John F. Kennedy Medical Center in Edison, NJ. MRO billed $528 for 518 pages of records: a $10 search fee plus $1 per page, even though the records were delivered electronically as a PDF file.

Cipriani & Werner alleges that MRO violated the New Jersey Declaratory Judgment Act by charging fees well above the maximum permitted. The other claims are:

  • a claim under the New Jersey Consumer Fraud Act for unconscionable commercial practices
  • breach of New Jersey common law
  • breach of contract, for violating the implied covenant of good faith and fair dealing

The New Jersey Administrative Code permits a $10 search fee for providing copies of medical records to third parties, a fee of $1 per page, and the actual cost of postage and of the media used to deliver the records (e.g. a compact disc). Cipriani & Werner contends the bill should have included only the $10 search fee, with no per-page charge, since nothing was printed.

The lawsuit argues that whether MRO supplies a few pages or hundreds of pages, copying electronically stored records and sending them to the client takes MRO the same amount of time and effort. Cipriani & Werner says the entire process took only 5 minutes.

Schnader Harrison Segal & Lewis of Cherry Hill, NJ, the law firm representing MRO, states that the fee was entirely legal and consistent with state policy.

The lawsuit cites a 2015 memorandum from the New Jersey Department of Health that prohibits health record providers from charging per-page fees for electronically transmitted copies of medical records, or for records delivered to purchasers by computer. Nonetheless, the memo reportedly does not apply in this lawsuit because the New Jersey Department of Health has no authority over MRO and the memo never went through the state’s formal rule-making process.

The class members are mostly legal professionals and insurance firms who ordered electronic copies of medical records from MRO between September 2015 and February 2020 and were likewise charged for electronic copies of health records in civil cases. The lawsuit names only MRO, not any of the healthcare organizations that use MRO to handle requests for copies of medical records.

Compliance with the New York SHIELD Act Data Security Provisions Required by March 2020

The Governor of New York signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law in July 2019. The SHIELD Act expanded the breach notification requirements for businesses that collect the personal data of New York residents. Its data security provisions took effect on March 21, 2020.

Certain businesses are exempt from the requirements of the New York SHIELD Act, including:

  • small businesses with fewer than 50 employees
  • small businesses with less than $3 million in gross income over the last 3 fiscal years
  • small businesses with year-end total assets under $5 million

For those businesses, the data security program may be scaled to the size and complexity of the business, the nature of its activities, and the sensitivity of the personal information it collects.

For most HIPAA-covered entities, compliance should be straightforward: entities that comply with the Health Insurance Portability and Accountability Act (HIPAA) are deemed compliant with the New York SHIELD Act.

New York SHIELD Act Requirements for HIPAA Covered Entities

HIPAA compliance does not, however, guarantee compliance with the New York SHIELD Act. Although there is some overlap, the SHIELD Act covers different data types than HIPAA. HIPAA-covered entities that collect the personal information of New York State residents must ensure compliance with the SHIELD Act’s data security provisions for those data types. See the picture below.

A good example of where the SHIELD Act applies but HIPAA does not is an IT system that stores employee information, such as Social Security numbers or driver’s license numbers, but no protected health information (PHI). HIPAA does not cover that information, but the SHIELD Act requires reasonable administrative, technical, and physical safeguards to protect it. See the Data Security Requirements of the SHIELD Act in the image below.

National Institutes of Health IT Flaws Put EHR Data at Risk

The Department of Health and Human Services’ Office of Inspector General (OIG) conducted an audit of the National Institutes of Health (NIH). The audit found that technology management problems in NIH’s electronic health record (EHR) system and IT systems put patients’ protected health information (PHI) at risk.

NIH received $5 million in congressional appropriations in FY 2019 to oversee NIH grant programs and procedures. Congress wanted assurance that cybersecurity controls were in place to protect sensitive information, and wanted to determine whether NIH complies with Federal regulations.

CliftonLarsonAllen LLP (CLA) performed the audit on behalf of OIG on July 16, 2019 to assess the effectiveness of selected NIH IT controls and to examine how NIH receives, processes, stores and transmits electronic health records (EHRs) in its Clinical Research Information System (CRIS), which holds the EHRs of NIH Clinical Center patients.

NIH has around 1,300 physicians, PhD researchers and dentists, 830 nurses, and approximately 730 allied healthcare professionals. In 2018, the Clinical Center saw more than 9,700 new patients, more than 4,500 inpatient admissions, and over 95,000 outpatient visits.

CLA found that NIH had implemented controls intended to ensure the integrity, availability and confidentiality of the health information in its EHR and data systems, but those controls were not working effectively. As a result, unauthorized individuals could have accessed information in the EHR system and information systems, leaving data at risk of impermissible disclosure, alteration, and disruption.

The National Institute of Standards and Technology (NIST) recommends that primary and alternate EHR processing sites be geographically separated. Geographic separation reduces the risk of a single incident disrupting both sites and helps ensure that critical operations can be restored after a lengthy outage. OIG found that the primary and alternate sites were located in neighboring buildings on the NIH campus, so a catastrophic event would very likely have affected both sites.

The hardware used for the EHR system was approaching end of life or was on extended support. Four servers ran a Windows operating system that Microsoft had not supported since 2015. NIH had paid for extended support through January 2020, but OIG found no reliable transition plan. OIG also found that NIH was not promptly deactivating user accounts when staff members’ contracts ended or they left NIH. Of 26 user accounts that had been inactive for more than 365 days, 19 had not been deactivated. Of 61 terminated users’ accounts, 9 remained active. Of 25 new CRIS users, 3 had their permissions modified without the form required to document the change.

NIH told CLA that it had postponed software updates until system enhancements were completed. NIH was upgrading its hardware during the fieldwork, with improvements to CRIS expected; software changes were scheduled to follow completion of the hardware upgrade.

NIH had deployed an automated tool to find inactive accounts and remove them, but the tool was not fully implemented during the fieldwork. There were problems with the tool, for instance in tracking individuals who moved between departments.

OIG recommended establishing an alternate processing site in a geographically separate location and taking steps to mitigate the risks of the existing alternate site until the new one is in place. Policies and procedures should be implemented to ensure that software is upgraded before end of life, and NIH must ensure that its automated tool performs as designed. NIH concurred with all recommendations and detailed the actions taken and planned to implement them.
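The two account-hygiene findings above (inactive accounts left enabled, terminated users still active) and the tool’s weakness with staff who change departments can be illustrated with a small review script. This is an added example, not NIH’s or CLA’s tooling; the HR records, accounts, the 365-day threshold and the July 16, 2019 review date are constructed from the figures on the page, and the department-transfer failure is modelled as an HR join keyed on name plus department versus one keyed on a stable employee ID.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data and thresholds (not NIH's real records or tooling).
AS_OF = date(2019, 7, 16)          # CLA fieldwork date given on the page
INACTIVITY_LIMIT_DAYS = 365        # OIG's inactivity threshold

@dataclass
class HrRecord:
    emp_id: str
    name: str
    department: str                # current department per the HR feed
    end_date: Optional[date]       # contract/employment end; None if still current

@dataclass
class Account:
    user: str
    emp_id: str
    name: str
    department: str                # department recorded when the account was provisioned
    last_login: Optional[date]     # None = never logged in
    enabled: bool

def match_by_name_and_department(hr, acct):
    """Naive join: breaks when a person changes department (the failure mode OIG noted)."""
    for r in hr:
        if r.name == acct.name and r.department == acct.department:
            return r
    return None

def match_by_employee_id(hr, acct):
    """Stable-identifier join: survives department transfers."""
    for r in hr:
        if r.emp_id == acct.emp_id:
            return r
    return None

def review(accounts, hr, matcher, as_of=AS_OF):
    """Flag enabled accounts that should have been deactivated, using the given HR matcher."""
    findings = {"terminated_still_active": [], "inactive_not_deactivated": [], "unmatched": []}
    for a in accounts:
        if not a.enabled:
            continue  # already deactivated; nothing to do
        rec = matcher(hr, a)
        if rec is None:
            findings["unmatched"].append(a.user)  # tool cannot decide; needs manual follow-up
            continue
        if rec.end_date is not None and rec.end_date < as_of:
            findings["terminated_still_active"].append(a.user)
        inactive_days = (as_of - a.last_login).days if a.last_login else INACTIVITY_LIMIT_DAYS + 1
        if inactive_days > INACTIVITY_LIMIT_DAYS:
            findings["inactive_not_deactivated"].append(a.user)
    return findings

# Constructed HR feed and account list; Dan and Erin moved from Radiology after provisioning.
HR = [
    HrRecord("E1", "Alice", "Oncology", None),
    HrRecord("E2", "Bob", "Radiology", date(2019, 3, 1)),
    HrRecord("E3", "Carol", "Pharmacy", None),
    HrRecord("E4", "Dan", "Oncology", None),                # transferred, still employed
    HrRecord("E5", "Erin", "Pharmacy", date(2019, 5, 15)),  # transferred, then left
]
ACCOUNTS = [
    Account("alice", "E1", "Alice", "Oncology", date(2019, 7, 10), True),
    Account("bob", "E2", "Bob", "Radiology", date(2019, 2, 20), True),
    Account("carol", "E3", "Carol", "Pharmacy", date(2018, 1, 10), True),
    Account("dan", "E4", "Dan", "Radiology", date(2019, 7, 1), True),
    Account("erin", "E5", "Erin", "Radiology", date(2019, 5, 1), True),
]

if __name__ == "__main__":
    # The naive join cannot place Dan or Erin and so misses Erin's termination.
    print(review(ACCOUNTS, HR, match_by_name_and_department))
    print(review(ACCOUNTS, HR, match_by_employee_id))
```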

New Report Shows the Brands Most Impersonated by Phishers

Vade Secure’s new report lists the 25 brands most frequently impersonated in phishing attacks. The Q4 2019 Phishers’ Favorites report confirms that PayPal remains the most impersonated brand, with 11,392 phishing URLs identified in Q4. PayPal has topped the list for two consecutive quarters. Detections of PayPal phishing URLs rose 23% year-over-year, and new PayPal phishing URLs are being detected at a rate of 124 per day.

Detections of phishing URLs impersonating Facebook also rose. The social media giant climbed to second place, with Microsoft third and Netflix fourth. Facebook phishing URL detections were up 358.8% from Q4 2018.

Although Microsoft is third overall, it is the most frequently impersonated brand in phishing attacks on businesses. Microsoft now has more than 200 million active Office 365 business users, whose Office 365 credentials are a prime target for attackers. Office 365 accounts can contain large amounts of sensitive information and can be used to launch spear-phishing attacks on partners and other staff within the organization.

The most visible change in Q4 was a substantial increase in phishing URLs impersonating WhatsApp, which lifted the Microsoft-operated instant messaging service to fifth place. The 5,020 phishing URLs detected in Q4 represent a 13,467.6% increase over Q3 2019.

Because of the WhatsApp detections, social media companies’ share of phishing URLs rose from 13.1% in Q3 to 24.1% in Q4. Rounding out the top ten were Bank of America (6th), CIBC (7th), Desjardins (8th), Apple (9th), and Amazon (10th). There was also a large increase in phishing URLs impersonating Instagram, up 187.1% in Q4.

Financial services was the most impersonated industry in Q4 for the second consecutive quarter. Although phishers still impersonate large banks, Vade Secure notes that they now favor smaller financial institutions, which may lack strong security controls for detecting brand impersonation.

Vade Secure also reports a marked increase in phishing attacks impersonating note-taking services such as OneNote and Evernote, along with a rise in fake OneDrive and SharePoint notifications that lead to websites hosting phishing kits.

OIG Audit Reveals Widespread Inappropriate Use of Medicare Part D Eligibility Verification Transactions

An audit by the Department of Health and Human Services’ Office of Inspector General (OIG) found that many pharmacies and other healthcare organizations are misusing Medicare beneficiaries’ information.

OIG conducted the audit at the request of HHS’ Centers for Medicare and Medicaid Services (CMS), which wanted to determine whether mail-order and retail pharmacies and other healthcare organizations, such as physicians’ offices, clinics, hospitals and long-term care facilities, were inappropriately accessing and using Medicare beneficiaries’ information.

CMS was concerned that a mail-order pharmacy and other healthcare organizations were not using Medicare Part D Eligibility Verification Transactions (E1 transactions) correctly. E1 transactions are meant to be used solely to verify Medicare beneficiaries’ eligibility for specific coverage benefits.

OIG’s review set out to determine whether E1 transactions were being used only for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or improper purposes.

An E1 transaction has two parts: a request and a response. The healthcare organization submits an E1 request containing its NCPDP provider ID number or NPI together with basic patient demographic details. The request goes to the transaction facilitator, which matches the E1 request data against the information held in the CMS eligibility database. A response is then returned containing the beneficiary’s Part D coverage details.

CMS selected one mail-order pharmacy and 29 other companies for the audit. Of the 30 entities reviewed, 25 used E1 transactions for purposes other than billing for prescriptions or determining the order of drug coverage when a beneficiary had several insurance plans. 98% of those 25 companies’ E1 transactions were not associated with a prescription.

OIG found that companies were obtaining coverage details for beneficiaries who had no prescriptions. Companies were using E1 transactions to evaluate sales leads, several providers had allowed marketing firms to submit E1 transactions for sales purposes, companies were obtaining private insurance coverage information for items not covered under Part D, long-term care facilities had retrieved Part D coverage using batch transactions, and 2 non-pharmacy companies had submitted E1 transactions.

E1 transactions are covered by HIPAA, which applies its minimum necessary standard to them. PHI must be protected against unauthorized access whether it is stored electronically or transmitted between covered entities. The audit findings indicate HIPAA violations and suggest that this may well be a nationwide problem. Based on the audit results and the apparent widespread inappropriate access and use of PHI, OIG plans to expand its reviews nationally.

OIG believes these problems arose because CMS has not fully implemented controls to monitor providers that submit large numbers of E1 transactions relative to the prescriptions they dispense, has not issued clear guidance that E1 transactions must not be used for marketing purposes, and has not restricted non-pharmacy access.

Since the audit, CMS has taken additional steps to monitor for misuse of the eligibility verification system and will take appropriate enforcement action where misuse is identified. OIG has recommended that CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit them.
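The monitoring control OIG says CMS lacks (submitters with many E1 requests relative to prescriptions, non-pharmacy submitters, third-party submissions, and batch eligibility queries) can be expressed as a small rule set over per-submitter activity. This is an added example, not CMS’s or OIG’s logic; the submitter records, the 2:1 E1-to-prescription ratio, the 100-request review floor and the entity-type list are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed monthly activity per submitter (not CMS or OIG data); thresholds are assumptions.
MAX_E1_PER_PRESCRIPTION = 2.0   # assumed: more than 2 eligibility queries per prescription is suspect
MIN_E1_TO_REVIEW = 100          # assumed: skip ratio checks for very low-volume submitters
PHARMACY_TYPES = {"retail_pharmacy", "mail_order_pharmacy"}  # entity types entitled to submit E1s

@dataclass
class SubmitterActivity:
    submitter_id: str          # NCPDP provider ID or NPI carried on the E1 request
    entity_type: str           # e.g. retail_pharmacy, long_term_care, marketing
    e1_requests: int           # E1 eligibility requests submitted in the period
    prescriptions: int         # Part D prescription claims billed in the same period
    batch_requests: int        # E1 requests submitted in batch rather than at point of sale
    submitting_on_behalf: str = ""   # third party (e.g. a marketing firm) using this ID, if any

def assess(rec: SubmitterActivity):
    """Return the control flags raised by one submitter's activity (empty list = clean)."""
    flags = []
    if rec.entity_type not in PHARMACY_TYPES:
        flags.append("non_pharmacy_submitter")
    if rec.submitting_on_behalf:
        flags.append("third_party_submission")
    if rec.e1_requests >= MIN_E1_TO_REVIEW:
        if rec.prescriptions == 0:
            flags.append("e1_without_prescriptions")    # coverage lookups with nothing dispensed
        elif rec.e1_requests / rec.prescriptions > MAX_E1_PER_PRESCRIPTION:
            flags.append("e1_to_prescription_ratio")   # far more lookups than dispensing activity
    if rec.batch_requests > 0:
        flags.append("batch_e1_requests")              # bulk queries, not point-of-sale checks
    return flags

def monitor(records):
    """Map submitter ID -> flags for every submitter that raised at least one flag."""
    report = {}
    for r in records:
        flags = assess(r)
        if flags:
            report[r.submitter_id] = flags
    return report

# Constructed activity records mirroring the behaviours described in the audit.
ACTIVITY = [
    SubmitterActivity("NPI-A", "retail_pharmacy", 1200, 1000, 0),
    SubmitterActivity("NPI-B", "mail_order_pharmacy", 50000, 400, 0),
    SubmitterActivity("NPI-C", "long_term_care", 800, 0, 800),
    SubmitterActivity("NPI-D", "retail_pharmacy", 3000, 0, 0, submitting_on_behalf="marketing firm"),
    SubmitterActivity("NPI-E", "retail_pharmacy", 40, 0, 0),
]

if __name__ == "__main__":
    for submitter, flags in monitor(ACTIVITY).items():
        print(submitter, flags)
```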

Email Security Breaches at Shields Health Solutions and Lafayette Regional Rehabilitation Hospital

Shields Health Solutions Email Account Breach

Shields Health Solutions of Stoughton, MA provides specialty pharmacy services to hospitals and other covered entities. Unauthorized access to an employee’s email account may have allowed the attacker to view or copy protected health information (PHI) held in the account.

Shields Health Solutions detected suspicious activity in the employee’s email account on October 24, 2019. A cybersecurity firm investigated and determined that an unauthorized individual had accessed the account from October 22 to October 24, 2019. Only one email account was affected.

Emails and attachments in the account contained patient names, dates of birth, provider names, medical record numbers, clinical information, prescription information, insurance company names, and limited claims information. No evidence was found that the attacker accessed or copied patient data.

Shields Health Solutions strengthened its email security by implementing multi-factor authentication on all employee email accounts, and mailed notification letters to affected individuals on December 16, 2019. The breach has not yet been posted on the HHS’ Office for Civil Rights (OCR) breach portal, so the number of affected individuals is not yet known.

Lafayette Regional Rehabilitation Hospital Email Breach

In July 2019, Lafayette Regional Rehabilitation Hospital in Lafayette, IN learned of unauthorized access to an employee’s email account that potentially exposed patients’ PHI.

As soon as the hospital learned of the breach on November 25, 2019, it launched an investigation to determine whether unauthorized persons had viewed any patient information. It could not be confirmed that the attackers viewed or copied patient data, but the possibility could not be ruled out. The compromised email account contained names, dates of birth, clinical information and treatment details relating to services received at the hospital. Several patients’ Social Security numbers were also exposed.

On January 24, 2019, the hospital mailed breach notification letters to affected patients and offered free credit monitoring services to those whose Social Security numbers were exposed. Lafayette Regional Rehabilitation Hospital has also improved its email security and reinforced security awareness training for employees.

The breach report submitted to OCR states that approximately 1,360 patients were affected.

5,000+ Individuals Impacted by Phishing Attacks on Phoenix Children’s Hospital, VillageCareMAX and VillageCare Rehabilitative and Nursing Center

Village Senior Services Corporation, also known as VillageCareMAX (VCMAX), and Village Center for Care, also known as VillageCare Rehabilitative and Nursing Center (VRNC), experienced a business email compromise (BEC) attack. In a BEC attack, a threat actor impersonates an executive, either by using the executive’s real email account, compromised in an earlier attack, or by spoofing the executive’s email address.

An unauthorized individual posing as a member of the executive staff requested sensitive data on VCMAX members and VRNC patients. An employee believed the request was legitimate and sent the requested information. On December 30, 2019, VCMAX and VRNC were notified of a potential BEC attack.

The investigation confirmed that the request was fraudulent and that sensitive information on VCMAX members and VRNC patients had been impermissibly disclosed. The data included the names and Medicaid ID numbers of 2,645 VCMAX members, and the first and last names, dates of birth, insurer names, and insurance ID numbers of 674 VRNC patients.

No reports of misuse of personal data have been received, but all affected individuals have been advised to remain vigilant and to monitor their explanation of benefits statements, accounts and credit reports for signs of fraudulent activity. VCMAX and VRNC are reviewing their policies and procedures and will make improvements to prevent similar attacks in the future.

Phoenix Children’s Hospital Phishing Attack

Phoenix Children’s Hospital suffered a targeted phishing attack between September 5 and September 20, 2019 that resulted in the compromise of seven hospital employees’ email accounts.

After discovering the breach, the hospital engaged a leading computer forensics firm to determine its scope. On November 15, 2019, it was confirmed that the compromised email accounts contained the protected health information (PHI) of 1,860 current and former patients. The attackers may have accessed or downloaded the information, which included names, personal information, and Social Security numbers, along with some medical information for certain patients.

Phoenix Children’s Hospital began mailing breach notification letters to affected patients on January 14, 2020, and offered free credit monitoring and identity theft protection services to patients whose Social Security numbers were potentially compromised.

Patients Want Easy Health Data Access But Prefer Stronger Privacy Protections

A new survey conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP) found that patients want quick access to their health information, presented in a brief, easy-to-understand format. Patients and consumers are also well aware that cyberattacks and data breaches can expose their private health data: 62% of respondents said they would give up easy access to their health information in exchange for stronger privacy protections.

In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. Several agencies, including the Department of Health and Human Services, the Department of the Treasury and the Department of Labor, responded by proposing a new Transparency in Coverage Rule. The rule requires employer-based group health plans and health insurers offering group and individual coverage to disclose price and cost-sharing information to participants, enrollees, and beneficiaries up front.

With that information, patients can see how much they will need to pay to meet their plan’s deductible, co-insurance or co-pay requirements, and can easily compare costs.

The cost of healthcare procedures is a major concern for patients. 52% of respondents said they were very likely, and 22% somewhat likely, to research the cost of a medical procedure or service covered by their health plan. 68% said they were very likely or somewhat likely to choose a cheaper medical procedure than the one their physician recommended, and 66% said they would consider seeing a specialist other than the one their doctor recommended if the quality of care were the same at a lower price.

Although quick access to cost information and greater transparency are welcome, 3 in 4 respondents said they would not support a federal rule that improves transparency but also raises insurance premiums.

When it comes to information on medical treatments, patients prefer easy-to-understand data over complete data: 82% of adults said they value apps and websites with concise, easy-to-understand information about medical treatment more than complete information that is hard to understand.

The survey also found strong support for HIPAA-like federal laws for technology companies that collect or receive health information. 90% of respondents said tech firms should have to comply with strict privacy and security requirements, as healthcare providers do.

More Patients Affected by Health Quest Phishing Attack in 2018

Health Quest, now part of Nuvance Health, has learned that the July 2018 phishing attack was more extensive than first believed.

Some staff members were tricked by phishing emails into disclosing their email account credentials, allowing unauthorized individuals to access their accounts. A leading cybersecurity firm assisted with the investigation to determine whether patient data had been breached.

In May 2019, Health Quest determined that emails and attachments in the compromised accounts contained the protected health information (PHI) of 28,910 patients, and the health system sent notification letters to those individuals. The compromised accounts contained patient names, contact details, claims data, and some medical information.

A further investigation determined on October 25, 2019 that another employee email account containing PHI had been compromised. According to the substitute breach notice posted on the Health Quest website, the compromised information varied from patient to patient, but may have included names together with one or more of the following data elements:

Dates of birth, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), Social Security numbers, provider name(s), treatment dates, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims data, financial account information with PIN/security code, and payment card data.

No evidence was uncovered that unauthorized individuals viewed patient information, and no reports of misuse of patient data have been received. As a precaution, Health Quest mailed a further notification letter to patients on January 10, 2020.

In response to the breach, Health Quest has implemented multi-factor authentication for email accounts, hardened its security systems, and provided staff with additional training on phishing and other cybersecurity issues.

It is not clear how many additional patients were affected. The number of affected individuals listed on the HHS’ Office for Civil Rights breach portal remains 28,910.

Microsoft Finally Ends Support for Windows 7

As of January 14, 2020, Microsoft no longer supports Windows 7, Windows Server 2008, and Windows Server 2008 R2, and will release no further patches for vulnerabilities in those operating systems. Office 2010 is also no longer supported.

Microsoft will issue a final update for the operating systems on January 14, 2020 to fix all known vulnerabilities, but it will only be a matter of time before cybercriminals find exploitable vulnerabilities that can be used to steal data and install malware.

Although Microsoft announced the end of life of the operating system long ago, Windows 7 remains the second most widely used operating system after Windows 10. NetMarketShare reported that in December 2019, 33% of all desktop and laptop computers were running Windows 7.

Many healthcare organizations still use Windows 7 on some devices. Continuing to use those devices without support increases the risk of cyberattacks and, consequently, of HIPAA Security Rule violations.

The obvious solution is to upgrade from Windows 7 to Windows 10, but that is not always easy. Besides purchasing licenses and updating the OS, hardware may also need upgrading, and some applications may not run on newer operating systems. The upgrade is therefore a major undertaking that can take considerable time.

If Windows 7 and Windows Server 2008 systems cannot be upgraded, steps must be taken to secure the devices, reduce the likelihood of a compromise, and limit the impact of a cyberattack.

To reduce the likelihood of a compromise, the following best practices should be followed:

Prevent Windows 7 devices from connecting to untrusted content. The devices should not be used for browsing the web or accessing email, and removable media and portable storage devices should not be used with them.

Remove local administrator rights from all Windows 7 devices and strengthen firewall protection. Do not use the devices to access sensitive information such as protected health information (PHI), and move any sensitive data stored on them to devices running supported operating systems.

Malware infections are more likely on devices running unsupported operating systems. Install up-to-date anti-virus software, scan the devices for malware regularly, and monitor them for signs of attack.

Microsegmentation can limit the damage in the event of a compromise. All devices running unsupported operating systems should be isolated from other systems and allowed to connect only to the critical services they need. Remove their access to core servers and systems. Review and update business continuity plans to ensure that critical business operations can continue in the event of a compromise. Extended support is expensive, but it is strongly recommended.

These measures reduce risk but do not eliminate it. Organizations should therefore accelerate their plans to upgrade their operating systems and hardware. Running a supported OS is the only way to fully secure the devices.
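The best-practice list above can be turned into a repeatable check against an asset inventory, so that every remaining Windows 7 or Server 2008 device is triaged against the same rules (extended support, PHI storage, local admin rights, segmentation, outbound access, untrusted content, removable media). This is an added example, not any organization’s tooling; the inventory records, the "legacy-isolated" segment name and the allowed-service list are constructed assumptions, and the end-of-support date is the January 14, 2020 date given on the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed inventory and rules (not any organization's real asset data).
END_OF_SUPPORT = {                        # end-of-support date given on the page
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}
ISOLATED_SEGMENT = "legacy-isolated"                          # assumed name of the microsegment
ALLOWED_OUTBOUND = {"ehr-interface", "print-server", "av-update"}  # assumed critical services

@dataclass
class Device:
    hostname: str
    os: str
    extended_support: bool          # paid extended support in place
    stores_phi: bool                # PHI still held locally
    local_admins: List[str]         # accounts holding local administrator rights
    network_segment: str
    outbound_services: List[str]    # services the device can reach
    browser_or_email_allowed: bool  # can reach web/email (untrusted content)
    removable_media_allowed: bool

def is_unsupported(dev: Device, as_of: date) -> bool:
    """True once the OS is past end of support and no extended support covers it."""
    eos = END_OF_SUPPORT.get(dev.os)
    return eos is not None and as_of >= eos and not dev.extended_support

def assess(dev: Device, as_of: date) -> List[str]:
    """Apply the page's checklist to one legacy device; empty list = compliant with it."""
    findings = []
    if is_unsupported(dev, as_of):
        findings.append("unsupported_os_no_extended_support")
    if dev.stores_phi:
        findings.append("phi_on_legacy_device")
    if dev.local_admins:
        findings.append("local_admin_rights_present")
    if dev.network_segment != ISOLATED_SEGMENT:
        findings.append("not_microsegmented")
    extra = set(dev.outbound_services) - ALLOWED_OUTBOUND
    if extra:
        findings.append("unneeded_outbound_access:" + ",".join(sorted(extra)))
    if dev.browser_or_email_allowed:
        findings.append("untrusted_content_reachable")
    if dev.removable_media_allowed:
        findings.append("removable_media_allowed")
    return findings

def triage(devices: List[Device], as_of: date = date(2020, 1, 15)) -> Dict[str, List[str]]:
    """Report findings for every device on an end-of-support OS; supported OSes are skipped."""
    return {d.hostname: assess(d, as_of) for d in devices if d.os in END_OF_SUPPORT}

# Constructed inventory: one badly exposed workstation, one properly contained, one server, one Win10.
DEVICES = [
    Device("WS-RAD-01", "Windows 7", False, True, ["tech1"], "clinical-lan",
           ["ehr-interface", "file-share"], True, True),
    Device("WS-LAB-07", "Windows 7", True, False, [], ISOLATED_SEGMENT,
           ["ehr-interface"], False, False),
    Device("SRV-OLD-02", "Windows Server 2008 R2", False, False, [], ISOLATED_SEGMENT,
           ["av-update"], False, False),
    Device("WS-NEW-11", "Windows 10", False, True, [], "clinical-lan",
           ["ehr-interface"], True, False),
]

if __name__ == "__main__":
    for host, findings in triage(DEVICES).items():
        print(host, findings or "ok")
```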