CarePointe ENT Resolves HIPAA Lawsuit with Indiana Attorney General
At the end of September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack that resulted in a data breach affecting 48,742 individuals. The settlement reached requires CarePointe to pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state data privacy and security laws.
CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers located in Munster, Merrillville, and Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT suffered a ransomware attack that led to data theft and encryption. The stolen information included names, addresses, birth dates, Social Security numbers, health insurance information, and health data. Affected individuals were notified of the breach in August 2021.
AG Rokita investigated the attack to determine whether CarePointe ENT had complied with the requirements of HIPAA and state regulations. Despite stating that it was committed to protecting patient data, CarePointe ENT was found not to have implemented appropriate security measures, performed the required risk analyses, or addressed identified security risks promptly.
CarePointe ENT engaged a third-party IT company that performed a HIPAA risk analysis and identified security issues in January 2021. Remediation of the discovered vulnerabilities began in March, but they were not resolved within a reasonable period. The ransomware attack in June 2021 exploited some of the unaddressed vulnerabilities. In addition to failing to resolve the identified security problems, CarePointe ENT did not sign a business associate agreement with the IT company, even though the company had been given access to systems containing PHI.
AG Rokita’s lawsuit included one count of each of the following allegations:
- failing to comply with the HIPAA Security Rule
- failing to comply with the HIPAA Privacy Rule
- failing to comply with the Indiana Disclosure of Security Breach Act (DSBA)
- failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA)
CarePointe ENT agreed to settle the alleged violations of HIPAA and state regulations without admitting wrongdoing. Under the terms of the settlement, CarePointe ENT will pay a financial penalty of $125,000 to the state and will ensure full compliance with the HIPAA Privacy and Security Rules and the DSBA and DCSA with respect to the protection of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, integrity, and confidentiality of PI, PHI, and ePHI.
The settlement agreement requires the following privacy and security measures:
- Implementing a comprehensive data security program
- Designating a HIPAA Security Officer to oversee that program
- Implementing technical safeguards and controls to ensure the privacy and security of patient information
- Creating an incident response plan and testing that plan through tabletop exercises
- Creating policies and procedures governing business associate agreements
- Providing privacy and security training to all employees with access to PI, PHI, or ePHI
Lawsuit Seeks Clarification on Legitimacy of Missouri AG Request for Clinical Records of Transgender Patients
Washington University (WU) is asking the court to rule on whether Missouri Attorney General Andrew Bailey has the legal authority to obtain the electronic health records of WU Transgender Center patients. On February 23, 2023, AG Bailey issued civil investigative demands requiring WU to provide files and electronic health records of Transgender Center patients for his investigation of the center’s procedures.
The investigation was prompted by a whistleblower, Jamie Reed, who signed an affidavit to the Attorney General regarding her work as a case worker at the WU Transgender Center in St. Louis Children’s Hospital. According to Reed, the Transgender Center had caused permanent harm to many of its patients through the treatments it prescribed. She stated that medical providers at the Transgender Center lied about treatment, the absence of treatment, and the effects treatment would have. She claimed that center staff prescribed puberty blockers and cross-sex hormones after two hour-long visits, without full, informed parental consent or a proper assessment of a child’s needs. She reported that children had suffered alarming injuries from the prescribed medications and that adverse outcomes were not monitored. Reed additionally stated that the Transgender Center had used incorrect treatment codes to get public and private insurance plans to cover the procedures. The families of some Transgender Center patients questioned Reed’s statements. A former employee, Jess Jones, said her experience at the center differed from Reed’s, and that many patients were told it would take years before they could receive treatment.
AG Bailey opened an investigation, with the support of the Division of Professional Registration and the Missouri Department of Social Services, and issued civil investigative demands for patient records. AG Bailey maintains that the Missouri Merchandising Practices Act (MMPA) authorizes him to access the electronic health records of WU Transgender Center patients for the purposes of the investigation. The MMPA is consumer protection legislation that addresses false advertising. WU has partly complied with the civil investigative demand, providing files related to advertising, but has gone to court over the demand for electronic medical records, which WU says falls outside the scope of the MMPA.
Certain statements by the attorney general have led Washington University to question whether all of the demands (including those currently at issue) are properly covered by the MMPA. Those statements indicated that the investigation concerned medical decision-making rather than sales or advertising. Some patients are concerned about the disclosure of their records and do not want their data handed over to the Attorney General and potentially made public. The lawsuit asks Judge Jason Sengheiser to rule on whether AG Bailey’s investigative demands are legitimate and, if so, to what extent, so that the request can be modified accordingly.