OCR Issues $350,000 Penalty to Arkansas Business Associate for Impermissible ePHI Disclosure
The HHS Office for Civil Rights (OCR) has reached a settlement with an Arkansas business associate over the impermissible disclosure of the electronic protected health information (ePHI) of more than 230,000 individuals, caused by its failure to secure a File Transfer Protocol (FTP) server. The business associate, MedEvolve, Inc. of Little Rock, AR, provides revenue cycle management, practice management, and practice analytics software to HIPAA-regulated entities. Because of the nature of MedEvolve’s business, its HIPAA-regulated entity clients give it access to ePHI, and under HIPAA MedEvolve must ensure that data is protected at all times.
In July 2018, MedEvolve notified OCR of a configuration error on an FTP server. The investigation showed that the server held the ePHI of 230,572 individuals, which could be viewed openly online with no authentication. The breach affected two HIPAA-regulated entities:
- 204,607 individuals from Premier Immediate Medical Care, LLC
- 25,965 individuals from Dr. Beverly Held
The compromised data included names, phone numbers, billing addresses, medical insurance company data, physician’s office account numbers, and the Social Security numbers for some individuals.
OCR started an investigation and found three potential HIPAA Rules violations:
- 45 C.F.R. § 164.502(a) – An impermissible disclosure of the ePHI of 230,572 persons
- 45 C.F.R. § 164.502(e)(1)(ii) – Doing business with a subcontractor without signing a business associate agreement
- 45 C.F.R. § 164.308(a)(1)(ii)(A) – Failing to conduct a sufficiently comprehensive and accurate evaluation of potential risks to the integrity, confidentiality, and availability of ePHI
MedEvolve resolved the case without admitting liability or wrongdoing and paid the $350,000 financial penalty. The settlement also includes a corrective action plan that requires MedEvolve to conduct accurate and comprehensive risk assessments, develop risk management plans to address identified risks, create, implement, and maintain policies and procedures for complying with the HIPAA Privacy and Security Rules, and provide its workforce with HIPAA and security training.
Ensuring that security measures are in place to protect ePHI wherever it is stored is a fundamental element of cybersecurity and of protecting patient privacy. HIPAA-regulated entities should make sure that patient health data is not left exposed on network servers that are publicly accessible from the Internet.
This is OCR’s fourth HIPAA penalty issued this year. The three previous HIPAA penalties involved the following HIPAA-covered entities:
- David Mente, MA, LPC – $15,000 financial penalty
- Life Hope Labs, LLC – a $16,500 financial penalty to resolve HIPAA Right of Access violations,
- Banner Health – a $1,250,000 financial penalty to resolve multiple HIPAA Security Rule violations
Multiple Class Action Data Breach Lawsuits Filed Against NextGen Healthcare
A healthcare data breach involving more than 1 million records is sure to result in multiple lawsuits, and the NextGen Healthcare data breach is no different. After the company announced the data breach on May 5, about a dozen lawsuits were filed in federal court in Georgia.
The data breach was a hacking incident in which stolen credentials were used to access a database containing sensitive patient information such as names, addresses, birth dates, and Social Security numbers. According to the investigation, the hackers obtained the credentials from other sources, not from NextGen. NextGen detected the breach on March 30, 2023, and forensic investigators confirmed that the hackers had access to its network from March 29, 2023, to April 14, 2023. This is NextGen’s second data breach report this year; the first incident was a BlackCat ransomware attack. NextGen informed the Maine Attorney General that the data breach affected 1,049,375 individuals, and the victims were offered free credit monitoring services.
All of the lawsuits were filed against NextGen in the United States District Court for the Northern District of Georgia, Atlanta Division. The allegations are the same in each: NextGen failed to protect the sensitive information of patients. The lawsuits state that NextGen should have known of the high risk of data breaches, since federal agencies have issued multiple warnings about cybersecurity threat groups targeting the healthcare industry, and there has been substantial media coverage of healthcare data breaches. Additionally, NextGen had experienced a ransomware attack only a couple of weeks earlier and ought to have recognized the need to improve its security.
The lawsuits also question the time it took (two weeks) to contain the breach after it was detected, the delay in sending notification letters to affected individuals, and the failure to include enough information about the data breach in the notification letters for victims to understand the level of risk they face. The lawsuits state that the breach victims have already encountered problems and will face a continuing risk of identity theft and fraud for a long time. The plaintiffs seek a jury trial, class action status, damages, legal fees, and injunctive relief, including a court order prohibiting NextGen from engaging in unlawful practices and requiring it to improve its data security practices.
Ransomware Attack at People Incorporated of Sequoyah County
People Incorporated of Sequoyah County (People Inc), which provides behavioral health, anger management, and addiction recovery services in Sallisaw, OK, recently discovered that an unauthorized third party gained access to the sensitive information of 8,725 current and former patients in a ransomware attack.
People Inc detected the incident on March 6, 2023, and a forensic investigation confirmed that an unauthorized person had access to some of its systems from March 2 to March 6, 2023. During that time, files containing patient data were exfiltrated. The files included names, care plans, visit details, billing data, and Social Security numbers.
The provider recently mailed notification letters to the affected individuals and offered them free credit monitoring and identity theft protection services. People Inc has also taken steps to strengthen the security of its systems to prevent similar incidents in the future.