The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.
Although HIPAA is often a key focus, healthcare organizations must not lose sight of the various state reporting requirements applicable to their business. For those healthcare organizations that store data about Alabama residents, take a look here for some key provisions of the newly minted “Alabama Data Breach Notification Act of 2018,” such as scope, notice requirements, and potential penalties.
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4 that it was the latest victim of a cyber-attack, this one affecting 2.2 million individuals. When did the attack occur? Months ago.
The breach occurred as early as October 3rd of last year, when a hacker accessed a database containing current and former patient names, Social Security numbers, physician names, diagnosis and treatment information, and insurance information. The FBI informed the company of the possibility of a breach in November of 2015, prompting the company’s investigation. After a five-month delay, requested by the FBI, the company announced the breach (see HERE) and is offering patients one year of identity theft protection services.
In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on July 17, 2015, that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results). Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.
On July 21, 2015, UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.
According to its press release, UCLA determined on May 1, 2015, that the attackers had accessed UCLA’s network. Interestingly, UCLA notes that it had detected suspicious activity on its network in October of 2014, at which time it began working with the FBI to investigate the breach. At the time, UCLA did not believe that the attackers had access to the part of its network that contained personal information. However, as of May 5, 2015, UCLA concluded that the hackers may have had access to personal information as far back as September of 2014. UCLA has made identity protection and credit monitoring services available to potentially impacted individuals.
The class action claims that the breach was a direct result of UCLA’s failure to take “basic steps” to safeguard the sensitive information. One of these “basic steps,” the plaintiff argues, is the encryption of UCLA’s patient information.
Written by Kimberly Gold
Individuals who access protected health information without authorization may be found guilty of a misdemeanor even if they lack knowledge that their actions are illegal.
On May 10, the U.S. Court of Appeals for the Ninth Circuit affirmed the conviction of Huping Zhou, a former research assistant at the University of California at Los Angeles Health System (“UHS”), who had been charged by information in United States District Court with violating Section 1320d-6 (the “Wrongful Disclosure Section”) of the Health Insurance Portability and Accountability Act (HIPAA). The section provides that any person who “knowingly and in violation of this part…obtains individually identifiable health information relating to an individual” is subject to a misdemeanor punishable by a fine of not more than $50,000 and/or imprisonment for not more than one year.
Zhou was charged under subsection (a)(2) of the Wrongful Disclosure Section for “knowingly” accessing patients’ medical records with no permitted justification after he was terminated from UHS for performance-related reasons. According to a 2010 statement, Zhou illegally accessed patient records 323 times during a three-week period, including the records of his immediate supervisor, co-workers, and well-known celebrities. Zhou admitted in his plea agreement to accessing patient records on four specific occasions after his termination. Zhou was the first individual convicted of, and incarcerated for, misdemeanor HIPAA offenses for accessing confidential patient records without a valid reason or authorization.
On appeal, Zhou argued that a defendant cannot be guilty of violating HIPAA if he did not know that obtaining the protected health information was illegal. The court rejected his argument, finding that it “contradicts the plain language of HIPAA.” The court held that the word “and” clearly provides that there are two elements of a Wrongful Disclosure Section violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of HIPAA.
The court stated that “the term ‘knowingly’ applies only to the act of obtaining the health information” and that the defendant need only know that he obtained individually identifiable health information relating to an individual in order to be found guilty of violating the statute.
Every provider must develop and implement policies designed to ensure that terminated employees cannot access the provider’s systems, including those containing protected health information. Referencing this case in the course of employee training will further drive the point home and reinforce the importance of preventing unauthorized access to protected health information.