[author: Jane Anderson]

Report on Patient Privacy 22, no. 1 (January, 2022)

◆ New Jersey issued its third settlement in three months on state-level health care privacy and security laws, announcing that three cancer care providers would adopt new security measures and pay $425,000 to settle an investigation into two data breaches.^[1] Acting Attorney General Andrew Bruck said that Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, RCCA) experienced breaches that potentially exposed personal and protected health information of 105,200 consumers, including 80,333 New Jersey residents. The first data breach occurred “when several RCCA employee email accounts were compromised through a targeted phishing scheme that allowed unauthorized access to patient data stored on those accounts in April-June 2019. The protected information exposed included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers,” the state said. “Then, in July 2019, in the course of notifying clients of the initial breach, RCCA improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin. As a result of this second breach, family members of those cancer patients were informed of their relatives’ illnesses without their consent,” the state explained. “The settlement consists of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs.” Although RCCA disputes the allegations, it has agreed to additional privacy and security measures, including implementing and maintaining a comprehensive information security program; developing, implementing and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, and respond to security incidents; conducting training; employing a chief information security officer; and obtaining a third-party independent professional to assess patient data policies and practices. In October, Bruck announced two settlement agreements that included payments and additional security measures.^[2]

◆ The Maryland Department of Health (MDH) servers reporting positive COVID-19 cases were taken offline following a cyberattack in early December.^[3] According to the department, it detected “unauthorized activity involving multiple network infrastructure systems” on Dec. 4. “Immediate countermeasures were implemented to contain the incident, and servers were taken offline to protect the network,” the department said. “Because of the state’s aggressive cybersecurity strategy, and the use of MD THINK and other cloud-based services, many of the department’s core functions were not affected. There continues to be no evidence that any data was compromised. In order to prevent additional damage and avoid compromising sensitive health information, we are being methodical and deliberate in restoring network systems while prioritizing health and human safety functions.” By Jan. 2, the state said, “approximately 95% of state-level surveillance data are restored. MDH continues to work to reinstate the full COVID-19 dataset. Previously restored vaccine, hospitalization, case surveillance and congregate and school outbreak data reports hosted on coronavirus.maryland.gov datasets remain up to date. MDH and our agency partners are intensely focused on the full restoration and reporting of surveillance data, taking into account all of the steps and protocols involved.”

◆ Planned Parenthood Los Angeles is facing a potential class-action lawsuit after a cyberattack exposed the health information of more than 400,000 patients.^[4] A patient brought suit against the health care provider in early December, “alleging that she suffered anxiety and stress as a result of the breach,” according to a news report. The lawsuit alleges that Planned Parenthood Los Angeles violated state and federal privacy laws by failing to provide adequate safeguards against hacking incidents. The ransomware attack may have begun as early as Oct. 9 and was discovered on Oct. 17, Planned Parenthood Los Angeles said in a letter to patients reporting the potential breach. Some files were exfiltrated from the provider’s system, the letter said.^[5] The data potentially exposed included patient names; dates of birth; addresses; insurance identification numbers; and clinical data such as diagnosis, treatment and prescription information.

◆ The Rhode Island Public Transit Authority (RIPTA) health insurance billing plan experienced a breach that potentially exposed data for around 12,700 state workers.^[6] RIPTA has begun sending letters to state employees notifying them that files were accessed related to the state’s health insurance billing plan that contained their personal information. The attack was identified in August, and RIPTA is offering those affected free identity monitoring services. The Rhode Island attorney general’s office is investigating the breach.

◆ Monongalia Health System Inc. (Mon Health) in Morgantown, West Virginia, is notifying patients about an email phishing incident that may have resulted in unauthorized access to emails and attachments.^[7] Mon Health said it “became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor’s email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers.” The subsequent investigation confirmed that the incident did not involve its electronic medical records system. Unauthorized individuals gained access to the email accounts between May 10 and Aug. 15. “Based on its investigation, Mon Health believes the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information,” the health system said. “That said, Mon Health cannot rule out the possibility that emails and attachments to the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident.”

◆ The American Medical Association (AMA) is urging developers of health apps to safeguard patient privacy and has released a new guide on data governance and equitable digital health data collection for developers to reference.^[8] AMA noted that the ability to collect and track health and wellness data has had positive benefits, allowing providers to more closely monitor conditions and “proactively engage with patients around their health concerns.” However, the AMA noted, “health insurers have used information from wearable devices to deny claims for reimbursement, employers have used access to health information that employees may not be aware of to make employment decisions, and data brokers seek to collect more and more of this information to create in-depth profiles of individuals that serve as gatekeepers to opportunities for housing and more.” The AMA said its data guidelines “aim to help technology developers navigate this space so that patients and clinicians can make informed choices about privacy.”

◆ San Juan Regional Medical Center in Farmington, New Mexico, faces a class-action lawsuit over a 2020 data breach.^[9] “The suit claims the hospital was negligent in its handling of patients’ personal information, resulting in the exposure of health information and other sensitive private data” for 68,792 individuals, according to a news report. Compromised data included names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial account numbers, passport numbers, driver’s license numbers, health insurance information and medical information. The complaint includes multiple accusations against the hospital and details how the breach has adversely affected patients.

1 New Jersey Division of Consumer Affairs, “New Jersey Health Care Providers Will Adopt New Security Measures and Pay $425,000 to Settle Investigation into Two Data Breaches,” news release, December 15, 2021, https://bit.ly/3sMnKwF.
2 Jane Anderson, “New Jersey Latest to Target Privacy Violations: Printers to Pay $130,000 to Settle 2016 Breach,” Report on Patient Privacy 21, no. 12 (December 2021), https://bit.ly/3eLrHcN.
3 Maryland Department of Health, “Updates: Maryland Department of Health Network Security Incident,” incident update, January 3, 2022, https://bit.ly/32Vccfr.
4 Sam Dorman, “Planned Parenthood of Los Angeles faces class-action lawsuit after data breach,” Fox News, December 17, 2021, https://fxn.ws/3qHrjl5.
5 “Notice of Patient Privacy Incident,” Planned Parenthood Los Angeles, November 2021, https://bit.ly/3qHbWJl.
6 Eli Sherman and Ted Nesi, “AG’s office examining RIPTA data breach affecting over 12,000 state workers,” WPRI.com, December 29, 2021, https://bit.ly/3EQlVRA.
7 Monongalia Health System Inc., “Monongalia Health System, Inc. Investigates and Addresses Data Security Incident,” news release, December 21, 2021, https://prn.to/3sRp15I.
8 American Medical Association, Privacy Is Good Business: A case for privacy by design in app development, December 2021, https://bit.ly/3zpAOJB.
9 Joshua Kellogg, “Nearly 69,000 affected in San Juan Regional data breach,” Albuquerque Journal, December 14, 2021, https://bit.ly/3HsS9Ed.

[View source.]