Maria Perez

Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.

PHI Exposed in Email Security Incidents at Discovery Practice Management and Peoples Community Health Clinic

Discovery Practice Management Alerts Folks Regarding June 2020 Email Incident

Discovery Practice Management, a provider of administrative support services to the California-based Cliffside Malibu and Authentic Recovery Center facilities, has issued notices that unauthorized persons obtained access to the email system it provides for those companies.

Suspicious email activity was noticed in the email environment on July 31, 2020. An investigation into the incident was started, which revealed unauthorized logins to personnel email accounts at the two facilities between June 22, 2020 and June 26, 2020.

The accounts were quickly secured and a third-party cybersecurity company was engaged to look into the breach, but it wasn’t possible to verify whether or not protected health information (PHI) in the accounts was viewed or copied.

The PHI probably exposed included names, dates of birth, addresses, patient account numbers, medical record numbers, health insurance data, financial account/payment card details, driver’s license numbers, Social Security numbers, and clinical data, for instance, diagnosis, treatment details, and doctor-prescribed medicine data.

The company mentioned in its breach notification letter to the California Attorney General that it coordinated with both practices to affirm the contact data for the 13,611 people whose details were possibly compromised. That procedure was done on June 2, 2021. Individuals affected by the breach have now been advised and have been provided a complimentary one-year membership to credit monitoring and identity theft protection support.

Discovery Practice Management believes the attack was not carried out to steal patient records; rather, it is assumed to have been intended to redirect invoice payments. Steps have already been taken to boost email security, and improved training has been given to the facilities’ employees to help them recognize and stay clear of suspicious email messages.

Email Account Breach at the Peoples Community Health Center

Peoples Community Health Center based in Waterloo, IA learned that an unauthorized person had accessed the email account of an employee. The provider discovered the suspicious email activity on March 22, 2021 and had third-party cybersecurity professionals investigate the incident to find out the nature and extent of the breach.

The investigation established that an unauthorized individual had accessed only one email account from March 18, 2021 to March 22, 2021. An analysis of the account’s emails and file attachments was done on May 24, 2021. It was determined that these types of data were possibly exposed:

Names, dates of birth, addresses, Social Security numbers, driver’s license numbers, state ID numbers, medical diagnoses, medical treatment data, medical insurance details, payment card numbers and/or payment card CVV/expiration date.

Impacted persons are being informed via mail, and steps were taken to avoid similar breaches later on, which include reviewing and improving policies and guidelines and giving the employees more training.

No Private Cause of Action Under HIPAA, although Probable Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has made a decision that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to deal with improper disclosures of protected health information (PHI); nevertheless, the ruling indicates there is possibly a cause of action with the 14th amendment in case of violation of an individual’s privacy.

The case, Payne v. Taslimi, referred to Jahal Taslimi as the defendant and Christopher N. Payne as the plaintiff. Taslimi is a prison doctor while Payne was an inmate at the Deep Meadow Correctional Center. Payne filed a case against Taslimi alleging improper disclosure of his confidential health data. Payne claimed Taslimi went to his bed and said that he had not taken his HIV medication using a voice that is loud enough for other people to hear. Payne alleged staff members, other inmates, and civilians had heard the doctor.

In the legal action, Payne stated his health records were private and Taslimi had violated his HIPAA rights at Deep Meadow Correctional Center, as per the 14th Amendment privacy conditions. The district court dismissed Payne’s allegations; however, Payne filed an appeal.

The Court of Appeals for the Fourth Circuit agreed with the district court decision and stated there was no private cause of action with HIPAA. The court additionally confirmed the district court’s decision to dismiss the claim of a breach of the 14th Amendment.

In the judgment, the Court of Appeals stated that a breach of the 14th Amendment depended on whether or not Payne had “a reasonable expectation of privacy” in relation to the information about his HIV prescription drugs. Considering that Payne was a prisoner at Deep Meadow Correctional Center, the court decided that Payne didn’t have enough reasonable expectation of privacy with regard to his diagnosis and treatment program, particularly since the data was concerning a communicable disorder.

The court decided that the test in this kind of scenario is whether there is a compelling government interest that is more important than the plaintiff’s privacy interest. The judgment indicates there could be a cause of action as per the 14th Amendment where there was a disclosure of private medical data and no compelling government interest.

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Settle a HIPAA Right of Access Case

The HHS’ Office for Civil Rights and The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) reached a settlement of a probable HIPAA Right of Access violation. This is the 8th financial penalty issued by OCR in 2021 for settling violations of HIPAA Rules. It is additionally the 19th settlement related to OCR’s HIPAA Right of Access enforcement project, which commenced at the end of 2019.

Healthcare provider DELC, which is located in West Virginia, specializes in the therapy of endocrine illnesses. In August 2019, OCR received a complaint concerning DELC’s supposed failure to act promptly on a request by the complainant for a copy of protected health information (PHI). The HIPAA Privacy Rule requires healthcare companies to give a person his/her copy of PHI in a particular file format within 30 days of getting a request.

In this case, the complainant asked for her minor child’s PHI copy and DELC did not provide that information in the expected 30 days. On October 30, 2019, OCR gave DELC advice while investigating its potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) connected with the alleged refusal to give a patient’s mom the records she requested.

OCR stated that the failure to give the required records constitutes a violation of the HIPAA Right of Access. According to OCR’s inquiry, DELC later provided a copy of the documents asked for by the child’s mom in May 2021, approximately two years after obtaining the preliminary request.

Apart from the financial penalties of $5,000, DELC has agreed to carry out a corrective action plan that involves assessing and upgrading guidelines and processes for delivering a person’s PHI copy and giving privacy training to its workforce about personal PHI access. OCR is going to keep an eye on DELC for 2 years to ensure it complies with the Right of Access terms of the HIPAA Privacy Rules.

A HIPAA-covered entity must never wait until a federal investigation is underway before providing a parent access to his/her kid’s healthcare data, explained Acting OCR Director Robinsue Frohboese. The covered entities have the responsibility to give their patients immediate access to their medical records.

Houston Hospital Workers’ Legal Action Due to Vaccine Requirement Dismissed by Federal Judge

Many U.S. employers, including a few leading healthcare centers and hospitals, have enforced policies that require their employees to be vaccinated against COVID-19. These policies are in keeping with the guidance given by the U.S. Equal Employment Opportunity Commission in May, which established that U.S. businesses are within their rights to call for their personnel to get vaccinated, with selected exemptions such as on medical or faith-based grounds.

Houston Methodist Hospital in Texas launched its vaccine requirement to make certain patients were safe against COVID-19 and had a June 7, 2021 due date for workers to get vaccinated. Though many workers at Houston Methodist Hospital have consented to get a COVID-19 vaccination, on June 7, a small group of employees staged a walkout because of the vaccine conditions. On June 8, the hospital decided to suspend 178 personnel with no pay for failing to comply with the vaccination requirement.

Legal action was taken by 117 of those employees, with lead plaintiff, Jennifer Bridges, professing that if she is laid off for declining the vaccine it would be tantamount to wrongful termination. Bridges says that the vaccines, which were granted emergency use authorizations by the FDA, are experimental and unsafe. Three of the vaccines covered by the emergency use authorizations have undergone clinical studies and a post-market study and were confirmed to be harmless.

On June 12, U.S. District Judge Lynn N. Hughes from the Southern District of Texas made a ruling that supported the hospital’s vaccination demand. Judge Hughes explained that the choice to require the workforce to be vaccinated against COVID-19 was in keeping with the hospital’s public policy and denied the plaintiffs’ allegations that the vaccines were experimental and unsafe.

The hospital’s staff are not participating in a human trial, explained Judge Hughes in his judgment. Methodist is seeking to do their work of protecting lives while not giving [patients] the Covid-19 virus. It is a decision made to hold workers, patients and their family members safer.

The judge stated in the ruling that under Texas laws, companies are within their rights to call for workers to be immunized. There are regulations to safeguard employees against wrongful firing; however, in situations like this, staff members would only be shielded against termination for declining to do an action that bears criminal penalties.

The employees and doctors made their choices for the benefit of patients, who are continually at the core of all they do. Houston Methodist Hospital Chief Executive, Dr. Marc Bloom, mentioned that all hospital personnel have now satisfied the prerequisites of the vaccine policy.

The hospital affirmed that 24,947 personnel received complete vaccination, 285 staff were not vaccinated because of clinical or religious exceptions, and 332 workers were issued deferrals because of pregnancy or some other reasons.

When the suspension time ends on June 21, 2021, termination measures will be enforced for all workers who still were not immunized. The legal professionals representing the plaintiffs plan to appeal the judgment.

Ransomware Attacks Impact UF Health and Sturdy Memorial Hospital

Sturdy Memorial Hospital based in Attleboro, MA is informing 57,379 patients concerning a computer security breach that transpired on February 9, 2021 during which patient data was stolen. As per the breach notice released by the hospital, an unauthorized individual obtained access to its systems, but the hospital secured its networks later that day.

The unauthorized person demanded a ransom payment to avert the disclosure/selling of information stolen during the cyberattack. The hospital took the decision to pay the ransom demand and got promises that all stolen data will be completely deleted and will not be further exposed. It is uncertain if this was merely an information theft occurrence or whether ransomware was employed in the attack.

Third-party computer forensics professionals were involved in checking out the breach, and an assessment was carried out to find out what patient information was exposed. The analysis was concluded on April 21, 2021 and all affected people began getting notification letters on May 28, 2021.

Sturdy Memorial Hospital mentioned that aside from its own patients, a number of patient data from other healthcare company partners – South Shore Medical Center, Harbor Medical Associates, and providers connected with South Shore Physician Hospital Organization – was at the same time compromised.

The exposed patient data differed from person to person and might have contained at least one of these data elements: Name, birth date, address, telephone number, driver’s license number, Social Security number, other government ID number, bank name, routing number, financial account number, credit card number and security code, Medicare Health Insurance Claim numbers, health background information, treatment or diagnosis data, procedure or diagnosis codes, prescription details, provider name, Medicare/Medicaid number, medical record number, medical insurance details, and treatment cost data. Sturdy Memorial Hospital reported that the attack didn’t affect its electronic health record system.

Free credit monitoring and identity protection services are being made available to persons who had their driver’s license number or Social Security number exposed in the attack. Extra safeguards and technical protective measures were already put in place at Sturdy Memorial Hospital to better safeguard and check its IT systems.

Villages and Leesburg Hospitals Affected by UF Health Ransomware Attack

University of Florida Health (UF Health) was compelled to undertake downtime measures subsequent to a ransomware attack on May 31, 2021. Workers used pen and paper to log patient data since computer systems and email weren’t available because of the attack.

The attack impacted The Villages and Leesburg Hospitals. UF Health Central Florida discovered the attack on the night of May 31 upon noticing abnormal activity on its computer systems. The attack doesn’t seem to have affected the Jacksonville and Gainesville campuses.

The attack is being investigated and attempts are ongoing to make sure that systems and data files are safe. All UF Health hospitals still offer healthcare services and patient protection was not impacted. It is at this time uncertain if the attackers took patient information before using ransomware to encrypt data files.