Categories
Health Law Highlights

Navigating HIPAA Compliance in the Age of AI: Privacy and Security Considerations in Healthcare

Summary of article from HackerNoon, by mcmullen:

Artificial intelligence (AI) is revolutionizing various aspects of healthcare, but it also presents privacy and security risks, particularly in the context of data breaches. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is crucial when integrating AI into healthcare. To remain HIPAA compliant, healthcare organizations must understand AI algorithms, regularly update policies, and implement robust security measures. Despite the challenges, the implementation of AI in healthcare, when done responsibly and ethically, offers significant potential benefits for patient care and research.

Categories
Health Law Highlights

Change Healthcare Ransomware Attack: 10 Lessons Learned

Summary of article from Guidepost Solutions LLC, by Todd Doss:

In February 2024, Change Healthcare fell victim to a ransomware attack due to vulnerabilities in its infrastructure, including outdated software and misconfigured settings. The attackers used sophisticated malware to access the network and breach sensitive data, including patient records, financial data, and administrative details. The incident underscores the importance of robust cybersecurity measures, such as regular data backups, software updates, strong passwords, network segmentation, and continuous employee education. Organizations are also advised to avoid paying ransoms and to stay informed about cybersecurity trends. Lastly, consulting with third-party cybersecurity experts can help assess vulnerabilities and strengthen an organization’s security posture.

Categories
Health Law Highlights

Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Summary of article in The HIPAA Journal, by Steve Adler:

A study by Diligent Institute and Bitsight reveals that organizations with strong cybersecurity programs yield better financial performance and higher shareholder returns. The study, which analyzed data from 4,149 mid- to large-sized organizations, found that companies with advanced security ratings created almost four times more value for their shareholders than those with basic security ratings. The report also emphasized that cybersecurity is not just an IT problem but an enterprise risk affecting the company’s performance and health. There was a correlation between board structure and security ratings, with companies having specialized risk or audit committees performing better. The presence of a cybersecurity expert on these committees significantly improved an organization’s security performance.

Categories
Health Law Highlights

Comprehensive Federal Privacy Bill May Open Backdoor for HIPAA Private Right of Action

Summary of article from Fox Rothschild, by Elizabeth Litten:

The American Privacy Rights Act of 2024 (APRA) is a significant data privacy bill that aims to establish national data privacy rights and protections, superseding existing state data privacy laws. The Federal Trade Commission, states, and impacted individuals will enforce it. The bill includes a provision for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), stipulating they must comply with HIPAA’s data privacy and security requirements. However, the bill leaves room for non-compliant entities to be subject to APRA’s robust enforcement mechanisms, including the right for individuals to sue for alleged HIPAA violations. Given the complexity and evolving nature of HIPAA compliance requirements, the stability of APRA’s HIPAA provisions may be uncertain.

Categories
Health Law Highlights

Healthcare Still Underprepared for Scope of Cyber Threats, Says Report

Summary of article from Healthcare IT News, by Andrea Fox:

A new report from Kroll reveals a discrepancy between healthcare organizations’ self-assessment of their cybersecurity maturity and the reality of their readiness. Despite healthcare being among the most breached sectors, many organizations in this industry believe their cybersecurity processes are “very mature”. The report also identified remote access as a key vulnerability, with ransomware groups increasingly gaining initial access through external remote services. Kroll warns of increased scrutiny and accountability for C-suite executives in overseeing cybersecurity defenses. The report concludes that healthcare organizations must close the ‘self-diagnosis gap’ and enhance their security measures to protect against cyber threats.

Categories
Health Law Highlights

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Summary of article from The HIPAA Journal, by Steve Adler:

Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of approximately 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, leading to unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training, resulting in the inability to prevent or effectively respond to the breach. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.

Categories
Alert

Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million

Cerebral, Inc., a telehealth company, has agreed to settle Federal Trade Commission (FTC) charges over its failure to secure and protect sensitive consumer health data. The settlement includes a $7 million fine for disclosing consumers’ personal health information to third parties for advertising purposes and failing to uphold its cancellation policies. The FTC claimed that Cerebral violated privacy rights by revealing sensitive mental health conditions across the internet and in the mail. The proposed order will restrict Cerebral’s use and disclosure of sensitive consumer data and require the company to implement a comprehensive privacy and data security program. The order, which must be approved by a court, also mandates that Cerebral provide an easy way for consumers to cancel services.

Categories
Health Law Highlights

Bogus Botox Poisoning Outbreak Spreads to 9 States, CDC Says

Summary of article from Ars Technica, by Beth Mole:

The Centers for Disease Control and Prevention (CDC) reported that 19 women across nine US states have been poisoned by counterfeit Botox injections. Almost half of these cases resulted in hospitalization, with four individuals treated with botulinum anti-toxin. The Food and Drug Administration (FDA) reported these fake products were administered by unlicensed or untrained individuals in non-medical or unlicensed settings. The FDA and CDC noted symptoms from the counterfeit injections similar to botulism, including blurred vision, difficulty swallowing, dry mouth, constipation, and muscle weakness. They advised anyone experiencing these symptoms to seek immediate medical attention. The counterfeit Botox was primarily used for cosmetic purposes by women aged between 25 and 59. Exposure to the counterfeit product can lead to botulism or similar illnesses, potentially resulting in muscle paralysis or even death.

Categories
Health Law Highlights

PE-Owned Health Care Saw Surge in 2023 Bankruptcies, Report Says

Summary of article from Mergers & Acquisitions, by Bloomberg News:

Private equity (PE)-backed businesses accounted for about 20% of the 80 bankruptcies in the healthcare sector in 2023, according to the Private Equity Stakeholder Project. Additionally, venture-capital-backed companies made up another 15% of these filings. The report predicts this trend of healthcare bankruptcies will continue in 2024, especially among companies owned by PE firms. Two of the largest bankruptcies in 2023 were KKR Group’s Envision Healthcare Corp. and GenesisCare. The report also highlighted that increased regulation, high expenses, and the impact of the pandemic have contributed to the distress in the healthcare sector.

Categories
Alert

Consumer Health Information: Handle With (Extreme) Care

From the Federal Trade Commission, Business Blog, by Lesley Fair:

The Federal Trade Commission (FTC) has taken action against online healthcare providers Cerebral and Monument, Inc. for allegedly violating consumer privacy rights. Both companies were accused of sharing sensitive health data with third-party advertising platforms without consumer consent. Cerebral was also charged with misleading cancellation practices, while Monument was accused of falsely claiming HIPAA compliance.

The FTC’s lawsuit against Cerebral resulted in a settlement that included a $5.1 million judgment for consumer refunds, a $10 million civil penalty (suspended after a $2 million payment due to the company’s inability to pay the full amount), and injunctive provisions to change the company’s business practices, including a ban on using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.

The proposed order against Monument includes a ban on sharing data with third parties for advertising and a $2.5 million civil penalty (suspended due to the company’s inability to pay).

Businesses, especially those in the health sector, must substantiate any privacy or security representations they make and integrate privacy and data security into their operations. The FTC also insists that companies must provide simple mechanisms for consumers to cancel services and stop recurring charges.