Categories
Health Law Highlights

Change Healthcare Ransomware Attack: 10 Lessons Learned

Summary of article from Guidepost Solutions LLC, by Todd Doss:

In February 2024, Change Healthcare fell victim to a ransomware attack due to vulnerabilities in its infrastructure, including outdated software and misconfigured settings. The attackers used sophisticated malware to access the network and breach sensitive data, including patient records, financial data, and administrative details. The incident underscores the importance of robust cybersecurity measures, such as regular data backups, software updates, strong passwords, network segmentation, and continuous employee education. Organizations are also advised to avoid paying ransoms and to stay informed about cybersecurity trends. Lastly, consulting with third-party cybersecurity experts can help assess vulnerabilities and strengthen an organization’s security posture.

Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Summary of article in The HIPAA Journal, by Steve Adler:

A study by Diligent Institute and Bitsight reveals that organizations with strong cybersecurity programs yield better financial performance and higher shareholder returns. The study, which analyzed data from 4,149 mid to large-sized organizations, found that companies with advanced security ratings created almost four times more value for their shareholders than those with basic security ratings. The report also emphasized that cybersecurity is not just an IT problem, but an enterprise risk affecting the company’s performance and health. There was a correlation between board structure and security ratings, with companies having specialized risk or audit committees performing better. The presence of a cybersecurity expert on these committees significantly improved an organization’s security performance.

Comprehensive Federal Privacy Bill May Open Backdoor for HIPAA Private Right of Action

Summary of article from Fox Rothschild, by Elizabeth Litten:

The American Privacy Rights Act of 2024 (APRA) is a significant data privacy bill that aims to establish national data privacy rights and protections, preempting existing state data privacy laws. It would be enforced by the Federal Trade Commission, the states, and affected individuals. The bill includes a provision for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), stipulating that they must comply with HIPAA’s data privacy and security requirements. However, the bill leaves room for non-compliant entities to be subject to APRA’s robust enforcement mechanisms, including a right for individuals to sue for alleged HIPAA violations. Given the complexity and evolving nature of HIPAA compliance requirements, the stability of APRA’s HIPAA provisions is uncertain.

Healthcare Still Underprepared for Scope of Cyber Threats, Says Report

Summary of article from Healthcare IT News, by Andrea Fox:

A new report from Kroll reveals a discrepancy between healthcare organizations’ self-assessment of their cybersecurity maturity and the reality of their readiness. Despite healthcare being among the most breached sectors, many organizations in this industry believe their cybersecurity processes are “very mature”. The report also identified remote access as a key vulnerability, with ransomware groups increasingly gaining initial access through external remote services. Kroll warns of increased scrutiny and accountability for C-suite executives in overseeing cybersecurity defenses. The report concludes that healthcare organizations must close the ‘self-diagnosis gap’ and enhance their security measures to protect against cyber threats.

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Summary of article from The HIPAA Journal, by Steve Adler:

Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, and resulted in unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training and was therefore unable to prevent the breach or respond to it effectively. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.

Bogus Botox Poisoning Outbreak Spreads to 9 States, CDC Says

Summary of article from Ars Technica, by Beth Mole:

The Centers for Disease Control and Prevention (CDC) reported that 19 women across nine US states have been poisoned by counterfeit Botox injections. Almost half of these cases resulted in hospitalization, with four individuals treated with botulinum antitoxin. The Food and Drug Administration (FDA) reported that these fake products were administered by unlicensed or untrained individuals in non-medical or unlicensed settings. The FDA and CDC noted that symptoms from the counterfeit injections resemble botulism, including blurred vision, difficulty swallowing, dry mouth, constipation, and muscle weakness. They advised anyone experiencing these symptoms to seek immediate medical attention. The counterfeit Botox was primarily used for cosmetic purposes by women aged between 25 and 59. Exposure to the counterfeit product can lead to botulism or similar illnesses, potentially resulting in muscle paralysis or even death.

PE-Owned Health Care Saw Surge in 2023 Bankruptcies, Report Says

Summary of article from Mergers & Acquisitions, by Bloomberg News:

Private equity (PE)-backed businesses accounted for about 20% of the 80 bankruptcies in the healthcare sector in 2023, according to the Private Equity Stakeholder Project. Additionally, venture-capital backed companies made up another 15% of these filings. The report predicts this trend of healthcare bankruptcies will continue in 2024, especially among companies owned by PE firms. Two of the largest bankruptcies in 2023 were KKR Group’s Envision Healthcare Corp. and GenesisCare. The report also highlighted that increased regulation, high expenses, and the impact of the pandemic have contributed to the distress in the healthcare sector.

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

From Ars Technica, by Andy Greenberg and Matt Burgess:

Change Healthcare, a prominent healthcare company in the U.S., has been embroiled in a significant ransomware debacle, initially victimized by the group AlphV, which encrypted the company’s network and received a $22 million ransom payment. Now, a new ransomware group, RansomHub, claims to possess 4 terabytes of Change Healthcare’s stolen data and is demanding its own ransom. While the origins of RansomHub’s data are unclear, security analysts suggest that the threat may be legitimate. This situation highlights the risk of re-extortion in ransomware attacks and the untrustworthiness of cybercriminals, even after ransoms are paid. The ongoing attack has caused severe disruptions across U.S. medical practices, with 80% of clinicians reporting revenue loss and many facing potential bankruptcy.

CMS Issues Hospice Proposed Payment Rule

From King & Spalding, by Kate Karpenko:

CMS (the Centers for Medicare & Medicaid Services) has issued a proposed rule for fiscal year 2025 to update Medicare hospice payments and the aggregate cap amount, which includes a 2.6% increase in payments and an updated aggregate cap of $34,364.85. The proposal also introduces changes to the Hospice Quality Reporting Program (HQRP), including the addition of two new measures and the use of the Hospice Outcomes and Patient Evaluation (HOPE) tool for patient data collection. It also proposes changes to the Hospice Consumer Assessment of Healthcare Providers and Systems (CAHPS) Survey, including a web-mail mode and a simplified survey. Technical changes are proposed to the Conditions of Participation (CoPs) to clarify language around the roles of the medical director and physician designee. Stakeholders are encouraged to submit comments on the proposed rule by May 28, 2024.

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.