Categories
Health Law Highlights

Pharmacy Association and 40 Providers Sue Change Healthcare Over Cyberattack

Summary of article from The HIPAA Journal, by Steve Adler:

The National Community Pharmacists Association (NCPA) and over 40 healthcare providers from 22 states are suing Change Healthcare, Optum, and UnitedHealth Group following a February 2024 ransomware attack. This Blackcat ransomware incident resulted in significant disruptions, as Change Healthcare’s critical systems were taken offline, affecting claims processing and revenue management for numerous providers nationwide. The plaintiffs argue that the defendants failed to implement adequate security measures and did not provide timely guidance or support, exacerbating financial hardships for healthcare providers. The lawsuit, which spans 140 pages, includes claims of negligence, breach of contract, and violations of various state consumer protection laws. It seeks permanent injunctive relief, enhanced security measures, and various forms of damages.

OCR Settles Alleged HIPAA Violations for $950,000 Following 2017 Ransomware Attack

Summary of article from King & Spalding, by Elizabeth Kimball Key:

On July 1, 2024, the HHS Office of Civil Rights (OCR) announced that Heritage Valley Health System agreed to pay $950,000 to settle alleged HIPAA violations following a 2017 ransomware attack. The settlement includes a corrective action plan (CAP) to address compliance gaps, marking the third HIPAA enforcement action involving ransomware. The OCR’s investigation revealed several potential HIPAA violations, including inadequate risk analysis, lack of a contingency plan, and insufficient access controls for electronic protected health information (ePHI). As part of the CAP, Heritage Valley will conduct a comprehensive risk analysis, implement a risk management plan, update its policies and procedures, and train its workforce on HIPAA compliance. OCR highlighted a significant increase in ransomware-related breaches, underscoring its enforcement priority.

Report Reviews Updates on Health Cybersecurity and Ransomware

Summary of article from Robinson & Cole LLP, by Linn F. Freedman:

The Health Sector Cybersecurity Coordination Center (HC3) has recently issued two critical alerts for the healthcare sector. The first alert, dated June 18, 2024, concerns Qilin (also known as Agenda Ransomware), a ransomware-as-a-service (RaaS) that targets healthcare organizations through spear phishing and other tools, employing double extortion tactics. The second alert, issued on June 27, 2024, highlights a critical vulnerability in the MOVEit file transfer platform, urging healthcare organizations to promptly patch the identified improper authentication processes to prevent exploitation. Progress, the platform’s owner, has released patches, but the vulnerability remains actively targeted by cyber threat actors. HC3 emphasizes the urgency of addressing these threats to protect against data loss and compromise.

5 Best Practices for Achieving Healthcare Cloud Compliance

Summary of article from Pro IT Today, by Christopher Tozzi:

Healthcare organizations can ensure cloud compliance by adopting several key practices. Implementing a zero trust security strategy is essential to protect sensitive data by granting access only when necessary. Educating cloud engineers about specific compliance requirements and using cloud data loss prevention (DLP) tools to detect and secure sensitive information are also crucial steps. Additionally, considering on-premises storage for highly sensitive data and opting for simpler cloud architectures can help minimize compliance risks. These measures collectively support the secure and compliant management of healthcare data in cloud environments.

Hacking the Hippocratic Oath: Four Ways to Shield Patients from Ransomware Attacks

Summary of article from MedCity News, by Mohammad Wagas:

The healthcare industry is under increasing threat from cyberattacks, highlighting an immediate need for stronger security measures. To address this, four key strategies are recommended: enhancing analysis of security risks, fostering a cybersecurity culture among all staff, segmenting networks to limit potential damage, and ensuring robust external surface defense. Comprehensive risk analysis tools and consistent cybersecurity education for staff are imperative. Implementing a Zero Trust architecture and conducting regular security audits of third-party vendors are also key. These initiatives align with medical ethics and ensure patient safety and their trust in technology.

Healthcare Ransomware Attacks Lead to Uptick in ED Visits at Nearby Hospitals

Summary of article from Health IT Security, by Jill McKeon:

A research letter in JAMA has revealed that ransomware attacks on hospitals not only disrupt the targeted facilities but also impact neighboring hospitals. The study, which analyzed emergency department (ED) visits and patient discharge data from 2014 to 2020, found a temporary decrease in ED visits and inpatient admissions at attacked hospitals and a temporary increase in ED visits at unaffected nearby hospitals. However, there were no significant changes in inpatient admissions at nearby hospitals. The research identified eight ransomware attacks that disrupted 15 hospitals, with ED visits and inpatient admissions decreasing by up to 16.62% in the second week after the attack. These findings underscore the broader implications of ransomware attacks on healthcare facilities and the importance of cybersecurity in patient care and safety.

Ransomware Attack on Texas Ophthalmology Practice Exposes Data of 80,000 Patients

Summary of article from The HIPAA Journal, by Steve Adler:

A Texas-based ophthalmology practice, encompassing Victoria Surgery Center, Victoria Eye Center, and Victoria Vision Center, was hit by a ransomware attack on March 21, 2024, compromising the personal and health data of 80,122 patients. The attack encrypted files, making certain systems inaccessible, and an investigation confirmed unauthorized access to patient data. Names, addresses, and medical identification details were among the compromised information. Affected individuals have been notified and offered a year of credit monitoring and identity theft protection services. In another incident, Texas Panhandle Centers, a Certified Community Behavioral Health Clinic, disclosed unauthorized access to its systems in October 2023, potentially exposing the data of 16,394 patients.

UnitedHealth Paid Hackers $22 Million Ransom

Summary of article from CNBC, by Ashley Capoot:

UnitedHealth Group confirmed the company paid a $22 million ransom after hackers breached its subsidiary, Change Healthcare, affecting the healthcare sector broadly. The breach left many doctors unable to fill prescriptions or get paid for their services temporarily. Witty revealed that the cybercriminals accessed Change Healthcare through a server that lacked multi-factor authentication, a security measure now implemented across all UnitedHealth’s external-facing systems. The breach compromised files containing protected health information and personally identifiable information, with a data review ongoing. UnitedHealth is working with regulators to assess the breach and notify affected individuals, while also implementing measures to prevent future cyberattacks.

Rehab Hospital Chain Hack Affects 101,000; Facing 6 Lawsuits

Summary of article from GovInfo Security, by Marianne Kolbasuk McGee:

Ernest Health, a Texas-based operator of rehabilitation hospitals, is facing multiple federal proposed class action lawsuits following a ransomware attack that potentially compromised the sensitive information of over 101,000 individuals across several states. The company reported 33 separate breaches involving a network server and a HIPAA business associate at rehabilitation and long-term care hospitals in 12 states. The lawsuits allege that Ernest Health’s negligence in failing to protect sensitive personal information puts the plaintiffs at risk of identity theft and other crimes. The compromised information includes names, addresses, birthdates, medical record numbers, health insurance plan member IDs, claims data, diagnosis, and prescription information, with some Social Security numbers and driver’s license numbers also affected. In response to the incident, Ernest Health has implemented additional safeguards and technical security measures to further protect and monitor its systems.

Health Care Giant Comes Clean About Recent Hack and Paid Ransom

Summary of article from Ars Technica, by Dan Goodin:

Change Healthcare, a US health care services provider, was attacked by ransomware group ALPHV or BlackCat, disrupting the US prescription market for two weeks. The breach occurred due to a compromised account that lacked multifactor authentication (MFA), allowing hackers to access and exfiltrate data. The company paid a ransom of $22 million to ALPHV and spent two weeks rebuilding its IT infrastructure. The attack resulted in a cost of $872 million in the first quarter, leading to accelerated payments and no-interest, no-fee loans of over $6.5 billion to affected providers. Currently, the company’s payment processing is at 86% of its pre-incident levels.