
Don’t forget about the SAG! – Ep 330 

 November 12, 2021

By Donna Grindle

The HITECH Act gave state attorneys general the authority to bring HIPAA cases on behalf of their residents. We haven’t seen that many cases from the states so far, but that may be changing. Today we discuss a recent New Jersey case that was handled under the state’s fraud, deceit, misrepresentation and professional misconduct laws. This is an eye-opening state-level case that everyone should pay attention to.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Upcoming Events:

The HIPAA Boot Camp Virtual Edition

Feb 22-24, 2022

Sign up now.

The Privacy and Security Boot Camp

3.5-day in-person event

Sep 12, 13, 14 and 15

More details coming soon…

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


Don’t forget about the SAG! – Ep 330

This whole episode is a HIPAA Say What!

[11:33] State Attorneys General were given some enforcement leverage under the HITECH Act. We have seen them take action in some cases that include HIPAA, but it has been a while since anything big came out. At least, that we know of right now. We could have missed something, but this one is really interesting.

State AGs can issue HIPAA penalties on behalf of their residents. A recent Consent Order filed by Andrew Bruck, Acting Attorney General of New Jersey, is full of HIPAA findings. It is important to note that the case came through the Division of Consumer Affairs, which handles fraud, deceit, misrepresentation and professional misconduct in the sale of goods and services in New Jersey. At the state level, in NJ at least, HIPAA failures get grouped with those offenses. I don’t think many people think of HIPAA that way at the Federal level.

Acting AG Bruck Announces Settlement with Fertility Clinic over Cybersecurity Lapses and Data Breach – New Jersey Office of Attorney General

A consent order still has to be approved by a judge, so it could all fall apart. Hopefully, it will be resolved in the next month. Even if it isn’t, this is another case that we can use as a cautionary tale.

Details of the case brought by the SAG

There are a lot of things in here that make it seem that this is a very adversarial case between the two parties. There are parts that just seem a bit… well… We will get to it and you will see.

It relates to a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The entity is Diamond Institute for Infertility and Menopause, LLC, based in Millburn, NJ. They have two locations in NJ (Millburn and Dover), one in NY, and they also offer consultation services in Bermuda. We will treat it as a four-location operation for our references, but this order only relates to the two in NJ.

Between August 2016 and January 2017, there were “multiple instances of unauthorized access” to the Diamond network, according to the filing. We get the obligatory quote from the AG.

Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy. Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.

Andrew J. Bruck, Acting Attorney General of New Jersey

But, in this case we also get a zinger from the Dir of Consumer Affairs.

Inadequate data systems and protocols are every hacker’s dream. Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.

Acting Director Sean P. Neafsey, Division of Consumer Affairs

The Division’s investigation resulted in allegations that Diamond violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, and the HIPAA Security Rule when it removed administrative and technological safeguards for protected health information (“PHI”) and ePHI, resulting in unauthorized access to its network that went undetected for approximately five and a half months.

[20:12] There are some very specific details mentioned in the filing that we don’t normally get to see:

On January 31, 2007, Diamond entered into an “On-site ‘Gold’ Support” managed services agreement with Infoaxis Technologies Inc. (“Infoaxis”) to provide security and information technology services for Diamond, including, but not limited to, maintaining its third-party server and workstations. This managed services agreement included third-party software for the management and reporting of audit logs intended to interpret triggers for event alerts.

In or around March 2014, Diamond changed the managed services agreement with Infoaxis from the “On-site ‘Gold’ Support” agreement to the “Essentials+” agreement. The “Essentials+” agreement did not include all the same services as the “On-site ‘Gold’ Support” agreement.

Diamond alleges that there was no reduction in services from the “On-site ‘Gold’ Support” agreement to the “Essentials+” agreement other than the amount of time included in the plan for on-site support services.

Prior to the Breach, Diamond’s HIPAA Privacy and Security Officer (“HPSO”) utilized a Remote Desktop Protocol (“RDP”) service with a virtual private network (“VPN”) to access the Diamond Network. However, because Diamond’s VPN was blocked from its Bermuda office, Infoaxis provided Diamond with an alternative method of remote access, which resulted in Infoaxis opening a port in Diamond’s firewall for RDP access, rather than using the VPN for authentication.

Over the course of five and a half months, from August 28, 2016 through January 14, 2017, the Millburn office workstation of Diamond’s HPSO was remotely accessed by undetected intruder(s) a significant number of times from foreign IP addresses. Unauthorized access was first discovered on January 14, 2017, when Infoaxis confirmed that an unauthorized user remotely accessed Diamond’s HPSO’s Millburn Office workstation.

During the period of unauthorized access, the data on the compromised workstation was not Encrypted. As a result, the intruder(s) had the ability to access ePHI stored on the workstation, including patients’ first and last names, dates of birth, Social Security Numbers, and medical record numbers.

The second sentence of that paragraph is misleading. The lack of encryption on the workstation is not what gave the intruder access to the ePHI. Disk encryption protects data at rest; once anyone, authorized or not, logs in to a running machine, the volume is unlocked and every file on it is readable in the clear. The access came through the exposed RDP port and the compromised credentials, and encryption would have made no difference to a logged-in user.

Diamond’s review of the Breach determined that at least one intruder also accessed Diamond’s third-party server, which housed Diamond’s electronic medical records (“EMR”) data within a password protected Microsoft SQL database. Diamond’s investigation determined that the unauthorized access occurred through two compromised Diamond user accounts, which at the time of the Breach had weak passwords. Diamond also had weak security settings for failed login attempts, and password expiration.

Diamond did not Encrypt any of the ePHI stored on the third-party server. While the EMR data stored within the password protected Microsoft SQL database was not affected, the intruder was capable of accessing unprotected patient documents, which included patient lab results, ultrasound images and reports, clinical notes, and post-operative notes.

Diamond’s investigation was unable to determine how the intruder(s) gained access to the Diamond network.
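The filing says intruders logged in to the HPSO’s workstation over RDP from foreign IP addresses for five and a half months, that the lockout and password settings were weak, and that nobody was reviewing the activity records. Here is what a basic weekly log review for exactly that pattern looks like as working code. This is an added example, not code from the consent order, Diamond or Infoaxis: it parses a handful of constructed Windows Security event records (4624 successful logon and 4625 failed logon, in a simplified key=value layout), flags interactive RDP logons (LogonType 10) from source addresses outside an assumed office LAN and VPN client pool, and counts failed logons per account and source against an assumed lockout threshold. The address ranges, account names, IP addresses, timestamps and threshold are all assumptions.

```python
"""Review constructed Windows Security log records for the pattern in the
Diamond case: RDP logons (Event 4624, LogonType 10) from source addresses
outside the expected ranges, plus failed-logon bursts (Event 4625) against
the same accounts that no lockout policy stopped.

Added example; the log lines, accounts, addresses and ranges are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed: the only ranges RDP logons should ever come from. Opening 3389 on
# the firewall for Bermuda means every address on the internet is a candidate.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/16"),    # office LAN (assumed)
    ipaddress.ip_network("172.16.50.0/24"),  # VPN client pool (assumed)
]
FAILED_LOGON_THRESHOLD = 5  # assumed lockout threshold a sane policy would enforce

# Constructed sample records. Real 4624/4625 events carry the same fields
# (TargetUserName, LogonType, IpAddress); this layout just keeps parsing short.
SAMPLE_LOG = """\
2016-08-28T02:14:07Z EventID=4625 TargetUserName=hpso LogonType=10 IpAddress=203.0.113.77
2016-08-28T02:14:09Z EventID=4625 TargetUserName=hpso LogonType=10 IpAddress=203.0.113.77
2016-08-28T02:14:11Z EventID=4625 TargetUserName=hpso LogonType=10 IpAddress=203.0.113.77
2016-08-28T02:14:13Z EventID=4625 TargetUserName=hpso LogonType=10 IpAddress=203.0.113.77
2016-08-28T02:14:15Z EventID=4625 TargetUserName=hpso LogonType=10 IpAddress=203.0.113.77
2016-08-28T02:14:20Z EventID=4624 TargetUserName=hpso LogonType=10 IpAddress=203.0.113.77
2016-08-29T09:01:44Z EventID=4624 TargetUserName=hpso LogonType=10 IpAddress=172.16.50.12
2016-09-03T23:52:02Z EventID=4624 TargetUserName=frontdesk LogonType=10 IpAddress=198.51.100.9
2016-09-04T08:30:10Z EventID=4624 TargetUserName=nurse1 LogonType=2 IpAddress=10.10.4.21
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: str
    event_id: int
    user: str
    logon_type: int
    source: ipaddress.IPv4Address | ipaddress.IPv6Address


def parse_line(line: str) -> LogonEvent:
    """Parse one 'timestamp key=value ...' record into a LogonEvent."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return LogonEvent(ts, int(kv["EventID"]), kv["TargetUserName"],
                      int(kv["LogonType"]), ipaddress.ip_address(kv["IpAddress"]))


def parse_log(text: str) -> list[LogonEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_trusted(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(addr in net for net in TRUSTED_SOURCES)


def review(events: list[LogonEvent]):
    """Return the two findings a periodic log review should surface:
    successful RDP logons from untrusted sources, and (user, source) pairs
    whose failed-logon count reached the threshold a lockout should have enforced.
    """
    untrusted_rdp = [e for e in events
                     if e.event_id == 4624 and e.logon_type == 10 and not is_trusted(e.source)]
    failures = Counter((e.user, e.source) for e in events if e.event_id == 4625)
    brute_force = {key: n for key, n in failures.items() if n >= FAILED_LOGON_THRESHOLD}
    return untrusted_rdp, brute_force


if __name__ == "__main__":
    rdp, bf = review(parse_log(SAMPLE_LOG))
    for e in rdp:
        print(f"ALERT untrusted RDP logon: {e.user} from {e.source} at {e.ts}")
    for (user, src), n in bf.items():
        print(f"ALERT {n} failed logons for {user} from {src}; lockout policy never fired")
```

Against the sample, the review flags the 2016-08-28 logon on its first run, which is the difference between finding the intrusion on day one and finding it five and a half months later. The untrusted-source check is also exactly the control the Bermuda workaround removed: with RDP reachable only over the VPN, every legitimate logon arrives from the VPN pool and anything else is a finding by definition.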

During the relevant time period, Diamond either did not have Business Associate Agreements in place or does not have documentation of Business Associate Agreements being in place, prior to it sharing ePHI with its Business Associates, Berkshire Medical Technologies (“BMedTech”), Infoaxis, and Igenomix.

[35:57] There are a lot of details in there. The press release boils it down to a list of five violations, but the consent order itself lists far more:

  1. failing to ensure the confidentiality, integrity, and availability of ePHI
  2. failing to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
  3. failing to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI
  4. failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  5. failing to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
  6. failing to make reasonable efforts to implement proper specifications of the “minimum necessary requirements”
  7. failing to implement proper procedures for creating and maintaining retrievable exact copies of ePHI
  8. failing to implement procedures for periodic testing and revision of contingency plans, or document why the implementation of such procedures was not reasonable or appropriate, and implement an equivalent alternative
  9. failing to assess the relative criticality of specific applications and data in support of other contingency plan components, or document why implementation of such procedures was not reasonable or appropriate, and implement an equivalent alternative
  10. failing to assign a unique name and/or number for identifying and tracking user identity
  11. failing to implement a mechanism to Encrypt ePHI, or document why implementation of such a mechanism was not reasonable or appropriate, and implement an equivalent alternative measure
  12. failing to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
  13. failing to implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, or document why implementation of such a mechanism was not reasonable or appropriate, and implement an equivalent alternative measure
  14. failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI
  15. failing to implement proper procedures for creating, changing, and safeguarding passwords, or document why the implementation of such procedures was not reasonable or appropriate, and implement an equivalent alternative measure
  16. failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be
  17. failing to review and update its policies and procedures in response to environmental or operational changes affecting the security of ePHI
  18. failing to implement a written contract or other arrangement with three (3) Business Associates to document that it has obtained satisfactory assurances that the Business Associates will appropriately safeguard the ePHI, and sharing ePHI with those entities despite this failure
  19. failing to appropriately sanction its Security Officer for not complying with its privacy and security policies

To be clear on all of this though, Diamond disputes the Division’s allegations.

Just to twist the knife a bit more, the Division also points out how Diamond violated the state consumer fraud protections:

Diamond engaged in violations of the CFA by misrepresenting its HIPAA practices in its security policy and privacy policy.

SAG corrective action plan in consent order

[39:09] The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees. The corrective action plan is 7 years!

The agreement also includes all kinds of corrective actions that Diamond will make. Right off the bat, boom:

Diamond shall not misrepresent the extent to which Diamond maintains and protects the privacy, security, or confidentiality of PI, PHI, or ePHI collected from or about consumers

If a Security Incident does not trigger the Breach Notification Rule, Diamond shall create a report that includes a description of the Security Incident and Diamond’s response to that Security Incident (“Security Incident Report”), in accordance with the Diamond Privacy Policy, and the Diamond Security Policy. The Security Incident Report shall be made available for inspection by the Third-Party Security Assessor…

Basically, they are required to put a program in place, with proof that they are actually doing the work. Several items in the list say they will create policies and procedures, put BAAs in place, and so on. A few points were very interesting and somewhat concerning:

Diamond shall review not less than annually the Information Security Program

Diamond shall appoint and maintain an employee, other than Diamond’s HPSO at the time of the Breach, who shall serve as its HPSO and be responsible for implementing, maintaining, and monitoring the Information Security Program within sixty (60) days from the Effective Date, if not already appointed as of the Effective Date. The HPSO shall have the background and expertise, with documentation of her or his background and expertise, in information security appropriate to the level, size, and complexity of her or his role in implementing, maintaining, and monitoring the Information Security Program. Within thirty (30) days of the employment of the HPSO, Diamond shall provide a statement, in writing to the Division that it has designated an HPSO. This writing shall also include the name of the HPSO for Diamond and documentation of her or his background and expertise.

The role of the HPSO will include regular and direct reporting to Diamond’s Executive Staff and Directors concerning Diamond’s security posture, the security risks faced by Diamond, and the security implications of Diamond’s business decisions. The HPSO shall meet and provide a report to Diamond’s Executive Staff and Directors on at least a quarterly basis. The HPSO shall report to Diamond’s Directors within twenty-four (24) hours of a confirmed Security Incident impacting 500 or more consumers residing in the United States.

Diamond shall ensure that its Information Security Program receives the resources and support reasonably necessary to function as intended

As part of its Information Security Program, Diamond shall develop, implement, and maintain a written incident response plan to prepare for and respond to Security Incidents. Diamond shall revise and update this response plan, as necessary, to adapt to any material changes that affect the security of PI, PHI, and ePHI. Such a plan shall, at a minimum, identify and describe the following phases: (i) Preparation; (ii) Detection and Analysis; (iii) Containment; (iv) Notification and Coordination with Law Enforcement; (v) Eradication; (vi) Recovery; (vii) Consumer and Regulator Notification and Remediation; and (viii) Post-Incident Analysis.

There is so much to unpack in this consent order. We’ve hit only a few of the high points. So, here is a link to the PDF for the entire NJ Division of Consumer Affairs’ Consent Order for Diamond Institute. Listen to the podcast to hear more that’s in the consent order, but I really encourage you to read the Consent Order for yourself… more than once. We certainly didn’t cover everything in this one.

So, if you want to build a privacy and security program, or you are the Security Officer and want to know how to get your organization to spend more money on privacy and security and take it seriously, show this NJ Consent Order against Diamond to leadership. With State Attorneys General starting to take action against companies for privacy and security violations, this will not be the last one of these we hear about.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
