Veterinary Network Hit with Ransomware

By Linn Foster Freedman on December 5, 2019 Posted in Cybersecurity

National Veterinary Associates (NVA), a large network of veterinary hospitals and clinics, has reportedly been the victim of a ransomware attack. According to the reports, NVA employs more than 2,600 veterinarians, with over 700 veterinary hospitals and clinics in the U.S., Canada, Australia, and New Zealand.

NVA was reportedly hit with the Ryuk ransomware virus, which caused many of its hospitals and clinics to interrupt care to animals because they couldn’t access their records of treatment.

Ryuk has been notorious for hitting hospitals and clinics, and apparently it does not discriminate between humans and four-legged, furry or feathered patients. Either way, it causes havoc on the ability to take care of patients.

Medicare Beneficiary Cards of 220,000 Individuals Compromised

By Linn Foster Freedman on December 5, 2019 Posted in Cybersecurity

The Centers for Medicare and Medicaid (CMS) has announced that approximately 220,000 Medicare beneficiaries’ card numbers have been compromised “by an unknown person or organization.” That means CMS doesn’t know who or how the cards were compromised.

Although CMS says it is working to “remedy the situation,” in the meantime, it is checking billing systems to prevent billing fraud and, if it suspects fraud, it will terminate the card number and issue the Medicare beneficiary a new card.

Until then, advocates for senior suggest that recipients:

Open any mail they receive from CMS, as it may contain a new Medicare card with a new number;
Call 1-800-MEDICARE upon receiving a new Medicare card to confirm that you have indeed been issued a new card (this means that your old number was probably compromised);
Bring your new card to all of your appointments so your providers will be aware that you have been issued a new number;
Check your Explanation of Benefits statements closely to make sure they reflect the services you have received;
Report any suspicious billing to 1-800-MEDICARE; and
Remember that Medicare does not call you—you call them. If you receive a call from “Medicare” or CMS, it is a scam.

Please share this information with the seniors in your life so they are aware of these tips.

On the Border Restaurant Suffers Data Breach

By Kathryn Rattigan on December 5, 2019 Posted in Data Breach

Last week, the Tex-Mex restaurant chain On the Border suffered a data breach that impacted its payment acceptance systems in 27 states. The restaurant says that some credit card information of customers who visited the chain between April and August 2019 may have been compromised. In a press release, On the Border representatives said, “Our company has retained a leading forensics firm and is currently investigating the extent to which information in On the Border’s systems has been impacted. We are cooperating with law enforcement and have also notified payment card networks of the investigation.”

The states that have impacted restaurants include Arizona, Arkansas, Colorado, Connecticut, Florida, Georgia, Illinois, Indiana, Iowa, Kansas, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, and Virginia.

The breach resulted from malware being installed on a payment processing system that accessed customer credit card data. This incident did not affect all customers or all catering orders. On the Border has taken steps to contain and remediate the breach.

Biometric Information Litigation Update

By Linn Foster Freedman on December 5, 2019 Posted in New + Now

Despite repeated warnings, companies continue to be hammered with class action lawsuits for violation of the Illinois Biometric Information Privacy Act (BIPA) [view related posts].

BIPA requires that any company that is collecting, using and disclosing biometric information (such as facial recognition, iris scans, fingerprints, DNA testing, to name a few) must basically obtain consent before collecting the information; tell the individual why they are collecting it and what they are doing with it; protect the information while it is in the company’s possession; and destroy it when it no longer has a business purpose to keep it. That is the crib version of the statute.

Companies continue to collect fingerprints of employees for time accounting (instead of the old method of punching in and out), but if they don’t get consent, tell the employees why they are collecting the prints, what they are doing with them, and whether they will or will not destroy them, they often find themselves being sued.

The companies that have recently been hit with class action suits for violation of BIPA include: Caterpillar, Keurig, Pepsi, WeWork and Juul. Of course, Facebook and Shutterfly were the early victims. (We used to write about each such lawsuit, but now they are popping up so frequently that we are aggregating them in one post.)

A particularly interesting recent case is one against Octapharma Plasma, Inc. (OPI). In the Complaint, the plaintiff alleges that OPI “operates a chain of blood plasma donation centers throughout the State of Illinois…” and that “when consumers donate plasma…they are required to scan their fingerprints and enroll in Octapharma’s customer membership database.”

The case points out that when people come in to donate plasma, they must scan their fingerprints; more conventional methods are to use a registration card for identification. Registration cards can be replaced if they are lost or stolen, but fingerprints cannot be replaced, and if the database were to be compromised, this loss would cause risk to those whose fingerprints are contained in the database.

The suit states that OPI is in violation of BIPA because it failed “to adequately inform its customers of the complete purposes for which it collects their sensitive biometric data or to whom the data is disclosed, if at all…” and “failed to provide customers with a written, publicly available policy identifying the retention schedule, and guidelines for permanently destroying their fingerprints.”

This and other cases illustrate how easy it is to get caught in the web of BIPA-related class action litigation. If you are collecting biometric information, be aware of BIPA (and other state laws) that require transparency and consent, and address these requirements in your compliance program.

Aviation Groups Urge House and Senate Committees to Reject Drone Legislation

By Kathryn Rattigan on December 5, 2019 Posted in Drones

In a letter submitted last month to the chairmen and ranking members of the House of Representatives Committee on Transportation and Infrastructure and its aviation subcommittee, the Aircraft Owners and Pilots Association (AOPA) and other aviation industry groups urged the panels to oppose the Drone Integration and Zoning Act, S.2607. This Act “proposes enabling thousands of local governments in the United States to impose their own restrictions on commercial [unmanned aerial systems (UAS or drones)] air carrier operations.”

The groups believe that passing the Act before the U.S. Department of Transportation (DOT) UAS Integration Pilot Program wraps up would be premature. The pilot program is focused on determining how state and local entities can work with DOT and the Federal Aviation Administration (FAA) “to craft new rules that support more complex low-altitude operations” that drone integration would bring about.

The group believes that the Act would undo a long-established regulatory structure that AOPA says is integral to aviation safety. We will see if the industry’s strong stance affects the outcome of this Act.

Privacy Tip #218 – FBI Considers FaceApp a Counterintelligence Threat

By Linn Foster Freedman on December 5, 2019 Posted in Privacy Tips

For those of you who have downloaded the face editing app FaceApp, please note that the Federal Bureau of Investigation (FBI) has classified FaceApp as a counterintelligence threat because of its Russian origins.

According to the FBI, “[T]he FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat, based on the data the product collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia’s borders.”

When the FBI considers an app a security threat to the U.S., we all should. Downloading apps in general is risky, but downloading apps based in foreign countries that are trying to obtain information about U.S. citizens – and in fact are obtaining information from unwitting U.S. citizens – is potentially putting us in danger.

Now is the time to perform app hygiene. Check the apps on your phone to determine whether you are using them or not. If you aren’t using them, delete them. There is no reason to continue to allow them to collect your information if you are not using them and getting a benefit from them. If you are using them and can’t live without them, do some due diligence to determine the background of the app, read the Privacy Policy and Terms of Use to know what they are collecting and using about you, and delete the app if your gut tells you something’s not right. If you have downloaded FaceApp, that would be the first one to delete.

Misdirected Hospital Bills Lead to $2.175 Million HIPAA Settlement

By Conor Duffy on December 3, 2019 Posted in Health Information Privacy, HIPAA and Health Information

On November 27, 2019, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a $2.175 million dollar settlement with a hospital system to resolve alleged violations of HIPAA’s Breach Notification Rule and Privacy Rule. The settlement is noteworthy as it represents OCR’s fourth HIPAA settlement in excess of $1 million dollars in just over a month [See our coverage of recent enforcement actions here and here].

The settlement with a 10-hospital system arises from a complaint filed in April 2017 by an individual who claimed the system sent a bill to the complainant that contained another patient’s PHI. According to OCR, an investigation subsequently showed that billing statements for 577 patients had been improperly merged with different guarantor’s mailing labels, resulting in the improper disclosure of the PHI of those 577 individuals. OCR also alleges that after conducting a risk assessment, the hospital system only provided breach notification to eight affected individuals. In its announcement of the settlement, OCR states that the system “incorrectly” concluded that only disclosures that include a patient diagnosis, treatment information or other medical information are reportable, and that the system had not properly reported the breach even after being advised by OCR of the duty to do so.

OCR’s investigation further indicated that the parent corporation of the hospital system provided business associate services to the subsidiary hospitals, but did not have a business associate agreement in place.

In addition to the $2.175 million monetary payment, as part of the settlement the hospital system agreed to a two-year corrective action plan (CAP). The CAP requires the system to develop and submit written policies and procedures for Breach Notification Rule compliance for approval by OCR. The approved policies and procedures must be distributed to workforce members, who in turn are required to certify that they have read, understood, and will abide by the policies and procedures. The CAP also requires the system to submit an implementation report to OCR, followed by annual reports that include information on any reportable events of non-compliance with the CAP.

This settlement provides an important reminder to hospital systems of the broad scope of the Breach Notification Rule, and the significant potential regulatory penalties for non-compliance with HIPAA when carrying out billing activities. Hospital systems structured to allow a parent corporation to provide certain administrative tasks on behalf of subsidiary hospitals would also be well advised to ensure that any business associate services furnished to covered entity subsidiaries by the parent (or other system entities) are addressed in a business associate agreement.

The Future of Stablecoins—Anything But Stable?

By Norman Roos on December 2, 2019 Posted in Virtual Currency

Stablecoin currencies such as Facebook’s Libra may pose systemic risks to the global financial system, according to a recently released Federal Reserve Report (the Fed). In its Financial Stability Report released on November 19th, the Fed states that a global stablecoin network, if poorly designed and unregulated, could pose risks to financial stability and that the failure of a stablecoin currency to operate as expected could disrupt other parts of the financial system.

These concerns are not surprising in light of the regulatory scrutiny focused on virtual currency developments, starting with the advent of Bitcoin. That being said, “stablecoins” are, as the name suggests, intended to avoid the risky fluctuations in currency value associated with Bitcoin and other traditional cryptocurrencies by pegging the value of the stablecoin to an existing currency and backing the stablecoins with actual currency or other assets.

Nonethless, stablecoins share many of the same risks associated with other cryptocurrencies. In this regard, the Fed report warns that the anonymity often found in stablecoins can facilitate money laundering, terrorist financing and other financial crimes.

To address these risks, the Federal Reserve and other regulators are closely monitoring stablecoin currencies such as Libra to ensure that any stablecoin system with a global scope and scale satisfactorily addresses legal and regulatory challenges before it operates. In particular, regulators in many jurisdictions have made it clear that stablecoin issuers, operators, and intermediaries are responsible for preventing their systems from being used by criminals to obscure their identity, location, and transactional activity, and for ensuring compliance with anti-money-laundering and counter-terrorist-financing laws and regulations in each jurisdiction in which they operate.”

The report also warns that, as with any other financial product, stablecoin currency platforms must contain adequate consumer and investor protections such as transparency as to fees, costs, and risks, as well as privacy protection and protection against fraudulent transactions.

The report comes months after Facebook proposed launching its Libra global cryptocurrency initiative, an initiative that has elicited significant concerns from lawmakers and regulators.

2.2 Million GateHub and RuneScape Passwords Compromised

By Linn Foster Freedman on November 21, 2019 Posted in Cybersecurity, Virtual Currency

It has been reported by Troy Hunt, the security researcher who provides the “Have I Been Pwned” free breach notification service, that 1.4 million passwords and personal information of customers of GateHub, a cryptocurrency wallet service provider, and 800,000 customers of EpicBot gaming bot provider RuneScape are for sale on the web.

According to Hunt, that personal information includes email addresses and passwords that were cryptographically hashed with bcrypt, as well as two-factor authentication keys, mnemonic phrases, wallet hashes, user names and IP addresses.

Security researchers are suggesting that users of these two services change their passwords as soon as possible, replace mnemonic phrases, change passwords of any other sites where the same password may have been used, and be wary of spear-phishing attacks.

Texas Health and Human Services Fined $1.6 Million for HIPAA Violations

By Linn Foster Freedman on November 21, 2019 Posted in Health Information Privacy, HIPAA and Health Information

The Office for Civil Rights (OCR) announced that it has fined the Texas Health and Human Services Commission (TXHHS) $1.6 million for HIPAA violations. This is one of the few fines the OCR has levied against a state agency.

The fine centers around a data breach that TXHHS self-reported to the OCR in June 2015 regarding the personal health information (PHI) of 6,617 individuals that was viewed over the Internet. The information that is publicly accessible includes the individuals’ names, addresses, Social Security numbers and treatment information.

The OCR found that in addition to the data breach, TXHHS failed to conduct an enterprise-wide security risk analysis, failed to implement access and audit controls on the information technology system, and was unable to determine how many people accessed the PHI while it was publicly accessible.

The fines imposed were for violations that occurred from 2013 to 2019 and were for the maximum amounts proposed by the OCR to be assessed against TXHHS. Although the OCR provided TXHHS with the opportunity to provide “written evidence of mitigating factors or affirmative defenses and/or written evidence in support of a waiver of a CMP within thirty (30) days from the date of the receipt of the letter,” TXHHS did not respond.

According to the OCR, “No one should have to worry about their private health information being discoverable through a Google search.”

This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Any opinions expressed on this Blog/Website are opinions only of the author, expressed at the time the material is written based on information available to the author at that time, and are not opinions of the author's law firm or any of the author's or the law firm's clients. This Blog/Website is not intended to be attorney advertising. To the extent it might be deemed to be attorney advertising, it should not be considered advertising or to be seeking legal work in any jurisdiction in which the author is not admitted to practice law (i.e., jurisdictions other than Connecticut, Massachusetts, and various federal courts).