Imagine using one of the latest apps to track efforts to become pregnant, and entering data about fertility, a monthly cycle, even sexual activity. What happens if the app is shoddy, doesn’t contain basic security protection and doesn’t follow HIPAA? Or, if a patient goes to a fertility clinic for help, and the clinic didn’t follow HIPAA, what happens to the patient’s protected health information when malware hits?
Some of the most sensitive and private information a person has relates to their sexual and reproductive health. Two large recent cybersecurity incidents illustrate the importance of protecting the privacy and security of patient information.
Ransomware Attack on US Fertility
US Fertility (USF), one of the largest fertility clinics in the country has been hit with ransomware, jeopardizing patients’ protected health information. USF has clinics in 55 locations across 10 states. USF announced the ransomware in late November, noting it occurred September 14, 2020. The number of patients affected is not yet known.
“On September 14, 2020, USF experienced an IT security event [..] that involved the inaccessibility of certain computer systems on our network as a result of a malware infection,” USF said in an official statement.
“Through our immediate investigation and response, we determined that data on a number of servers and workstations connected to our domain had been encrypted by ransomware.”
USF went offline, taking down its servers and workstations after discovering the attack. Later it was able to restore them with the help of third-party computer forensic specialists and come back online on September 20.
The fertility network also notified federal law enforcement and continues to cooperate with them in the cybersecurity investigation.
Patient information stolen in the attack includes names, addresses, dates of birth, MPI (master patient index) numbers, and social security numbers. Although the patient data theft was confirmed, USF also states that it has no evidence of actual misuse of patients’ information. However under HIPAA, the theft alone triggers the breach notification rule, and unless USF can prove a “low probability of compromise of the patient data”, it must be reported to the Office for Civil Rights (OCR), which enforces HIPAA, and each patient affected must be notified.
Health Data Fertility App Not Secure
The California Attorney General has sued the maker of a reproductive health app, under state law, for failing to protect the privacy of patients using the app.
The company offers a mobile application called Glow (the “Glow app”), which is marketed as an ovulation and fertility tracker. The Glow app collects and stores deeply sensitive personal and medical information related to a user’s menstruation, sexual activity, and fertility. The Glow app can track: medications, fertility test results, past and upcoming medical appointments, complete medical records, and ovulation-cycle calculations. Users can also track intimate details of their sexual experiences and efforts to become pregnant, as well as document pregnancy histories, including miscarriages, abortions, and stillbirths.
The lawsuit claims that the company violated California consumer and health privacy laws because it:
- failed to preserve the confidentiality of medical information, and
- disclosed medical information without first obtaining a user’s authorization, and
- failed to implement reasonable data security procedures to protect personal information, which includes medical information.
The laws on which the lawsuit is based are the California’s Confidentiality of Medical Information Act (“CMIA”), Unfair Competition Law (“UCL”), and False Advertising Law (“FAL”).
The California health privacy laws are very similar to HIPAA, a federal law. Although the lawsuit is under state law and currently doesn’t include HIPAA, it’s very possible the Glow app will be investigated by OCR for HIPAA violations.
Beware State Privacy Laws and Class Actions in Federal Court
We’ve written before about lawsuits being the new frontier of HIPAA compliance.
Lawsuits can come from individuals suing under state privacy and consumer protection laws, or from state Attorneys General, as in the fertility app case described above. And the cases from individuals can mushroom into class action lawsuits under federal contract and negligence laws, like the ones against American Medical Collection Agency (AMCA) last year.
HIPAA Compliance is Easy and Prevents Breaches
To prevent breaches, and reduce the chances of being investigated or sued, the best defense is a strong HIPAA compliance program.
State privacy laws mirror HIPAA, so HIPAA compliance is good insurance against violations of similar laws. Some states are more strict than HIPAA, and in those cases, be sure to comply with the more strict requirements so both are covered.
A private lawsuit, like the class action cases against AMCA, will use standards of care from HIPAA to prove that the healthcare provider or business associate didn’t follow best practices, and failed at HIPAA compliance. Judges are starting to listen to this argument and agree.
If you have questions about how to comply with HIPAA and prevent a big breach, call The HIPAA E-Tool®.