News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Lehigh Valley Health Network Agrees to Pay $65 Million Class Action Settlement to Patients after Ransomware Attack

Lawsuit is a strong reminder that clinical laboratories and pathology groups must take whatever steps necessary to secure their patients’ protected health information

Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, will pay out $65 million to settle a class-action lawsuit brought by the healthcare network’s own patients (identified only as “Jane Doe” in court documents) following a ransomware attack early last year in which LVHN refused to pay the ransom.

The payout may be the largest settlement for a single cyberattack to date and highlights the need for clinical laboratories and pathology groups to review their cyberattack defenses and incorporate steps to better secure patient protected health information (PHI), with one goal being to minimize the possibility of patients filing a class action lawsuit following a cyberattack.

LVHN blamed ransomware group ALPHV (a.k.a., BlackCat) for the attack, Fierce Healthcare reported. The hackers gained access to gigabytes of personal data belonging to 134,000 patients and staff members.

According to a news release LVHN issued in June, the private information the thieves obtained included, “names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. For some individuals, the information included email addresses, banking information, Social Security numbers, and driver’s license numbers. The information for a limited number of individuals included clinical images of patients during treatment.”

The case is worth attention because it casts light on what the health system administration did/did not do to prevent the data breach that enabled the hackers to post nude photos of cancer patients undergoing treatment and other patient PHI on the Internet.

“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” said Patrick Howard, JD (above), partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C., who is representing the plaintiffs in the class action lawsuit. “It wasn’t lost on anyone that that was a very significant breach.” Clinical laboratories are particularly vulnerable since as much as 80% of a patient’s health record is lab test results and other data. (Photo copyright: Saltz Mongeluzzi Bendesky P.C.)

Lawsuit Details

The class action lawsuit was filed in March 2023 by a “Jane Doe” cancer patient whose data was hacked on behalf of herself and other victims of the cyberattack. The court documents recount how the unidentified plaintiff—a woman in her 50s—was “called by the hospital’s vice president of compliance on March 6, with news that that naked images of her were now online, before offering—‘with a chuckle’—two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.”

“The pictures are really difficult to look at,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C. (SMB), who is representing the plaintiffs, in a news release. His legal team hired a cybersecurity expert who located the images the hackers had posted on the Dark Web, enabling them to “establish each person’s information that was actually online.”

The plaintiff’s attorney’s argued LVHN failed in its responsibility to protect patient information and were in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996).

The class action lawsuit also alleges LVHN routinely took photos of naked cancer patients, sometimes without their knowledge. Some of those photos were published by BlackCat on the Dark Web. 

“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims,” the lawsuit states. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first.”

The law firm also stated this settlement is “the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case,” The Register reported.

Patients affected by the security breach were placed in relief tiers based on the private information that was stolen and leaked. The compensatory breakdown for those patients is:

  • $50 to patients whose records were hacked.
  • $1,000 to patients who had their information posted online.
  • $7,500 to patients whose non-nude photos were posted online.
  • $70,000 to $80,000 for patients who had their nude photos posted online.

“We struck the right deal,” Howard told WHYY News. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”

Game Changing Data Breach

LVHN originally announced an attack had been detected in February 2023. On March 4, 2023, the ALPHV hackers demanded a ransom in excess of $5 million from LVHN, threatening to distribute the stolen data unless the ransom was paid. LVHN refused to pay the ransom which led to the cybercriminals uploading the stolen data to the Dark Web. 

“Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” stated Brian Nester, DO, President and CEO, LVHN, in a news release.

“The type of data that was exposed, it’s a game changer,” said Carter Groome, founder and CEO of digital-risk firm First Health Advisory in the SMB news release. “This was so much more of a tangible, direct distress to those people who trusted the organization.”

“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard told WHYY News. “I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images.”

Patients had until October 21, 2024, to exclude themselves from or object to the settlement. The deadline to submit a claim form was November 3, 2024, and the final approval hearing was held on November 15, 2024.

LVHN agreed to the terms of the settlement, whilst denying any wrongdoing on its part. Individuals in the settlement class who chose to participate in the lawsuit will be sent payment automatically.

LVHN has established a website for people seeking information about the cyberattack. 

As ransomware attacks continue to increase, clinical laboratories and pathology groups should review their cyberattack defenses and determine how to better secure their patients’ protected health information. Taking necessary precautions could minimize the possibility of patient data being compromised and prevent another huge class-action lawsuit.                     

—JP Schlingman

Related Information:

Lehigh Valley Health Network Issues Cyber Incident Notification

Lehigh Valley Health Network Agrees to $65M Settlement over Ransomware Attack That Leaked Nude Photos

Lehigh Valley Health Network Data Breach Lawsuit Settled for $65 Million

Healthcare Giant to Pay $65M Settlement after Crooks Stole and Leaked Nude Patient Pics

LVHN to Pay $65M after Cyberattack, Cancer Patients’ Photos Posted on Dark Web

A Message from Brian A. Nester, DO, MBA, President and CEO, Lehigh Valley Health Network

Patients at Center of Data Breach Case Win $65M Settlement against Lehigh Valley Health Network

Health System to Pay $65 Million after Hackers Leaked Nude Patient Photos

American Associated Pharmacies Struck by Ransomware Attack

Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company

American Society for Clinical Pathology Website Was Hacked Last Year, Possibly Exposing Credit Card Information of Members and Online Shoppers

Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened

For a “limited time period” in 2020, the American Society for Clinical Pathology (ASCP) was the target of a cyberattack that “potentially exposed payment card data as it was

being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.

In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.

Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”

In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”

The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.

“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.

What Type of Cyberattack?

Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.

ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.

“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.

Peter-Blum-Group-Product-Manager-Google
In an interview with TechRepublic, Peter Blum (above), Group Product Manager at Google, discussed steps companies can take to proactively manage the threat of Magecart cyberattacks. “The best defense against Magecart attacks is preventing access,” Blum said. “Online companies need a solution that intercepts all of the API [application programming interface] calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.” (Photo copyright: LinkedIn.)

Federal Rules and Regulations Concerning HIPAA and PHI

The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.

With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.

Although no reported violations under the Health Insurance Portability and Accountability Act (HIPAA) occurred in this ASCP data breach, it should be noted that there are rules under HIPAA for data breaches where Protected Health Information (PHI) may have been compromised.

Under the HIPAA Breach Notification Rule, entities that were hacked must perform the following steps:

  • Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
  • Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
  • For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.

This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.

—JP Schlingman

Related Information:

World’s Largest Pathologists Association Discloses Card Incident

American Society for Clinical Pathology—Incident Notification

ASCP Disclosed Payment Card Web Skimming Incident

Magecart Attack: What It is, How it Works, and How to Prevent It

What is Magecart? How This Hacker Group Steals Payment Card Data

A Deep Dive into Magecart: What Is Magecart?

Compliance Perspectives: State Enforcement Raises Liability Risks of Data Breaches

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

University of California San Diego Researchers Demonstrates How Easily Medical Laboratory Systems and Devices Can Be Compromised, Putting Patient Lives at Risk

WannaCry Ransomware Holds Critical Data Hostage Worldwide, Including UK’s National Health Service and Russia’s Interior Ministry

UK’s NHS Will Use Amazon Alexa to Deliver Official Health Advice to Patients in the United Kingdom

Since Alexa is now programed to be compliant with HIPAA privacy rules, it’s likely similar voice assistance technologies will soon become available in US healthcare as well

Shortages of physicians and other types of caregivers—including histopathologists and pathology laboratory workers—in the United Kingdom (UK) has the UK’s National Health Service (NHS) seeking alternate ways to get patients needed health and medical information. This has prompted a partnership with Amazon to use the Alexa virtual assistant to answer patients healthcare inquiries.

Here in the United States, pathologists and clinical laboratory executives should take the time to understand this development. The fact that the NHS is willing to use a device like Alexa to help it maintain access to services expected by patients in the United Kingdom shows how rapidly the concept of “virtual clinical care” is moving to become mainstream.

If the NHS can make it work in a health system serving 66-million people, it can be expected that health insurers, hospitals, and physicians in the United States will follow that example and deploy similar virtual health services to their patients.

For these reasons, all clinical laboratories and anatomic pathology groups will want to develop a strategy as to how their organizations will interact with virtual health services and how their labs will want to deploy similar virtual patient information services.

Critical Shortages in Healthcare Services

While virtual assistants have been answering commonly-asked health questions by mining popular responses on the Internet for some time, this new agreement allows Alexa to provide government-endorsed medical advice drawn from the NHS website.

By doing this, the NHS hopes to reduce the burden on healthcare workers by making it easier for UK patients to access health information and receive answers to commonly-asked health questions directly from their homes, GeekWire reported. 

“The public needs to be able to get reliable information about their health easily and in ways they actually use. By working closely with Amazon and other tech companies, big and small, we can ensure that the millions of users looking for health information every day can get simple, validated advice at the touch of a button or voice command,” Matthew Gould, CEO of NHSX, a division of the NHS that focuses on digital initiatives, told GeekWire

The Verge reported that when the British government officially announced the partnership in a July press release, the sample questions that Alexa could answer included:

  • Alexa, how do I treat a migraine?
  • Alexa, what are the symptoms of the flu?
  • Alexa, what are the symptoms of chickenpox?

“We want to empower every patient to take better control of their healthcare and technology like this is a great example of how people can access reliable, world-leading NHS advice from the comfort of their home, reducing the pressure on our hardworking GPs (General Practitioners) and pharmacists,” said Matt Hancock, Secretary of State for Health and Social Care, in the press release.

MD Connect notes that the NHS provides healthcare services free of charge to more than 66-million individuals residing in the UK. With 1.2 million employees, the NHS is the largest employer in Europe, according to The Economist. That article also stated that the biggest problem facing the NHS is a staff shortage, citing research conducted by three independent organizations:

Their findings indicate “that NHS hospitals, mental-health providers, and community services have 100,000 vacancies, and that there are another 110,000 gaps in adult social care. If things stay on their current trajectory, the think-tanks predict that there will be 250,000 NHS vacancies in a decade,” The Economist reported.

UK’s Matt Hancock, Secretary of State for Health and Social Care (above), defends the NHS’ partnership with Amazon Alexa, saying millions already use the smart speaker for medical advice and it’s important the health service uses the “best of modern technology.” Click here to watch the video. (Video and caption copyright: Sky News.)

“This idea is certainly interesting and it has the potential to help some patients work out what kind of care they need before considering whether to seek face-to-face medical help, especially for minor ailments that rarely need a GP appointment, such as coughs and colds that can be safely treated at home,” Professor Helen Stokes-Lampard, Chairman at the Royal College of General Practitioners, and Chair of the Board Of Directors/Trustees at National Academy of Social Prescribing, told Sky News.

“However,” she continued, “it is vital that independent research is done to ensure that the advice given is safe, otherwise it could prevent people seeking proper medical help and create even more pressure on our overstretched GP service.”

Amazon has assured consumers that all data obtained by Alexa through the NHS partnership will be encrypted to ensure privacy and security, MD Connect notes. Amazon also promised that the personal information will not be shared or sold to third parties.

Alexa Now HIPAA Compliant in the US

This new agreement with the UK follows the announcement in April of a new Alexa Skills Kit that “enables select Covered Entities and their Business Associates, subject to the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), to build Alexa skills that transmit and receive protected health information (PHI) as part of an invite-only program. Six new Alexa healthcare skills from industry-leading healthcare providers, payors, pharmacy benefit managers, and digital health coaching companies are now operating in our HIPAA-eligible environment.”

Developers of voice assistance technologies can freely use these Alexa skills, which are “designed to help customers manage a variety of healthcare needs at home simply using voice—whether it’s booking a medical appointment, accessing hospital post-discharge instructions, checking on the status of a prescription delivery, and more,” an Amazon Developer Alexa blog states.

The blog lists the HIPAA-compliant Alexa skills as:

  • Express Scripts: Members can check the status of a home delivery prescription and can request Alexa notifications when their prescription orders are shipped.
  • Cigna Health Today by Cigna (NYSE:CI): Eligible employees with one of Cigna’s large national accounts can now manage their health improvement goals and increase opportunities for earning personalized wellness incentives.
  • My Children’s Enhanced Recovery After Surgery (ERAS) (by Boston Children’s Hospital: Parents and caregivers of children in the ERAS program can provide their care teams updates on recovery progress and receive information regarding their post-op appointments.
  • Swedish Health Connect by Providence St. Joseph Health, a healthcare system with 51 hospitals across seven states and 829 clinics: Customers can find an urgent care center near them and schedule a same-day appointment.
  • Atrium Health, a healthcare system with more than 40 hospitals and 900 care locations throughout North and South Carolina and Georgia: Customers in North and South Carolina can find an urgent care location near them and schedule a same-day appointment.
  • Livongo, a digital health company that creates new and different experiences for people with chronic conditions: Members can query their last blood sugar reading, blood sugar measurement trends, and receive insights and Health Nudges that are personalized to them.

HIPAA Journal notes: “This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of HIPAA Privacy Rules, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.”

Steady increases associated with the costs of medical care combined with a shortage of healthcare professionals on both continents are driving trends that motivate government health programs and providers to experiment with non-traditional ways to interact with patients.

New digital and Artificial Intelligence (AI) tools like Alexa may continue to emerge as methods for providing care—including clinical laboratory and pathology advice—to healthcare consumers.

—JP Schlingman

Related Information:

“Alexa, How Do I Treat a Migraine?” Amazon and NHS Unveil Partnership

Amazon’s Alexa Will Deliver NHS Medical Advice in the UK

NHS Health Information Available Through Amazon’s Alexa

UK’s National Health Service Taps Amazon’s Alexa to Field Common Medical Questions

What Happens When Amazon Alexa Gives Health Advice?

Alexa, Where Are the Legal Limits on What Amazon Can Do with My Health Data?

Amazon Alexa Offering NHS Health Advice

A Shortage of Staff Is the Biggest Problem Facing the NHS

Need Quick Medical Advice in Britain? Ask Alexa

Alexa Blogs: Introducing New Alexa Healthcare Skills

Amazon Announces 6 New HIPAA Compliant Alexa Skills

Amazon Alexa Is Now HIPAA-Compliant: Tech Giant Says Health Data Can Now Be Accessed Securely

Can Artificial Intelligence Diagnose Skin Cancers More Accurately than Anatomic Pathologists? Heidelberg University Researchers Say “Yes”

Apple Updates Its Mobile Health Apps, While Microsoft Shifts Its Focus to Artificial Intelligence. Both Will Transform Healthcare, But Which Will Impact Clinical Laboratories the Most?

As Primary Care Providers and Health Insurers Embrace Telehealth, How Will Clinical Laboratories Provide Medical Lab Testing Services?

VA Engages Private Sector Companies in Major Telehealth Initiative to Bring Critical Healthcare Services to Thousands of Veterans Living in Remote Areas

HHS Announces Culpability Limits for HIPAA Violations, Drops Annual Fines Owed by Providers

Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties

Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.

The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:

In the eight weeks that followed, additional medical laboratory companies publicly disclosed breaches of their patient data, including:

What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.

Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.

Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:

  • No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000, $1.5 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 annual limit.

Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” In it, HHS revised its interpretation of the law and reduced CMPs, while more clearly defining how provider culpability ties to the ultimate amount of the fines:

  • No Knowledge, $100-$50,000 fine, $25,000 annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $100,000 annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000, $250,000 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 annual limit

In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”

Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”

Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.

In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)

Did HHS Go Too Far?

Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.

“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.

“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”

New Annual Limits Recognize ‘Unintentional’ Violations

But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.

Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”

“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.

Advice for Clinical Laboratories

Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. And this includes knowing how vendors handle PHI. 

“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).

“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”

Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their client’s PHI.

—Donna Marie Pocius

Related Information:

HHS Implements HIPAA Fine Caps Based on Level of Culpability

Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties

HHS Moves to Reduce HIPAA Fines Lowering the Cap More Than $M for Some Violations

HHS to Cap HIPAA Fines Based on “Culpability”

Labs Should Heed Lessons from Huge Data Breach

Late-Breaking Lab News: Add Eight More Laboratories to the List of Lab Companies Whose Patient Data Were Breached

DOJ Pursues Organizations That Falsely Claim Compliance with Medicare’s EHR Incentive Programs

Clinical laboratories that interface with hospital EHR systems under scrutiny by the DOJ could be drawn into the investigations

Officials at the federal US Department of Justice (DOJ) continue to pursue fraud cases involving health systems that allegedly have falsely attested to complying with the Medicare and Medicaid electronic health record (EHR) adoption incentive programs (now known as the Promoting Interoperability Programs).

This is important for clinical laboratory leaders to watch, because medical labs often interface with hospital EHRs to exchange vital patient data, a key component of complying with Medicare’s EHR incentive programs. If claims of interoperability are shown to be false, could labs engaged with those hospital systems under scrutiny be drawn into the DOJ’s investigations?

Violating the False Claims Act

In May, Coffey Health System (CHS), which includes Coffey County Hospital, a 25-bed critical access hospital located in Burlington, Kan., agreed to pay the US government a total of $250,000 to settle a claim that it violated the False Claims Act.

CHS’ former CIO filed the qui tam (aka, whistleblower) lawsuit, which allows individuals to sue on behalf of the government and share in monetary recovery. He alleged that CHS provided false information to the government about being in compliance with security standards to receive incentive payments under the EHR Incentive Program.

According to a DOJ press release, “the United States alleged that Coffey Health System falsely attested that it conducted and/or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013. The government contended that the hospital submitted false claims to the Medicare and Medicaid Programs pursuant the Electronic Health Records (EHR) Incentive Program.”

“Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records,” said Stephen McAllister (above), United States Attorney for the District of Kansas, in the DOJ press release. “This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments.” (Photo copyright: US Department of Justice.)

How Providers Receive EHR Incentive Program Funds

The original EHR Adoption Incentive Program was part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The federal government enacted the program as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), which was an amendment to the Health Insurance Portability and Accountability Act (HIPAA). 

The Recovery Act allocated $25 billion to incentivize healthcare professionals and facilities to adopt and demonstrate meaningful use (MU) of electronic health records by January 1, 2014. The federal Centers for Medicare and Medicaid Services (CMS) released the incentive funds when providers attested to accomplishing specific goals set by the program.

The website of the Office of the National Coordinator for Health Information Technology (ONC), HealthIt.gov, defines “meaningful use” as the use of digital medical and health records to:

  • Improve quality, safety, efficiency, and reduce health disparities;
  • Engage patients and their families;
  • Improve care coordination and population and public health; and
  • Maintain privacy and security of patient health information.

The purpose of the HITECH Act was to address privacy and security concerns linked to electronic storage and transference of protected health information (PHI). HITECH encourages healthcare organizations to update their health records and record systems, and it offers financial incentives to institutions that are in compliance with the requirements of the program.

When eligible professionals or eligible hospitals attest to being in compliance with Medicare’s EHR incentive program requirements, they can file claims for federal funds, which are paid and audited by the Department of Health and Human Services (HHS) through Medicare and Medicaid.

Institutions receiving funds must demonstrate meaningful use of EHR records or risk potential penalties, including the delay or cancellation of future payments and full reimbursement of payments already received. In addition, false statements submitted in filed documents are subject to criminal laws and civil penalties at both the state and federal levels.

EHR Developers Under Scrutiny by DOJ

EHR vendors also have been investigated and ordered to make restitutions by the DOJ. 

In February, Greenway Health, a Tampa-based EHR developer, agree to pay $57.25 million to resolve allegations related to the False Claims Act. In this case, the government contended that Greenway obtained certification for its “Prime Suite” EHR even though the technology did not meet the requirements for meaningful use.

And EHR vendor eClinicalWorks paid the government $155 million to settle allegations under the False Claims Act. The government maintained that eClinicalWorks misrepresented the capabilities of their software and provided $392,000 in kickbacks to customers who promoted its product. 

Legal cases such as these demonstrate that the DOJ will pursue both vendors and healthcare organizations that misrepresent their products or falsely attest to interoperability under the terms laid out by Medicare’s EHR Incentive Program.

Clinical laboratory leaders and pathology groups should carefully study these cases. This knowledge may be helpful when they are asked to create and maintain interfaces to exchange patient data with client EHRs.

—JP Schlingman

Related Information:

DOJ Pursues More Electronic Health Records Cases

Electronic Health Records Vendor to Pay $57.25 Million to Settle False Claims Act Allegations  

Electronic Health Records Vendor to Pay $155 Million to Settle False Claims Act Allegations

Kansas Hospital Agrees to Pay $250,000 to Settle False Claims Act Allegations

EHR Sales Reached $31.5 Billion in 2018 Despite Concerns over Usability, Interoperability, and Ties to Medical Errors

;