Privacy Notes: April 2023 | Healthcare Compliance Association (HCCA) [Boss Insurance]

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Patient Privacy Report Volume 23, Issue 4. April 2023

The personal information of federal lawmakers and congressional staffers was available on the dark web following a breach of DC Health Link, the Washington, DC health insurance marketplace[1] In an internal memo sent to U.S. House of Representatives staffers, House Administrative Director Catherine Szpindor informed recipients of the “significant data breach” and warned them that their data could be damaged. been compromised. DC Health Link is working with forensic investigators, Szpindor said. The FBI has confirmed that account information and personal information belonging to House members and staff were stolen, although it does not appear that they were specifically targeted in the attack. The FBI also said that while it believed the people selling the stolen information did not appear to be aware of its “high-level sensitivity” at the time, continued publicity of the event would “certainly change”. that. At least 17 current or former members of Congress have had personal information exposed, according to CBS News.[2] Rep. Joe Morelle (DN.Y.) said hundreds of congressional staffers may also have had their personally identifiable information breached. Morelle, the top Democrat on the House Committee on House Administration, said the panel launched a review of the breach, in part to gauge how many people who work in Congress have seen sensitive information. exhibited. DC Health Link said in a statement that the breach affected 56,415 people. The organization said it identified two distinct groups of people affected by the breach.[3] Group 1 includes people whose information has been publicly posted on the dark web; those people will get three years of free identity and credit monitoring services, DC Health Link said. Group 2 includes people whose information has been stored in the same way as Group 1 but whose information has not been published online. “These individuals are being notified with great caution as we cannot say with certainty that their information has been compromised as we have no evidence of access or download,” the DC Health Link statement read. Everyone in Group 2 will also get three years of free identity and credit monitoring services. At least two lawsuits against DC Health Link for the violation have been filed and are seeking class action status.

Miami-based Independent Living Systems LLC (ILS), a business associate of two Covered Entity subsidiaries that provide home and community programs for highly complex member populations in the Medicare, Medicaid and dual-eligibility markets, reported a data breach affecting up to 4.2 million people, the largest to date in 2023.[4] According to the company’s breach notification, the company “experienced an incident involving the inaccessibility of certain computer systems on our network” on July 5, 2022. “Through our response efforts, we learned that an actor unauthorized user had gained access to certain ILS systems between June 30 and July 5, 2022. During this period, the unauthorized user acquired certain information stored on the ILS network, and other information was accessed and potentially viewed. information that may have been impacted includes: names, addresses, dates of birth, driver’s license numbers, state identification numbers, social security numbers, financial account information, medical record numbers, Medicare identification or Medicaid, mental or physical treatment and health status information, food delivery information, diagnosis code or diagnosis information, admission/discharge dates, prescription information, billing/claims information and health insurance information. Several lawsuits have been filed against ILS for the data breach.

A cancer patient whose nude photos and medical records were posted online after a ransomware gang stole them has sued her healthcare provider for allowing the ‘preventable’ and ‘severely harmful’ leak “.[5] The proposed class action stems from a February hack, in which ransomware group BlackCat broke into one of the Lehigh Valley Health Network (LVHN) physician networks. BlackCat stole images of patients undergoing radiation oncology treatment and other sensitive health records belonging to more than 75,000 people, then demanded ransom payment to decrypt the files and prevent them from being published online . BlackCat specifically warned that it would post nude photos of patients. LVHN refused to pay the ransom, and in March BlackCat began leaking patient information, including images of at least two breast cancer patients naked from the waist up. At the time, a spokesperson for LVHN released a statement saying “LVHN condemns this despicable behavior.” According to the lawsuit,[6] the plaintiff, identified as “Jane Doe”, had no idea that LVHN was storing nude photos of her. The Complainant stated that she became aware of the images during a phone call: “On March 6, 2023, LVHN’s Vice President of Compliance, Mary Ann LaRock, contacted the Complainant by telephone and informed her that images nudes of her taken during radiation therapy had been posted on the dark web by the hackers.Ms. LaRock offered the plaintiff an apology and, with a chuckle, two years of credit monitoring.Ms. LaRock informed the plaintiff that her Sensitive information was stolen during the data breach, likely including his address, email address, date of birth, social security number, health insurance provider, medical diagnosis/ medical treatment, medications and lab results, in addition to now public photographs of her receiving treatment for breast cancer.

UC San Diego Health advises patients that one of its business associates, Solv Health, has used analysis tools known as pixels on its Urgent Care and Express Care clinic scheduling websites and that these tools captured and transmitted information to third-party tool providers. . Solv Health hosted and managed the UC San Diego Health scheduling websites for five sites; those who used the scheduling website between September 13 and December 22, 2022 to book appointments for in-person or video visits may have been affected. The tools may have captured first and last names, birth dates, email addresses, IP addresses, third-party cookies, reason for visit and type of insurance, UC San Diego Health said. The health system said it has moved to a new online scheduling tool for those five clinics.[7]

Telehealth startup Cerebral said it has shared private health information, including mental health assessments, of more than 3.1 million patients in the United States with advertisers and social media companies such as Facebook, Google and TikTok via embedded pixels on its website. Cerebral said in its breach notice that it has been using tracking technologies since beginning operations in October 2019; it recently determined that it disclosed protected health information to third parties and certain contractors. The information disclosed varied but could have included names, phone numbers, email addresses, dates of birth, IP addresses, brain client ID numbers and other demographic information. Individuals who have completed part of Cerebral’s online mental health assessment may also have disclosed the individual’s selected service, assessment responses, and certain associated health information. Individuals who have purchased a subscription plan from Cerebral may also have disclosed the type of subscription plan, appointment dates and other booking information, treatment and other clinical information, information on health insurance/pharmacy benefits and the amounts of the insurance co-payments.[8]

Oregon Health System Asante is notifying some of its patients that a local physician, Dr. Paul Hoffman, improperly accessed patient records for nine years, beginning in 2014. “Asante’s investigation indicates that Dr. Hoffman accessed the records out of curiosity rather than for fraudulent purposes,” the health system said in a statement. “Asante does not believe that potentially affected patients should take action in response to this incident or that this incident increases their risk of identity theft.” Asante said Hoffman did not have access to the patients’ social security numbers, driver’s license numbers or banking information. The health system said it reported Hoffman to the Oregon Medical Board.[9]


1 C. Mandler, ““Massive” breach sells DC Health Link user data on dark web,” CBS News, March 8, 2023, https://cbsn.ws/3Kpp5li.

2 Scott MacFarlane, “At Least 17 Members of Congress Had Sensitive Information Exposed in Data Breach,” CBS News, March 21, 2023, https://cbsn.ws/3lUMVfA.

3 DC Health Link, “Data Breach: Incident Response Updates,” https://bit.ly/42WeKEQ.

4 Independent Living Systems, LLC, “Additional Data Event Notice,” March 14, 2023, https://bit.ly/3Ga3fA1.

5 Jessica Lyons Hardcastle, “Cancer Patient Sues Hospital After Ransomware Gang Leaks Her Naked Medical Photos” The registerMarch 15, 2023, https://bit.ly/40Q6g0e.

6 Jane Doe c. Lehigh Valley Heath Network, Inc., Lackawanna County, Pennsylvania, Case No. 23CV1149, filed March 13, 2023, https://bit.ly/3lZlqBn.

7 UC San Diego Health, “UC San Diego Health notifies patients of provider data collection issue,” UC San Diego todayMarch 16, 2023, https://bit.ly/3lXAKhQ.

8 Cerebral, “Notice of HIPAA Privacy Breach,” accessed April 3, 2023, https://bit.ly/3nCgK4Z.

9 Derek Strom, “Asante notifying patients of possible privacy breach,” KOBI5.com, March 7, 2023, https://bit.ly/3K6rfVE.

[View source.]