Apr 10, 2023

Privacy Briefs: April 2023 To embed, copy and paste the code into your website or blog: <iframe frameborder="1" height="620" scrolling="auto" src="//www.jdsupra.com/post/contentViewerEmbed.aspx?fid=7db4ab7b-850e-455d-820f-db56f4f86622" style="border: 2px solid #ccc; overflow-x:hidden !important; overflow:hidden;" width="100%"></iframe> ​ ◆ Personal information from federal lawmakers and congressional staff members was available on the dark web following a breach of DC Health Link, the health insurance marketplace for Washington, D.C. [1] In an internal memo sent to U.S. House of Representatives staff members, House Chief Administrative Officer Catherine Szpindor informed recipients of the “significant data breach,” and warned them their data may have been compromised. DC Health Link is working with forensic investigators, Szpindor said. The FBI confirmed that account information and personal information belonging to House members and staff was stolen, although it does not appear they were specifically targeted in the attack. The FBI also said that while they believe the individuals selling the stolen information did not seem to be aware of its “high-level sensitivity” at the time, continued publicizing of the event would “certainly change” that. At least 17 current or former members of Congress had personal information exposed, according to CBS News. [2] Rep. Joe Morelle (D-N.Y.) said hundreds of congressional staff may also have suffered a breach of their personally identifiable information. Morelle, the top Democrat on the House Committee on House Administration, said the panel has launched a review of the breach, in part to measure how many people who work in Congress have had sensitive information exposed. DC Health Link said in a statement that the breach impacted 56,415 individuals. The organization said it has identified two distinct groups of people impacted by the breach. [3] Group 1 includes individuals whose information was posted publicly on the dark web; those individuals will be provided with three years of free identity and credit monitoring services, DC Health Link said. Group 2 includes individuals whose information was stored in the same manner as those in Group 1 but whose information hasn’t been published online. “These individuals are being notified in an abundance of caution as we cannot say with certainty their information was compromised because we have no evidence of access or download,” DC Health Link’s statement said. All individuals in Group 2 will also be provided with three years of free identity and credit monitoring services. At least two lawsuits against DC Health Link over the breach have been filed and are seeking class-action status. ◆ Miami-based Independent Living Systems LLC (ILS), a business associate to two covered-entity subsidiaries that offer home- and community-based programs for highly complex member populations in the Medicare, Medicaid and dual-eligible markets, has reported a data breach affecting up to 4.2 million individuals, the largest so far in 2023. [4] According to the company’s breach notification, the company “experienced an incident involving the inaccessibility of certain computer systems on our network” on July 5, 2022. “Through our response efforts, we learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, the unauthorized user acquired some information stored on the ILS network, and other information was accessible and potentially viewed.” Information that may have been impacted included: names, addresses, dates of birth, driver’s license numbers, state identification numbers, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid identification, mental or physical treatment and condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge dates, prescription information, billing/claims information and health insurance information. Multiple lawsuits have been filed against ILS over the data breach. ◆ A cancer patient whose nude medical photos and records were posted online after a ransomware gang stole them has sued her health care provider for allowing the “preventable” and “seriously damaging” leak. [5] The proposed class-action lawsuit stems from a February hack, during which ransomware group BlackCat broke into one of the Lehigh Valley Health Network (LVHN) physicians’ networks. BlackCat stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people and then demanded a ransom payment to decrypt the files and prevent them from being posted online. BlackCat specifically warned that it would publish nude photos of patients. LVHN refused to pay the ransom, and in March BlackCat started leaking patient information, including images of at least two breast cancer patients naked from the waist up. At the time, an LVHN spokesperson issued a statement saying that “LVHN condemns this despicable behavior.” According to the lawsuit, [6] the plaintiff, identified as “Jane Doe,” had no idea that LVHN stored naked pictures of her. The plaintiff said she learned about the images from a phone call: “On March 6, 2023, LVHN’s Vice President of Compliance, Mary Ann LaRock, contacted Plaintiff telephonically and advised that nude images of her taken during radiation treatment were posted on the dark web by the hackers. Ms. LaRock offered Plaintiff an apology, and with a chuckle, two years of credit monitoring. Ms. LaRock informed Plaintiff that her Sensitive Information was stolen in the Data Breach, including likely her address, email address, date of birth, Social Security number, health insurance provider, medical diagnosis/medical treatment information, medications, and lab results, in addition to the now-public photographs of her receiving breast cancer treatment.” ◆ UC San Diego Health is notifying patients that one of its business associates, Solv Health, used analytics tools popularly known as pixels on the scheduling websites for its Urgent Care and Express Care clinics and that those tools captured and transmitted information to third-party tool providers. Solv Health hosted and managed UC San Diego Health’s scheduling websites for five locations; those who used the scheduling website between Sept. 13 and Dec. 22, 2022, to book appointments for in-person or video visits may have been affected. The tools may have captured first and last names, dates of birth, email addresses, IP addresses, third-party cookies, reason for visit and insurance type, UC San Diego Health said. The health system said it has transitioned to a new online scheduling tool for those five clinics. [7] ◆ Telehealth startup Cerebral said it shared private health information, including mental health assessments, of more than 3.1 million patients in the U.S. with advertisers and social media companies such as Facebook, Google and TikTok via pixels embedded on its website. Cerebral said in its breach notification that it has used tracking technologies since beginning operations in October 2019; it recently determined that it had disclosed protected health information to third parties and some subcontractors. The information disclosed varied but could have included names, phone numbers, email addresses, dates of birth, IP addresses, Cerebral client ID numbers and other demographic information. Individuals who completed any portion of Cerebral’s online mental health assessment may also have disclosed the service the individual selected, assessment responses and certain associated health information. Individuals who purchased a subscription plan from Cerebral may also have disclosed subscription plan type, appointment dates and other booking information, treatment and other clinical information, health insurance/pharmacy benefit information and insurance copayment amounts. [8] ◆ Oregon health system Asante is informing some of its patients that a local physician, Dr. Paul Hoffman, inappropriately accessed patient records for nine years, beginning in 2014. “Asante’s investigation indicates that Dr. Hoffman accessed records out of curiosity rather than for any fraudulent purposes,” the health system said in a statement. “Asante does not believe potentially affected patients need to take any steps in response to this incident or that this incident increases their risk of identity theft.” Asante said that Hoffman did not have access to patients’ Social Security numbers, driver’s license numbers or bank information. The health system said it has reported Hoffman to the Oregon Medical Board. [9] 1 C. Mandler, “Following a ‘significant’ breach, DC Health Link user data is being sold on the dark web,” CBS News, March 8, 2023, https://cbsn.ws/3Kpp5li . 2 Scott MacFarlane, “At least 17 members of Congress had sensitive information exposed in data breach,” CBS News, March 21, 2023, https://cbsn.ws/3lUMVfA . 3 DC Health Link, “Data Breach: Incident Response Updates,” https://bit.ly/42WeKEQ . 4 Independent Living Systems, LLC, “Supplemental Notice of Data Event,” March 14, 2023, https://bit.ly/3Ga3fA1 . 5 Jessica Lyons Hardcastle, “Cancer patient sues hospital after ransomware gang leaks her nude medical photos,” The Register, March 15, 2023, https://bit.ly/40Q6g0e . 6 Jane Doe v. Lehigh Valley Heath Network, Inc., Lackawanna County, Pa., Case No. 23CV1149, filed March 13, 2023, https://bit.ly/3lZlqBn . 7 UC San Diego Health, “UC San Diego Health Notifies Patients of Vendor Data Collection Issue,” UC San Diego Today, March 16, 2023, https://bit.ly/3lXAKhQ . 8 Cerebral, “Notice of HIPAA Privacy Breach,” accessed April 3, 2023, https://bit.ly/3nCgK4Z . 9 Derek Strom, “Asante informing patients about possible breach of privacy,” KOBI5.com, March 7, 2023, https://bit.ly/3K6rfVE .