Penalties Paid by HIPAA-Covered Entities to Resolve State Laws and HIPAA Violations

Premom App Creator Pays $200,000 for Impermissible Disclosure of Users’ Health Data

Easy Healthcare, the creator and distributor of the Premom Ovulation Tracker app, has agreed to settle an FTC complaint alleging violations of the Health Breach Notification Rule and the FTC Act. According to the complaint, the company disclosed app users’ health information to third parties without permission.

The Premom app lets users track their monthly periods and ovulation cycles. Users can upload photos of ovulation test strips, which the app analyzes to predict the user’s next ovulation cycle, and can import health information from other devices and apps. Hundreds of thousands of women have downloaded the app, and from 2017 to 2020 its terms of use stated that the company would never share or sell any data regarding users’ health to third parties for advertising purposes. The FTC alleges that during that period the Premom app was sending users’ sensitive health data to third-party advertisers without their consent.

The FTC’s Health Breach Notification Rule holds certain entities not regulated by the Health Insurance Portability and Accountability Act (HIPAA) accountable for breaches of consumers’ sensitive health information. The Rule requires notifications to consumers whenever individually identifiable health data is compromised. In September 2021, the FTC issued a policy statement confirming that developers of health apps are responsible for securing the health information they collect and should prevent unauthorized access to it.

According to the FTC complaint, Premom users were told that their health information would not be disclosed to third parties without their knowledge or permission. Easy Healthcare falsely claimed that it shared only non-identifiable information with third parties and that this information was used only for internal analytics. The FTC found that from 2018, Easy Healthcare disclosed Premom user data to Google LLC and to the advertising company AppsFlyer Inc, and that from 2018 to 2020, Premom user data was sent to two Chinese mobile analytics firms, Umeng and Jiguang (also known as Aurora Mobile Ltd). Easy Healthcare made no effort to limit those firms’ use of users’ health information, so they were free to use it for a wide range of purposes, including marketing. In addition to health information, Easy Healthcare also shared the identifiers unique to each mobile device (IMEI numbers) and precise geolocation data. The data sharing stopped only when the Google Play Store notified Easy Healthcare that it violated Play Store policies.

The FTC stated that Easy Healthcare failed to implement reasonable privacy and data security practices, in violation of the FTC Act. Because of the disclosures, Easy Healthcare was required to notify the FTC, app users, and the media; the FTC said that prompt and appropriate notice was not given, in violation of the Health Breach Notification Rule. Premom compromised consumers’ privacy. The FTC is serious about enforcing the Health Breach Notification Rule to protect consumers’ health data from exploitation, and companies that collect this data should know that the FTC does not tolerate abuses of health privacy.

If the court approves the order, Easy Healthcare will pay a $100,000 civil monetary penalty to the Treasurer of the United States. The company will also pay $100,000 to the states of Oregon and Connecticut and the District of Columbia as a settlement. Given the sensitive health information that apps like Premom collect and what it could reveal about a pregnancy, it is important that user data remains secure and confidential. The settlement requires Easy Healthcare to follow strict privacy requirements to ensure that users’ data is appropriately protected.

Easy Healthcare has also been ordered to stop sharing personal health information with third parties for advertising purposes and must notify the third parties that received user information and ask them to delete that data. Easy Healthcare has also agreed to improve its privacy and security practices and to conduct regular privacy and security reviews.

Easy Healthcare agreed to settle with the FTC to avoid the time and cost of litigation, and the decision to settle is not an admission of wrongdoing. The company reiterates that it does not, and will not, ever sell app users’ health data to third parties, nor disclose it for marketing purposes. At Easy Healthcare, securing users’ information is of the utmost importance, which is why the company has been transparent and fully cooperated with the FTC’s audit of its privacy program.

Medical Management Company Pays $550,000 Penalty for Patch Management Failures

A medical management firm has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that compromised the personal data and protected health information (PHI) of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, also known as PBS Medcode Corp and Practicefirst Medical Management Solutions, suffered a hacking incident in November 2020. The threat actor exfiltrated sensitive information from its systems and then encrypted files with ransomware. To prove that data had been stolen and to pressure Practicefirst into paying the ransom, the threat actor posted the files on its dark web data leak site. The leaked data included screenshots of the PHI of 13 patients. Practicefirst’s investigation found that the threat actor exfiltrated roughly 79,000 files containing names, dates of birth, Social Security numbers, driver’s license numbers, diagnoses, medication details, and financial information.

The Office of the New York Attorney General investigated and determined that the attacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall vendor had released an updated version of the firewall software in January 2019, but Practicefirst never applied the update. Practicefirst also did not perform penetration tests, vulnerability scans, or other security assessments that would have identified the vulnerability before it was exploited, and the PHI stored on its systems was not encrypted. According to the New York Attorney General, these failures violated state law and HIPAA.

Practicefirst agreed to settle the alleged HIPAA and state law violations. In addition to paying the financial penalty, Practicefirst must strengthen its data security practices and will provide affected individuals with free credit monitoring services. The required improvements include developing, implementing, and maintaining a comprehensive data security program; encrypting health data stored on its systems; establishing a patch management program with prompt patching of vulnerabilities; regular vulnerability scans and penetration tests; and upgrades to its data collection, storage, and disposal practices.

When an individual is seeking medical care, the last thing they should have to worry about is the security of their personal data. Every organization responsible for storing and processing patient information must take its obligation to safeguard personal data, and medical records in particular, seriously. New Yorkers can be assured that if companies fall short of that duty, the state AG will help hold them accountable.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism.