OIG |

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

February 3, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health care providers, health plans, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations OCR identified specifically included:

A lack of an analysis to determine risks and vulnerabilities of electronic protected health information across the organization;
Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack;
Failure to implement an authentication process to safeguard its electronic protected health information; and
Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as a warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near-miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board-level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, suppliers and other third parties, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third-party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | Cyber crime, data breach, data security, DME, Doctor, Employer, ERISA, Federal Sentencing Guidelines, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospice, Hospital, hospitals, Licensing, Meaningful Use, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, OCR, Peer Review, Physician Licensing, retaliation, Technology, Telemedicine, Whistleblower | Tagged: ARRA, Breach Notification, CMS, Compliance, Corporate Compliance, Data Breach, Data Security, Doctor, DOJ, EHR, Electronic Health Records, Employer, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Care Reimbursement, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Privacy, HITECH Act, Hospital, Hospitals, licensure, Medicaid, Medical Privacy, Medicare, OCR, Office of Civil Rights, OIG, PHI, Physician, Physicians, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

4 Pharmacies Pay $6.8+ Million To Settle Copayment Waiver Civil False Claims Act Claims

October 14, 2022

The $6.8 million settlement paid by four pharmacies to settle False Claims Act civil claims warns other pharmacies and other health care providers against improper copayment or other cost sharing waiver, billing and referral practices.

The Department of Justice announced October 12, 2022 that DermaTran Health Solutions, LLC (“DermaTran”); Pharmacy Insurance Administrators, LLC; Legends Pharmacy; TriadRx; and the former owners of Lake Side Pharmacy and related entities, agreed to pay $6,876,564 to resolve allegations that they violated the False Claims Act by waiving copays, charging the government higher prices than permitted, and trading federal healthcare business with other pharmacies.

The government alleged that in 2012, pharmacy DermaTran opened in Rome, Georgia, for the purpose of making and selling custom “compound” pain creams. DermaTran’s owners during the relevant time include DIII Consulting, LLC; SRM Holdings, LLC; Gussenhoven Holdings, LLC; Sam Moss; and Robert Gussenhoven. At the same time, another company named Pharmacy Insurance Administrators, LLC (“PIA”), was created to handle the billing for DermaTran. During the relevant time, PIA was a subsidiary of Insurance Administrative Solutions, LLC; which was a subsidiary of Gulfcoast Administrators, LLC; which was majority-owned by Life & Health Holdings, Inc.; which was a subsidiary of State Mutual Insurance Company.

Compound pain creams were very lucrative. Government-backed health insurance programs such as TRICARE (for the military) and the Federal Employees Health Benefits Program (for federal workers) would reimburse hundreds of dollars for these prescriptions. But the government programs imposed certain restrictions to limit spending. For example, patients were required to contribute to the cost of the prescription in the form of copays. The government programs also limited payments to the “usual and customary price”—the price charged to a cash-paying, uninsured patient.

The Government alleged that DermaTran and PIA found ways to avoid these restrictions. DermaTran and PIA created a copay-waiver program where patients would have their copays waived based on a brief, unverified statement of economic need. DermaTran and PIA also misled the government programs about the price being charged to uninsured, cash-paying patients by falsely stating that that price was high when, in fact, it was only $30. As a result, there were days that veterans were charged $600+ for pain creams, while uninsured patients were charged only $30.

Eventually, various auditors uncovered these problems and began to terminate DermaTran from their networks. The Government alleged that DermaTran, looking for a way to continue to earn money, began selling its out-of-network prescriptions to other pharmacies. The other pharmacies could fill the prescriptions because they were still in network. After filling the lucrative prescriptions, the other pharmacies remitted a portion of the proceeds to DermaTran and PIA. The government alleged that this arrangement constituted an illegal kickback. The other pharmacies that participated in this prescriptions-for-money scheme included Legends Pharmacy (in Texas), Lake Side Pharmacy (in Alabama), and TriadRx (in Alabama).

This settlement resulted from a joint investigation by the U.S. Attorney’s Office for the Northern District of Georgia, the FBI, the Defense Criminal Investigative Service, the US Office of Personnel Management – Office of the Inspector General, the U.S. Postal Service – Office of Inspector General, and the Health and Human Services – Office of Inspector General.

This civil settlement resolves a lawsuit filed in the U.S. District Court for the Northern District of Georgia by a former accountant for DermaTran, under the qui tam, or whistleblower provisions, of the False Claims Act. United States ex rel. Doe v. DermaTran Health Solutions, LLC, et al., Civil Action No. 1:17-CV-1765. Under the False Claims Act, private citizens may bring suit for false claims on behalf of the United States and share in any recovery obtained by the government.

Under the settlement, PIA will contribute $6.5 million to the settlement. DermaTran is no longer operating and was sold in an arm’s-length transaction to a third-party buyer last year for the price of $40,000. That amount will be turned over to the government as part of the settlement. MLDP of Texas, LP (a/k/a “Legends Pharmacy”) will pay $59,293. TRIAD Rx, Inc. will pay $166,547. Lake Side Pharmacy is no longer in business, but former owners of Lake Side Pharmacy will pay $110,724. The former owners include Titan Medical Marketing, LLC; Donald Wayne Bogue; George Takashi Elkins; James Bernard Bogue, Jr.; Robert Joseph Puckett, Jr.; Robert Joseph Puckett, Sr.; Stephen Weston Wilson; and Charles Franklin Taylor, Jr. The whistleblower will receive $1,434,775 from the settlements. PIA will also pay her attorney’s fees.

The settlement documents the commitment of the Justice Department, the Department of Health & Human Services (“HHS”) Office of Inspector General (“OIG”) and other federal agencies to enforce the False Claims Act to recover government payments that result from improper waiver of copays, charging the government higher prices and other improper practices in violation of the False Claims Act. The agencies made a point of including their respective warnings in their announcement of the settlement.

“Health care fraud abuse like this case erodes the trust patients have in the health care system,” said Keri Farley, Special Agent in Charge of FBI Atlanta. “The FBI will not stand by when there are allegations of companies operating corporate wide schemes to illegally line their pockets.”

“Fraud through compounding pharmacies bilked billions out of TRICARE and undermined the integrity of our healthcare system designed to care for our service members and their families,” stated Cynthia Bruce, Special Agent in Charge of the Department of Defense, Office of Inspector General, Defense Criminal Investigative Service (DCIS). “I appreciate the partnership among involved law enforcement agencies and the U.S. Attorney’s Office to bring this matter to justice.”

“The OPM OIG has no tolerance for businesses that knowingly take advantage of FEHBP, violating the rules to make a profit,” said Amy K. Parker, Special Agent in Charge, OPM OIG. “I am extremely proud of the hard work of our investigators, analysts, and other law enforcement partners because overcharging the government is not a victimless crime – it contributes to higher premium prices and harms the financial integrity of the FEHBP.”

“The U.S. Postal Service, Office of Inspector General, will continue to tirelessly investigate those who commit frauds against federal benefit programs and the U.S. Postal Service. This settlement is a clear message that the USPS OIG is dedicated to rooting out corruption and bringing to justice those responsible for these crimes, said Special Agent in Charge Matthew Modafferi of the U.S. Postal Service, Office of Inspector General Northeast Area Field Office. The USPS OIG would like to thank our law enforcement partners and the Department of Justice for their efforts in this investigation”.

“Health care providers that try to boost their profits by submitting fraudulent claims to Federal health care programs threaten the integrity of those programs and drive up prices for everyone,” said Tamala E. Miles, Special Agent in Charge with the U.S. Department of Health and Human Services Office of Inspector General. “We work tirelessly alongside our law enforcement partners to protect the integrity of Federal health care programs and to ensure the appropriate use of taxpayer dollars.”