‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all of them refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems, for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on DataBreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). DataBreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be in the minds of any healthcare organization as they learn of these events. First, is your own data security protected from such attacks, or are you vulnerable as well? How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, what will your response be in the event you receive a post-breach ransom demand? I think every organization should have at least a working framework for analyzing that question before it finds itself the recipient of such a demand.

U.S. Supreme Court Issues False Claims Act Ruling of Interest to Health Care Providers

The United States Supreme Court recently issued a ruling in a False Claims Act case with mixed implications for the health care industry. Kellogg Brown & Root Services, Inc. v. United States ex rel. Carter, No. 12-1497, decided May 26, 2015. In this qui tam lawsuit brought under the False Claims Act, a former employee of a defense contractor during the Iraqi conflict alleged that defense contractors and related entities had fraudulently billed the government for water purification services that were not performed or not performed properly. Although this was not a health care case, the Court’s ruling will impact False Claims Act matters involving health care providers.

The case involves two restrictions on qui tam lawsuits under the False Claims Act. The first restriction is the “first-to-file” bar which prohibits a qui tam lawsuit “based on the facts underlying [a] pending action.” 31 U.S.C. § 3730(b). The second restriction involves the statute of limitations: the False Claims Act requires that a qui tam action must be brought within six years of the violation or within three years of the date the United States should have known about the violation, but cannot be brought more than ten years after the date of a violation. 31 U.S.C. § 3731(b). The Court had to decide whether the Wartime Suspension of Limitations Act, which suspends the statute of limitations involving fraud whenever Congress authorizes the use of the armed forces as described in section 5(b) of the War Powers Resolution, is limited to criminal actions or whether it extends to civil claims.

In a unanimous decision, the Court issued a ruling that has both good and bad consequences for health care providers. The Court declined to extend the qui tam statute of limitations under the Wartime Suspension of Limitations Act to civil claims. After analyzing the statutory language, the Court concluded that the Wartime Suspension of Limitations Act applies only to criminal charges. Thus, the Wartime Suspension of Limitations Act did not suspend the time for filing civil claims under the False Claims Act.

Adopting the ordinary meaning of “pending,” the Court also decided that the False Claims Act’s first-to-file bar does not keep new claims out of court once the related suit is dismissed, because a qui tam suit ceases to be “pending” once it is dismissed. The first-to-file bar does not forever prevent a subsequent lawsuit from being filed. Thus, an earlier suit bars a later suit only while the earlier suit remains undecided. However, the Court noted that the issue of claim preclusion, which may protect defendants if the first-filed action is decided on the merits, was not before it. Thus, a subsequent lawsuit may nonetheless be barred if the earlier suit was decided on the merits, under the doctrine of claim preclusion, which, generally speaking, bars relitigation of a claim that was already decided on the merits.

Developing a New Way to Detect Pressure Ulcers

Hospitals and nursing homes frequently encounter patients and residents with or at risk of developing pressure ulcers. Although hospitals and nursing homes make great efforts to prevent pressure ulcers from developing or worsening, there is no method to detect early tissue damage before it is visible. However, interesting new research may develop into a promising way to confront the challenges of pressure ulcer prevention.

Researchers at the University of California—Berkeley and the University of California—San Francisco have developed an automated sensing device to detect pressure ulcers before they are visible. This early warning device could assist treatment of high-risk patients. The automatic sensing device—dubbed a “Smart Bandage”—uses electrical currents to detect early tissue damage from pressure ulcers before they are visible and when early intervention is possible. The Smart Bandage has electrodes printed onto a piece of plastic that measure the strength of the electrical signals on the skin. Detecting the change in electrical resistance that occurs when a pressure ulcer has started to form but is not yet visible will allow early detection and treatment of pressure ulcers. According to an article recently published in the journal Nature Communications, the device was tested on a rat model and demonstrated the feasibility of a Smart Bandage for early detection of pressure ulcers.

The Smart Bandage is an interesting development for health care facilities that treat patients or residents who are at risk for pressure ulcers. Pressure ulcers are particularly challenging for nursing homes and are the focus of the Centers for Medicare and Medicaid Services’ (CMS) quality measures rating system for nursing homes. Pressure ulcers are also often a focus of patient or resident litigation against a health care facility. The Smart Bandage could greatly assist health care providers in the challenge of preventing and treating pressure ulcers.

D.C. Circuit Upholds Privilege for Internal Compliance Investigations

A recent decision reaffirming that the attorney-client privilege applies to internal compliance investigations should be of interest to health care providers. In In re: Kellogg Brown & Root, Inc., No. 14-5055 (June 27, 2014), the U.S. Court of Appeals for the District of Columbia vacated a trial court order requiring a company to produce its internal investigation documents, which the company claimed were protected by the attorney-client privilege. This decision provides a timely reminder that health care clients should revisit their corporate compliance program requirements and policies to protect compliance activities covered by the attorney-client privilege.

In rejecting the lower court’s ruling that the company’s compliance investigation was not protected by the attorney-client privilege, the appeals court discussed the privilege in terms that are of interest to any company that conducts internal investigations.

    1. An attorney’s status as in-house counsel does not dilute the attorney-client privilege. The appeals court rejected the lower court’s reasoning that outside counsel must be involved in an internal investigation before the attorney-client privilege applies. Thus, the appeals court concluded that the attorney-client privilege can apply when an internal investigation is conducted by in-house attorneys without consulting outside counsel.
    2. Investigations conducted by non-attorneys at the direction of attorneys can be protected by the attorney-client privilege. The appeals court noted that the investigation in this case was conducted at the direction of attorneys in the corporation’s legal department and that communications made by and to non-attorneys serving as agents of attorneys in internal investigations are routinely protected by the attorney-client privilege.
    3. A company is not required to use “magic words” to protect the investigation under the attorney-client privilege. The lower court ruled that the privilege did not protect the internal investigation because the employees were not informed that the purpose of the interview was to assist the company in obtaining legal advice. The appeals court rejected this reasoning, clarifying that a company is not required to use specific words to gain the benefit of the privilege. The appeals court also noted that in this case the employees knew the company’s legal department was conducting a sensitive investigation; that the information employees disclosed would be protected; and that the employees were told not to discuss their interviews without the general counsel’s advance, direct authorization.
    4. An internal investigation made in compliance with federal regulations does not mean that the investigation was for a business purpose rather than to obtain or provide legal advice. The appeals court emphasized that the attorney-client privilege applies if obtaining or providing legal advice was one of the significant purposes of the internal investigation, even if there were other purposes for the investigation, the investigation was mandated by regulation, and the investigation did not occur at the company’s discretion. Thus, as long as one of the significant purposes of the internal investigation was to obtain or provide legal advice, the attorney-client privilege applies even if the internal investigation was conducted pursuant to a company compliance program required by statute or regulation, or was conducted pursuant to company policy.

This decision is an important development for health care providers that have compliance programs and conduct internal investigations. However, health care providers should review their internal investigation processes to ensure that any internal investigation will be protected by the attorney-client privilege. The issues that health care providers should address include the following.

    • Review policies and procedures to make sure that they explain the process for conducting internal investigations that are covered by the attorney-client privilege, including a statement that these investigations are for the purpose of obtaining or providing legal advice.
    • Contact counsel, whether in-house or external, promptly when it becomes necessary to conduct an internal investigation.
    • Attorneys should direct the investigation.
    • Document that an attorney is involved in the investigation for the purpose of obtaining or providing legal advice.
    • While there are no “magic words” required to protect an investigation under the attorney-client privilege, all employees who are interviewed should be informed that the company is conducting an investigation to gather facts for the purpose of providing or obtaining legal advice, that the information discussed in the investigation should remain confidential, that the attorney represents the company, and that the conversation is protected by the attorney-client privilege.
    • Counsel should be included in communications, including e-mails and phone calls.
    • Documents should be marked to indicate that they are privileged attorney-client communications.

OIG Issues Priority Recommendations Highlighting Focus Areas

The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) recently released the OIG Compendium of Priority Recommendations. The OIG derives its 25 priority recommendations from more specific recommendations that the OIG has made in audit and evaluation reports but that have not yet been implemented. The recommendations cover 25 broad areas and provide insight into the OIG’s focus areas. According to the OIG, the “recommendations represent opportunities to achieve cost-savings, improve program management, and ensure quality of care and safety of beneficiaries. …” Health care providers should review the OIG recommendations to assist in focusing compliance efforts.

The OIG’s recommendations fall into seven broad categories:

    1. Medicare Policies and Payments;
    2. Medicare Quality of Care and Safety Issues;
    3. Medicaid Program Policies and Payments;
    4. Medicaid Quality of Care and Safety Issues;
    5. Oversight of Food Safety;
    6. HHS Grants and Contracts; and
    7. HHS Financial Stewardship.

Below is a summary of selected recommendations that affect senior providers, hospice, and home health.

Hospice care in nursing homes – The OIG expresses concern that Medicare’s hospice payment methodology may lead some hospices to inappropriately seek out beneficiaries in nursing homes. As the OIG notes, Medicare pays hospices an all-inclusive daily rate regardless of the number of services furnished. The OIG identified hundreds of hospices that had more than two-thirds of their beneficiaries residing in nursing facilities in 2009.

The OIG recommends monitoring hospices that depend heavily on nursing facility residents. In addition, the OIG recommends modification of the payment system for hospice care in nursing facilities, including statutory authority if necessary.

Home health services: billing practices – The OIG expressed concern about home health agencies’ billing practices, noting that one review found one in four home health agencies exceeded a threshold that indicated unusually high billing for at least one of six measures of questionable billing.

As a result of this finding, the OIG’s recommendations include increasing monitoring of billing of home health services and taking action regarding inappropriate payments and questionable billing.

Skilled nursing facilities: billing practices – According to the OIG, skilled nursing facilities have a number of billing problems. The OIG states that these problems include submitting inaccurate, medically unnecessary, and fraudulent claims, concluding that in 2009 skilled nursing facilities billed one-quarter of their claims in error.

The OIG has several recommendations to remedy skilled nursing facilities’ billing problems, such as increasing and expanding review of claims, monitoring compliance with new therapy assessments, and strengthening monitoring of skilled nursing facilities that disproportionately bill for higher paying resource utilization groups.

Nursing homes: patient harm, questionable resident hospitalizations, and inappropriate drug use – The OIG found a number of problems with nursing homes. According to the OIG’s findings, about 33 percent of Medicare beneficiaries experienced adverse or temporary harm events during their stay. Fifty-nine percent of these events were clearly or likely preventable, and the OIG found that these events resulted from substandard treatment, inadequate resident monitoring, and failure or delay of necessary care. The OIG also raised concerns about questionable resident hospitalizations and about nursing homes’ safeguards against unnecessary antipsychotic drug use.

The OIG made several specific recommendations to combat the nursing home problems that it identified. The recommendations include instructing nursing home surveyors to review facility practices for identifying and reducing adverse events, instructing surveyors to review nursing home hospitalization rates, and having the Centers for Medicare and Medicaid Services assess whether survey and certification processes offer adequate safeguards against unnecessary antipsychotic drug use in nursing homes.

Other recommendations – Health care providers should review the OIG’s entire list of priority recommendations to determine which recommendations apply to them. The recommendations provide a useful starting point for targeted compliance activities.