HIPAA highlights: 2 disturbing class actions, OCR risk analysis enforcement

Walt Whitman penned in The Poet in Nature, “Sane, random, negligent hours, wandering the negligent paths.” The two class actions filed within a week against different hospitals can hardly be described as “sane” and illustrate conduct that is more severe than “negligence.” It makes one stop and think “who does this” but then again, this conduct of backdooring into electronic systems housing personally identifiable information (PII), protected health information (PHI) or individually identifiable health information (IIHI) or taking pictures of nude patients who put their trust in providers is not new. I wrote about this topic a decade ago for the Nevada State Board of Medical Examiners.

The potential violations stem beyond potential civil Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Federal Trade Commission Act violations and into the realm of criminal liability whether through the Stored Communications Act (SCA), HIPAA or 18 USC § 1028 (Fraud and related activity in connection with identification documents, authentication features, and information).

The first class action filed in early April 2025 involves a University of Maryland Medical Center (UMMC) pharmacist’s (Matthew Bathula) alleged decade-long cyber-voyeursim and cyber stalking, which he accomplished by deploying keylogging software onto approximately 400 workstations to view private information and watch and record intimate moments of co-workers. In his role as a Clinical Pharmacy Specialist, he had direct access to pharmacy residents and other young female medical professionals.

By installing the keyloggers, he was able to allegedly access internet-based cameras to record videos of medical professionals pumping breast milk in closed treatment rooms in the Frenkil Building and also utilized the stolen credentials to access webcams and home security cameras to view in-home interactions of families and intimate situations between adults. Not only did he allegedly view the information, he also stored the personally identifiable information and stored the intimate images.

The second class action filed in mid-April 2025 involves a physical therapist from an external health provider who for two years backdoored into the University of Kansas Health System and its Epic electronic health record system to access nude pre- and post-operative photographs of plastic surgery patients without anyone’s knowledge or consent. The lawsuit alleges 13 counts, including invasion of privacy, violations of the Computer Fraud and Abuse Act and the SCA, negligence, breach of contract and other causes of action.

What should set off alarms for compliance officers, providers and attorneys alike is how the conduct went on for years undetected. An adequate risk analysis should have identified the gaps and the defendants should have corrected them within a timely manner by strengthening existing technical, administrative and physical safeguards and/or implementing measures, including detection software, audit logs, etc. in a timely manner.

This brings us to the recent resolution between HHS-OCR and Northeast Radiology, P.C. (NERAD), which represents the sixth enforcement under the agency’s Risk Analysis Initiative. NERAD agreed to pay $350,000 and enter into a two-year corrective action plan. The basic facts and covered conduct include:

(2) HHS initiated an investigation of NERAD pursuant to a breach notification report filed by NERAD in March 2020. OCR’s investigation revealed that NERAD experienced a breach in its Picture Archiving and Communication Systems (PACS) server when it discovered that unauthorized individuals accessed data from NERAD’s PACS, which is used to store radiology images. The information stored in the PACS included electronic protected health information (ePHI). HHS’s investigation indicated potential violations of the following provision (“Covered Conduct”):

(a)The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

As HHS-OCR stated in its press release, “[a] HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it,” said OCR Acting Director Anthony Archeval. “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.” Indeed, the two aforementioned class actions are certainly indicative of the notion of failing to conduct an adequate and comprehensive risk analysis. In sum, these matters should serve as a warning to entities covered under HIPAA, as well as persons covered under the Federal Trade Commission Act and SCA and also as a reminder that risk can be mitigated through a thorough annual risk analysis.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.