Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.

Used primarily as “banking Trojans” to steal credentials and financial information, these intrusive, fast-replicating Trojans spread quickly. Emotet is polymorphic, which makes it difficult for traditional antivirus solutions to detect. It worms its way through a network, generally using phishing emails sent from compromised systems to spread as quickly as possible. Once it has infected enough computers, it will “drop” (install) other malicious programs, especially TrickBot, which has all sorts of modular, built-in tools to discover system information, compromise that system and steal data.

The presence of either of these Trojans on a network is a serious threat. Both of these Trojans are closely related; where you see one, you often see the other. To help visualize how they work, think about them like a team of professional robbers:

  • Emotet is the ‘strike team’ hired to get Trickbot through as many doors as possible, by exploiting vulnerabilities or by stealing keys
  • Trickbot is the professional ‘safe-cracking team’ the Emotet strike team gets in the door
  • Trickbot might install ransomware to collect a ransom, or maybe just cover their tracks when they’re done. When it installs ransomware, it’s often Ryuk.

AKS and Medicare Advantage Plans: Don’t Kickback and Relax!

Health care attorneys have long questioned whether there are significant Anti-Kickback Statute (AKS) risks associated with financial transactions between Medicare Advantage plans and their participating providers. An ongoing case in the Northern District of Illinois could provide Medicare Advantage organizations with a clear answer regarding the nature of such risks.

United States ex rel. Derrick v. Roche Diagnostics Corp., brought by a qui tam relator under the False Claims Act, involves Roche Diagnostics Corp. (“Roche”), a manufacturer of glucose monitoring products, and Humana, Inc. (“Humana”), an issuer of Medicare Advantage plans (collectively the “Defendants”). United States ex rel. Derrick v. Roche Diagnostics Corp., 318 F. Supp. 3d 1106 (N.D. Ill. 2018). The relator alleges that the Defendants violated the AKS when Roche agreed to settle an overpayment owed by Humana for pennies on the dollar in exchange for the exclusive placement of Roche products on Humana’s formularies. This litigation has been ongoing since 2014 and the trial is set for early 2020.

Prior to the events giving rise to this action, Roche sold glucose monitoring products via Humana’s Medicare Advantage formularies. The relator alleges the following sequence of events. First, in March 2013 Humana notified Roche that it would be terminating its supplier contract with Roche and removed Roche’s products from its formularies. After protracted settlement negotiations, Roche agreed to accept only $11 million of the $45 million overpayment. That same week, Humana placed Roche products back on the Humana formularies and, crucially, also agreed to remove from its formularies all products that competed with Roche. Additionally, Roche “reserved the right to recover the full amount owed if Humana did not satisfactorily perform its obligations” under the debt forgiveness agreement. The relator claims that this exchange of debt forgiveness (remuneration) for formulary placement (recommendation/referral) amounted to an AKS violation.

NLRB Gives Employers Greater Discretion to Limit Union Activity on Their Premises

The National Labor Relations Board (the “Board”) recently issued a decision in UPMC Presbyterian Shadyside that reverses longstanding Board precedent and holds that employers no longer have to allow nonemployee union representatives access to public areas of their property unless (1) the union has no other means of communicating with employees or (2) the employer discriminates against the union by allowing access to similar groups.

The UPMC case arose after the employer, a hospital, ejected two union representatives from its cafeteria, where they had been discussing organizational campaign matters with employees and providing them with union literature and pins. Previously, and for many years, the Board had held that an employer could not restrict nonemployee union representatives from engaging in promotional or organizational activity in its public spaces, including cafeterias, so long as the union representatives were not “disruptive.” In UPMC, the Board returned to a more common-sense approach and held that the National Labor Relations Act “does not require that the employer permit the use of its facility for organization when other means are readily available.”

Medicare Advantage Premiums Are Not Subject to Washington Tax

Appeals Court ruling supports MA organization request for refund of B&O taxes paid on premiums

On April 1, 2019, the Washington Court of Appeals Division 1 ruled unanimously in a published opinion that premiums received by Medicare Advantage (“MA”) organizations from or on behalf of their members are not subject to Washington’s business and occupation (“B&O”) tax. Grp. Health Coop. v. Dep’t of Rev., No. 79091-9-1 (Wn. Ct. App. Apr. 1, 2019).

Washington’s B&O tax is imposed broadly on gross receipts but incorporates numerous exemptions, including an exemption for “premiums or prepayments that are taxable under RCW 48.14.0201 [Washington’s premium tax].” RCW 82.04.322. MA premiums are not subject to Washington’s 2% premium tax, which includes an exemption for Medicare premiums. RCW 48.14.0201. The Washington State Department of Revenue (“DOR”) has imposed B&O tax on MA premiums, reasoning that their exemption from the premium tax renders them ineligible for the exemption under the B&O tax.

Group Health Cooperative and Group Health Options, Inc. (collectively, “Group Health”) applied for a refund of the B&O tax imposed on their MA premium payments, asserting that MA premiums were exempt from the state’s B&O tax, or alternatively that the B&O tax on MA premium payments was preempted by federal law. The complaint was summarily dismissed in trial court. The court of appeals agreed with DOR’s interpretation of state law, holding that MA premiums are not exempt from B&O tax, but reversed the lower court on the issue of federal preemption.

A federal law enacted with the Balanced Budget Act of 1997 provides that “[n]o State may impose a premium tax or similar tax with respect to [MA premiums].” 42 U.S.C. § 1395w-24(g). The appeals court agreed with Group Health that this language preempts state law imposing B&O tax because the B&O tax shares key characteristics with, and thus is similar to, a premium tax. First, this is a case of DOR imposing the B&O tax on premiums, just like an explicit premium tax. Second, both the B&O tax and the premium tax are assessed on a gross basis. In holding that federal law preempts DOR from imposing a B&O tax on MA premiums, the court stated that Group Health was entitled to a refund of the B&O taxes previously paid.

It is unclear at this time whether the DOR will try to appeal to the Washington Supreme Court, and whether that court will accept the case for review. Regardless, as a result of this decision, any MA organization that has paid B&O tax on its MA premiums in Washington should immediately seek assistance in requesting a refund from the DOR. MA organizations should not wait to see if the matter is further appealed and should act now to preserve any potential refund claim.

For help requesting a refund, or if you have additional questions about this case and its implications, please contact Chauncey MacLean at chauncey.maclean@stoel.com or (206) 386-7551, or Kara Morse at kara.morse@stoel.com or (206) 386-7657.

HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes

In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attendant risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.

Washington Supreme Court Announces Zero-Tolerance Approach to Sexual Harassment in Places of Public Accommodation

The Washington Law Against Discrimination (WLAD) prohibits “places of public accommodation” from discriminating against their customers on the basis of several protected characteristics, including, without limitation, sex, race, national origin, and sexual orientation. Sexual harassment is one prohibited form of such sex-based discrimination. Generally speaking, a place of public accommodation is any business that is open to the public.

On January 31, 2019, the Washington Supreme Court announced a new sexual harassment standard for places of public accommodation. In so ruling, the Court held that, under the WLAD, employers are “directly liable for the sexual harassment of members of the public by their employees, just as they would be if their employees turned customers away because of their race, religion, or sexual orientation.” Floeting v. Group Health, Inc., No. 95205-1.

Effects of State Individual Mandates on Employer Group Health Plans

Late last year, Congress passed the Tax Cuts and Jobs Act, which included a provision effectively repealing the requirement for most Americans to have health insurance. This “individual mandate” was originally imposed by the Affordable Care Act (“ACA”). Beginning in 2019, the tax penalty individuals face if they do not enroll in health coverage considered minimum essential coverage (“MEC”) will drop to zero.

For many Americans, the individual mandate was satisfied by the health coverage provided by employers. From an employer perspective, the repeal of the individual mandate penalty might first appear to have little effect. The ACA’s employer shared responsibility provisions (also known as the “pay-or-play penalties”) remain intact, and applicable large employers (“ALEs”) will likely continue to provide group health coverage to employees and their dependents even though the individual mandate is no longer in effect. And though the Congressional Budget Office projected that an additional 4 million individuals will go uninsured when the federal penalty disappears, most of these individuals were previously insured in the individual market, not the group market.

But the repeal of the federal penalty has spurred activity at the state level that will require employer attention. Many states are concerned that the resulting increase in uninsured individuals will further strain state safety nets, resulting in accelerated efforts to strengthen state insurance markets by imposing state-law individual mandates to reduce the rate of uninsured individuals.

Short-Term Health Plans Hit Roadblock in Washington State

Washington’s Insurance Commissioner Rolls Back Federal Attempt to Expand Access to Short-Term Health Plans

On October 17, 2018, the Office of the Insurance Commissioner (“OIC”) adopted a final rule that defines minimum standards for short-term limited-duration health insurance plans (“short-term plans”) in Washington State and rejects federal efforts to expand their availability. Short-term plans are exempt from many of the minimum requirements applicable to most health plans under the Affordable Care Act (“ACA”) and Washington State law. The OIC rulemaking is a direct response to recent federal changes that removed many restrictions that previously curbed access to short-term plans. See our previous post for more information on the federal rule, which went into effect October 2, 2018 and is expected to result in a dramatic increase in the use of short-term plans.

Federal rules now allow short-term plans to cover an individual for up to 364 days in a year, and make it possible for someone to have short-term plan coverage for up to 36 months by using consecutive plans, all while side-stepping consumer protection requirements such as essential health benefits and the prohibition on exclusions for preexisting conditions. The new OIC rules would basically roll back these federal changes in Washington State, making it clear that short-term plans are not a viable alternative to more traditional insurance coverage.

The final rule:

  • Limits the duration of any short-term plan to three months, including any renewal period.
  • Prohibits a carrier from issuing a short-term plan if it would result in more than three months of coverage under a short-term plan in the same 12-month period. In other words, a consumer could not cobble together multiple short-term plans to cover more than the three-month limit.
  • If preexisting conditions are excluded, limits the lookback period to up to 24 months prior to the application date.
  • Requires minimum benefit coverage, including hospital, surgical and medical expense coverage of at least one million dollars, and a copayment or coinsurance of not more than 50%.
  • Prohibits the issuance of a short-term plan during open enrollment for individual coverage on the Washington State health benefit exchange.
  • Requires that potential enrollees be given a standard disclosure form, acknowledged by their signature, describing the limits of the coverage being offered. The disclosure must include specific language advising of the short-term plan’s limited nature, including that it may not cover preexisting conditions and that it does not include benefits required by the ACA. The disclosure then provides details about the timing, duration and extent of the coverage.
  • Requires OIC approval for any short-term plan, which may be withdrawn at any time for cause.
  • Is applicable to plans with an effective date on or after January 1, 2019.

The OIC acknowledges that short-term plans should be available as a stop-gap option for consumers who seek health coverage for a short period of time until more permanent health insurance may be obtained. With these rules, however, the OIC has largely restored the limitations which existed prior to the recent federal changes. The move sends a signal to carriers and consumers that any attempt to circumvent consumer protections or to use short-term plans as a long-term alternative to the traditional individual market will hit a roadblock in Washington State.

Was the Response Responsive Enough? The Oregon Court of Appeals Weighs In On “Failure to Respond” to the Board of Dentistry

Angle v. Board of Dentistry, No. A162472, decided by the Oregon Court of Appeals on October 17, 2018, is a statutory interpretation case that may inform how dentists respond to requests for information from the Oregon Board of Dentistry.

ORS 679.170(6) provides that no person shall “fail to respond” to a written request from the Board of Dentistry for information. Does a “nonresponsive” reply count as a failure to respond? In this case, the Oregon Court of Appeals decided that merely saying something is not sufficient to comply with ORS 679.170(6). Instead, responses must be responsive. According to the court, telling the board to go fly a kite or writing a letter about the history of Rome will not pass muster. However, a “curt and not overly helpful” response may suffice.

Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

The Office for Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement is the largest in HIPAA-enforcement history, far exceeding the previous record of $5.5 million paid by Memorial Healthcare in 2017.

OCR investigated Anthem following its report that a series of cyber attacks in 2014 and 2015 resulted in theft of the electronic protected health information (ePHI) of nearly 79 million members of its affiliated and other covered entity health plans. In addition to Anthem’s failure to implement sufficient safeguards to prevent and detect the inappropriate access to its systems, OCR also found that Anthem had:

  • Failed to conduct an enterprise-wide risk analysis
  • Insufficient procedures to regularly review records of information system activity
  • Failed to identify and respond to suspected or known security incidents
  • Failed to implement adequate minimum access controls to prevent unauthorized access to ePHI

A link to the Resolution Agreement between Anthem and OCR is available here.

It is not surprising that the largest HIPAA breach to date would result in the largest settlement to date, and this is a strong signal of this administration’s interest in leveraging its penalty authority to make an example of organizations that have large data breaches. Organizations of all sizes should take note, however. While penalties are imposed in only a small fraction of the incidents reported to OCR, any significant data breach will result in an OCR investigation that may bring inadequacies of privacy and security safeguards to light.

If you have questions or concerns about your HIPAA compliance posture or your information security and governance plans, we are ready to help.