- A
- A
- A
Statement of the Center for Disability Rights on Angels in Your Home Breach of Records
Over the weekend, the Center for Disability Rights notified the media that there was a breach of private personal records at Angels in Your Home, a local home care agency. To be clear, no records at the Center for Disability Rights, All About You Homecare or the Regional Center for Independent Living were compromised. The breach occurred at Angels in Your Home.
The former CEO of Angels in Your Home, a local home care agency, left that agency to start another home care agency, All-American. It has been reported that this individual and other former Angels staff took protected, personal information of consumers and attendants without consent. In some cases, they obtained consent from individuals to take their information through misrepresentation and coercion.
How did CDR get involved?
CDR was contacted by one of our consumers who had enrolled at Angels in Your Home. She was at risk of going into a nursing facility because her attendants had not been paid in weeks. CDR contacted the agency to follow-up, and a representative from Angels in Your Home told us that when the former CEO left Angels he took consumer files, including the file of our consumer, which is why her attendants had not been paid.
As soon as CDR became aware that private, protected information of individuals with disabilities had been compromised, we immediately contacted all of our consumers who use Angels in Your Home as their homecare agency to inform these individuals of the breach at Angels. Individuals that CDR contacted have stated that they were angry about being misled or manipulated by the former Angels staff into moving their services to All-American Homecare.
When CDR contacted representatives from Angels in Your Home, they indicated that they had contacted their lawyers, but had not yet informed their consumers that their personal information was breached.
The Center for Disability Rights fights for the rights of all people with disabilities – not just those who receive services from us. We issued a press release calling upon the state to do an immediate on-site investigation to determine the level of the breach and to notify the disabled individuals of this scheme in which their confidential personal information was misused and stolen. CDR has also contacted the United States Health and Human Services Office for Civil Rights and the NYS Attorney General’s Office to urge them to take action on this.
How does this affect people with disabilities?
Disabled people who rely on agencies in order to maintain their independence in the community put a great deal of trust in their service providers. When a trusted individual steals from, lies to, or manipulates the disabled people that they serve in order to make a profit, that trust is not just broken, it is ripped away. Furthermore, this creates and reinforces a dynamic that people providing services can personally benefit from using a disabled person’s information and undermines the trust that people with disabilities can place in their healthcare and support providers. Such individuals treat disabled people as commodities to profit from, not people.
Of course, this also opens up disabled people to more abuse and other health and safety concerns because their private information is no longer secure and could be anywhere.
What are the legal implications?
Not only is stealing from, lying to, and manipulating people with disabilities wrong, but in this case, it’s also illegal in many ways.
First, it’s a violation of the Health Information Portability and Accountability Act (HIPAA) to knowingly obtain or disclose individually identifiable health information. This means that if you have access to an individual’s health information and use it for any purpose other than the purpose you require such information to do your job, you’re violating HIPAA.
The law protects all “individually identifiable health information.” This information includes whether the individual receives any healthcare service, information about the individual’s past, present or future physical or mental health or condition, as well as many common identifiers (e.g., name, address, birth date, Social Security Number). Staff are only permitted to access and use protected health information based on the need to carry out their specific duties. That means an employee who uses consumer records for any purpose outside of their job is violating HIPAA. In fact, even sending an Avon catalog to your consumer list is a violation of HIPAA because you are using information you learned from their confidential health files for a different purpose. Taking consumer’s information to another agency is also a violation of HIPAA. It is a violation of HIPAA, even when a consumer consents, but that consent was given based on misrepresentation.
In this case, whether or not the individuals involved misrepresented their actions, they used protected health information – the names and contact information of consumers from Angels in Your Home – for purposes outside their job. We are getting reports that they are continuing to contact those consumers even though they left Angels which is a further violation of people’s confidentiality rights.
There are civil and criminal penalties for violating HIPAA, including up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.
Second, giving false pretenses, misrepresenting information, or lying to an individual in order to convince them to switch providers is fraud. For example, telling individuals that an agency is going out of business in order to get them to switch to a different agency is fraud. In the case of using fraud to convince an individual to switch services paid by Medicaid, it is also Medicaid Fraud and consumer fraud. Each type of fraud comes with its own penalties, including fines and imprisonment.
Third, although agencies have a responsibility to assure HIPAA compliance, employees have a duty of loyalty and good faith to their employers while they are employed. Calling consumers to switch to your future agency while still employed at your current agency is a breach of fiduciary duty to the current employer and that is likely the legal approach that will be taken by Angels in Your Home against the employees who conspired against their agency.
Fourth, failure to inform individuals that their protected information has been breached is a violation of New York State’s Security Breach Notification law. This law requires any person or business conducting business in New York to notify any individual when their private information has become compromised.
There are, of course, many other legal implications, with both civil and criminal penalties, however, these are some of the main violations and consequences.
Why is CDR involved?
Because we are run by people with disabilities, our organizations take the duty to protect personal information of disabled people and their attendants very seriously. Misuse of such information feels personal – because it is. We have confidential health information and know how we would feel if that information were misused.
To put this in some context for other folks, imagine having a medical diagnosis that you didn’t want people to know about. You would feel violated if the Office Manager in your doctor’s office took your name and a list of other people with that diagnosis to her new job at a pharmaceutical company so they could solicit you to change your medication. Even if you got a coupon for the medication, you would feel that your privacy and rights were violated. That’s exactly how some of the impacted individuals feel.
No one should experience this, but because we have disabilities we are most at risk for this to occur. And frankly, this has been a growing trend locally that must stop.
We will keep you informed as this appalling situation continues to play out.
Bruce E. Darling, CEO
All About You Homecare
Center for Disability Rights
Regional Center for Independent Living