Category Archives: Department of Health and Human Services

Cyber Attack at Community Health Systems Affects 4.5 Million Patients: Could This Be a New Trend?

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On August 18, 2014, Community Health Systems, a Tennessee-based hospital chain that has 206 hospitals in 29 states, announced that its computer system was hacked. According to a number of news reports, an outside group of hackers, originating in China, used highly sophisticated malware and technology to steal 4.5 million patients’ non-medical data. The hackers were able to obtain patients’ names, Social Security numbers, addresses, birth dates, and telephone numbers.

According to the Orlando Sentinel, in Florida, St. Cloud Surgical Associates, St. Cloud Medical Group, and Urology Associates of St. Cloud were among the practices where medical data was stolen. The article did not mention how many patients in Florida were affected. Click here to read the story from the Orlando Sentinel.

How Community Health Systems will Handle Being Hacked.

According to The New York Times, Community Health Systems believes the attacks happened from April to June 2014. The company will be notifying affected patients and agencies under the Health Insurance Portability and Accountability Act (HIPAA).

The hospital system is now working with a security company to investigate the incident and help prevent future attacks. Federal law enforcement agents are also investigating the incident. Click here to read the entire article from The New York Times.

Because this breach affected more than 500 individuals, it will soon be posted on the “Wall of Shame” maintained by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). The law requires that any breach involving 500 or more individuals be publicly posted. To learn more on the Wall of Shame, click here for my previous blog.

Protect Your Practice As Best You Can From Cyber Attacks.

Cyber hacking in the medical community appears to be a crime of opportunity. There are quickly becoming two types of companies: those that have been hacked and those that will be hacked.

While there is no way to guarantee protection from extrusion and external sources, there are steps that can be taken. For medical practices, many of these are required as part of a HIPAA risk assessment. Some areas to focus on include:

–    Background checks;
–    Comprehensive policies and procedures;
–    Vigilance when it comes to monitoring and data-leakage prevention tools; and
–    Employee education.

Medical practices are going to become bigger targets as the health care industry transitions to electronic health records. In addition, the hacking community is figuring out that it is easier to hack a hospital or private practice than it is a bank, and the attacker gets the same information. To learn more on HIPAA risk assessments, click here.


How do you protect your medical practice from hackers? Do you have regular risk assessments? Why or why not? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website or call (407) 331-6620 or (850) 439-1001.


Perlroth, Nicole. “Hack of Community Health Systems Affects 4.5 Million Patients.” The New York Times. (August 18, 2014).

Kutscher, Beth. “Chinese Hackers Hit Community Health Systems; Other Vulnerable.” Modern Healthcare. (August 18, 2014).

Jacobson, Susan. “St. Cloud Medical Patients’ Information Among Millions Stolen in Cyber Attack.” (August 18, 2014).

Rose, Rachel. “Protecting Your Medical Practices From Cyber Threats.” Physicians Practice. (July 17, 2014).

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

CMS in the Hot Seat for Lax Oversight of Medicaid Managed Care Organizations

By Lenis L. Archer, J.D., M.P.H., The Health Law Firm

For years, each state has kept an eye on its own Medicaid managed care plans, while the Centers for Medicare and Medicaid Services (CMS) is required to monitor how well each individual state is doing. However, a recent Government Accountability Office (GAO) report claims CMS is sleeping on the job. The report, released on June 20, 2014, stresses the need for more federal oversight of these plans.

With the implementation of the Affordable Care Act (ACA), the Medicaid program is expected to expand significantly. Most of the new beneficiaries enrolled in managed care are covered almost entirely by federal funds. The need for federal oversight in this area is of growing importance to ensure accountability of taxpayers’ dollars.

To read the entire report from the GAO, click here.

Report Findings: MCOs Need to be Watched by the Feds.

The persistent theme of the GAO report is that CMS and the Department of Health and Human Services (HHS) have done little to control the integrity of managed care organizations (MCOs). Federal programs have delegated managed care supervision to each individual state, but fail to provide needed guidelines and resources. CMS has not updated its MCO program guidance since 2000.

The report found neither state nor federal programs are well positioned to identify improper payments made to MCOs. Further, these programs are unable to ensure that MCOs are taking appropriate actions to identify, prevent or discourage improper payments.

For example, the report looked at state program integrity (PI) units and Medicaid Fraud Control Units (MFCU) from seven states. These anti-fraud groups admitted to primarily focusing their efforts on Medicaid fee-for-service claims. Meanwhile, claims made to MCOs have flown under their radar.

GAO Recommendations.

The GAO recommends that CMS:

– Require states to conduct audits of payments to and by MCOs;

– Update its managed care guidance on program integrity practices and effective handling of MCO recoveries; and

– Provide states with additional support in overseeing MCO program integrity.

The GAO also suggests that CMS increase its oversight, especially as states expand their Medicaid programs. The GAO report recommends CMS take a bigger role in holding states accountable to ensure adequate program integrity efforts in the Medicaid managed care program. If CMS does not step up to the plate, the report predicts a growing number of federal Medicaid dollars will become vulnerable to improper payments.

The Future of MCOs.

If this report is taken seriously, be assured that audits of MCOs will become more frequent and extensive. If CMS ramps up its efforts, claims could be reviewed in detail by Medicaid integrity contractors. Now is the time to verify you are in compliance and receiving proper payments, before CMS turns the magnifying glass on you or your facility.


What do you think of the GAO’s assessment of MCOs? Do you think CMS needs to step up and provide more oversight? Please leave any thoughtful comments below.

Contact Health Law Attorneys Experienced in Handling Medicaid Audits, Investigations and other Legal Proceedings.

Medicaid fraud is a serious crime and is vigorously investigated by the state MFCU, the Agency for Health Care Administration (AHCA), the Zone Program Integrity Contractors (ZPICs), the FBI, and the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS). Other state and federal agencies, including the U.S. Postal Service (USPS), and other law enforcement agencies often participate. Don’t wait until it’s too late. If you are concerned about possible violations and would like a confidential consultation, contact a qualified health attorney familiar with medical billing and audits today. Often Medicaid fraud criminal charges arise out of routine Medicaid audits, probe audits, or patient complaints.

The Health Law Firm’s attorneys routinely represent physicians, dentists, orthodontists, medical groups, clinics, pharmacies, assisted living facilities (ALFs), home health care agencies, nursing homes, group homes and other healthcare providers in Medicaid and Medicare investigations, audits and recovery actions. To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website.


Mullaney, Tim. “Federal Government Needs to Boost Medicaid Managed Care Oversight, GAO Says.” McKnight’s Long-Term Care & Assisted Living. (June 20, 2014).

Adamopoulos, Helen. “GAO Calls on CMS to Increase Medicaid Managed Care Oversight.” Becker’s Hospital Review. (June 20, 2014).

Bergal, Jenni. “Advocates Urge More Government Oversight of Medicaid Managed Care.” Kaiser Health News. (July 5, 2013).

About the Author: Lenis L. Archer is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.
