Healthcare Data Breaches: Managing and Responding to Regulatory and Litigation Risks
A flurry of data breach activity has recently struck the healthcare sector, resulting in increasing litigation and regulatory scrutiny. Healthcare companies, such as hospitals, doctors' offices, health systems, and health plans, hold massive amounts of sensitive patient medical information through electronic means such as electronic health records, cloud computing and mobile apps. This has made healthcare organizations vulnerable to data breaches, and a prime target of hackers.
Regulatory Risk Environment
Healthcare data breaches are unique in that they generally fall within the purview of stringent federal and state healthcare privacy and security laws, including the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively, “HIPAA”), and state breach notification requirements. Legal and regulatory violations regularly subject healthcare companies to fines, security audits and settlement agreements with the government that impose increased regulatory burdens, and even criminal penalties.
HIPAA Breach Notification Rule
Most healthcare organizations are required to comply with specific laws and regulations that impose strict requirements surrounding the protection of healthcare data, also known under HIPAA as “protected health information” or “PHI,” that is held by, accessed, or processed by “covered entities” (e.g., certain healthcare providers, health plans, and healthcare clearinghouses) and their “business associates” (e.g., subcontractors that perform services for or on behalf of a covered entity).
HIPAA contains specific breach notification obligations under its “Breach Notification Rule,” including the obligation to notify affected individuals, and often the government and/or the media, when there is a “breach” of PHI. HIPAA defines “breach” as the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.
Thus, under HIPAA’s Breach Notification Rule, even if an unauthorized acquisition or access of PHI occurs, a “breach” does not exist, and notification is not required, unless there has been a compromise of the security or privacy of the PHI at issue. However, the HIPAA regulations state that the acquisition, access, use, or disclosure of protected health information . . . is presumed to be a breach unless the covered entity can establish that no compromise occurred. To do so, covered entities must demonstrate that there is a low probability that the protected health information has been compromised based on a risk assessment.
When a covered entity determines that a breach has occurred, it must provide notice to the individuals who are subject to the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” The covered entity must also notify the Secretary of the U.S. Department of Health and Human Services (“HHS”), contemporaneously with the individual breach notice for breaches involving greater than 500 individuals, and annually for breaches involving fewer individuals. For a breach involving more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets in that state or jurisdiction.
HIPAA violations can subject healthcare organizations to hefty fines, settlement agreements, and criminal penalties. Penalties for noncompliance are based on the level of culpability of the violation, and can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations of an identical provision, in addition to potential imprisonment based on the level of knowledge or willfulness. Moreover, HIPAA fines assessed against healthcare organizations are rising, with a recent HIPAA violation resulting in a $2.2 million settlement with HHS. This underscores the importance of careful and diligent compliance with HIPAA, including the Breach Notification Rule.
State Breach Notification Laws
To date, 47 states have enacted breach notification laws that require data owners possessing “personal information” to provide notice to individuals affected by a data security breach involving such information. The state breach notification laws generally require that a company provide notice to affected individuals where an incident results in the “unauthorized acquisition” of personal information, though some jurisdictions have an “unauthorized access” threshold for imposing a notification obligation. The definition of “personal information” varies by state, and some states, including California, specifically include healthcare information within that definition. Even if healthcare information is not specifically included as personal information, some healthcare records contain sensitive information such as Social Security numbers or financial account numbers, which would constitute personal information that may trigger state laws.
The definition of “breach,” triggering notification to individuals, also varies from state to state. Many states define a “breach” such that the incident must “compromise the security or confidentiality of confidential information” to be considered a breach requiring notice to individuals. Other states include language that requires notification to individuals only where the incident presents a risk of harm to individuals, including a risk of identity theft or fraud.
The respective states’ breach notification laws set forth the timing and content of breach notifications, as well as the requirements for notifying state regulators. Many of the state breach notification laws contain exemptions for encrypted data, and some states exempt HIPAA covered entities from state breach notification obligations. However, healthcare companies that are victims of data breaches may have to comply with not only HIPAA, but also some state breach laws in certain circumstances.
Litigation Risks and Direct Costs
Healthcare data breaches have increasingly led affected individuals to bring lawsuits against the organizations that were holding their data at the time of the breach. While HIPAA does not provide a private cause of action for individuals affected by a breach, several states have allowed individuals to bring claims against healthcare providers under negligence theories, alleging that such providers breached their duty of care owed to their patients in permitting a breach of their data to occur. There also is the risk of shareholder derivative lawsuits against boards of directors, alleging that the boards breached their fiduciary duties by failing to adequately protect patient data.
Because healthcare data breaches can affect thousands, millions or tens of millions of individuals, many data breach lawsuits are brought as class actions. For example, as discussed in the next section, numerous lawsuits have been brought against Anthem with respect to the data breach it experienced in 2015, many of which have been consolidated into class action lawsuits.
Healthcare data breaches also can impose direct costs on organizations, such as the costs of providing notification, call center services and identity protection services, to affected individuals. In addition, healthcare data breaches can result in public relations nightmares, damaging what is perhaps a healthcare organization’s most important intangible asset: its reputation.
While hacking was the leading cause of healthcare data breaches in 2015, according to HHS, some of the largest HIPAA data breaches reported in the first half of 2016 were caused by theft, loss, improper disposal and unauthorized email access or disclosure.
Arguably the most notorious and costly healthcare data breach of recent years is the one that affected Anthem, Inc. in 2015. Anthem discovered that criminal hackers had gained unauthorized access to its servers and stolen the personal information of nearly 80 million individuals. The information accessed included names, dates of birth, Social Security numbers, plan identification numbers, phone numbers, email addresses and employment information. Anthem offered free credit monitoring to the affected individuals, and, as mentioned in the preceding section, the insurer has been subject to a plethora of lawsuits, including class action lawsuits.
Another type of healthcare data breach that has recently emerged and been highlighted in the news is the ransomware attack. A typical ransomware attack involves an attacker using malicious software to restrict access to an affected computer system, demanding that the owner or user pay a ransom to the attacker to remove the restriction. For example, Hollywood Presbyterian Medical Center (HPMC) in Los Angeles was the victim of a ransomware attack in February 2016. Malicious software locked up its computer system and halted hospital operations for hours. HPMC officials reportedly paid $17,000 in bitcoins to obtain the key to unlock the malicious software and return the hospital to normal operations. Several other ransomware attacks have taken similar form, attacking healthcare organizations and demanding the payment of ransom money before an access restriction is lifted or data decrypted.
Preventing and Mitigating Data Breaches
Given the regulatory framework and substantial risks and costs associated with healthcare data breaches, healthcare organizations should take action before a data breach ever occurs, with the goals of preventing and mitigating such breaches.
Those healthcare organizations subject to HIPAA are required to implement privacy and security safeguards in accordance with HIPAA’s Security Rule. Those obligations involve conducting regular security risk assessments to detect and remediate security risks; in fact, many recent HIPAA enforcement actions have focused on the failure to conduct an adequate risk assessment.
Further, most healthcare organizations develop and implement an appropriate set of policies and procedures designed to prevent, detect and respond to data breaches and meet applicable regulatory requirements. In particular, many organizations develop an incident response plan setting forth the organization's planned actions with respect to a breach, such as appropriate internal reporting, timely external breach notification, and steps to mitigate the breach. Policies and procedures may also include workforce training on privacy and security of patient information and breach response procedures.
It is also important for healthcare organizations to consider implementing a vendor management program, designed to confirm that vendors with access to PHI and other personal data appropriately protect that data, and timely report any security incidents or breaches affecting that data. Moreover, every HIPAA-covered entity is required under HIPAA to have compliant business associate agreements in place with its business associates, setting forth the obligations of business associates to, among other things, appropriately safeguard the covered entity’s data and timely report security incidents and breaches to the covered entity so that it may in turn take appropriate action.
Finally, it is crucial for healthcare organizations, and their vendors, to have in place adequate cybersecurity insurance coverage, in order to cover third-party claims and expenses, as well as direct expenses resulting from a data breach. Cyber insurance can pay for certain expenses arising out of a data breach, including legal fees to respond to the incident, notification costs, call center costs, public relations firm costs, forensic costs and identity protection services. In addition, if a lawsuit is filed or HHS or other regulators investigate a data breach, cyber insurance policies can cover legal defense costs, and the costs of judgments, settlements, and in some cases regulatory fines and penalties. Most important, however, is the fact that insurers have assembled and vetted experienced breach response lawyers and vendors to quickly and efficiently respond to data incidents. Access to these teams alone can help reduce risk and mitigate the fallout of a data breach.
As the number of healthcare data breaches has grown, so have the resulting risks and costs to healthcare organizations. Healthcare data breaches may cause healthcare organizations substantial regulatory, litigation and direct costs. It is therefore critical that healthcare organizations be prepared before a breach ever occurs, including by purchasing appropriate cyber insurance.
As published in the Fall 2016 issue of Litigation Management Magazine. Reproduced with permission.
About the authors
Christine Flammer is Claims Counsel for XL Catlin’s Cyber & Technology business. David Navetta is a Partner with Norton Rose Fulbright. Kimberly Gold is a Senior Associate with Norton Rose Fulbright.