BreachExchange mailing list archives

Data Breaches, Lawsuits Inescapable, but Liability Can Be Mitigated


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Aug 2015 18:35:37 -0600

http://healthleadersmedia.com/content/TEC-319421/Data-Breaches-Lawsuits-Inescapable-but-Liability-Can-Be-Mitigated

If your organization experiences a data breach—an increasingly likely
scenario—and PHI is exposed, chances are you will be hit with a lawsuit in
short order.

There's not much you can do about that, just like it's impossible to
prevent every criminal attack. What you can do, though, is take steps to
minimize the likelihood of being found liable for damages in court, says
Reece Hirsch, Esq., a partner and regulatory attorney at Morgan Lewis in
San Francisco, and a BOH editorial advisory board member.

Hirsch says companies should have two things in place as part of standard
policy and procedure: an evolving breach response plan and an incident
response team that meets on a regular basis. While class-action suits
haven't gained much traction with judges yet—except in cases of clear
financial damage to consumers—most of the claims boil down to some form of
alleged negligence, he says.

"Given the increasingly sophisticated cyberthreats that companies face …
you cannot have perfect security and you cannot completely insulate
yourself from these types of events, but what you can do is show you acted
reasonably and took reasonable measures to prevent a breach and not make
yourself a target," Hirsch says.

Organizations demonstrate this with a good breach response plan to show
they've identified the problem, mitigated damage, notified victims, and
taken further action as necessary, he says. The team should represent each
department that might be affected by a breach or that has to be mobilized
to interact with the public, including legal, human resources, privacy,
security, IT, communications, and investor relations. Part of the team's
role is to analyze risks to data, data flow, and worst-case scenarios.

"Everything needs to be encrypted, data at rest as well as data in transit,
which is something HIPAA specifically points out," says Jan McDavid, Esq.,
the compliance officer and general legal counsel at HealthPort, an
Atlanta-based healthcare services firm. McDavid, who is a regular speaker
on this subject, agrees that it's essential to have proper security
policies as well as dedicated staff to regularly review systems and respond
to incidents.

Comprehensive risk analyses, which HIPAA requires, should not just be done
after a breach to assess the extent of damages after private data is "let
out the door," she says, but up front as well to identify the risks.
Even so, healthcare organizations with large electronic databases will
almost inevitably experience a data breach.

"Once [companies] are put on notice that something has happened, they need
to immediately stop the bleeding," McDavid says. Even though public breach
notification may not be required on day one, the company should immediately
shut off or fix whatever happened so it can't occur again, she says.

One of the issues she sees often is that as healthcare organizations
struggle to keep pace with technology, security is affected too. In the
rush to automation and interoperability with limited funds available, parts
of older systems and databases may get upgraded and replaced, but in the
process, new vulnerabilities may be created, McDavid says. It seems
organizations don't always realize how their systems interact, leading them
to overlook peripheral connections that may allow access to protected
systems, she adds.

Federal legislation that called for providers to implement EHRs didn't
contain the funding to help facilities make the switch—those incentives
came later. Many of the hospitals McDavid works with have a hodgepodge of
computer systems that were installed piecemeal as the hospitals received
technology funding, and that may inadvertently lead to vulnerabilities.

Taking proactive measures to have strong security policies, plans, and
personnel in place goes a long way toward mitigating company liability in a
class-action suit, Hirsch and McDavid say.

Lawsuits may be unavoidable

"If people are going to sue you, they're going to sue you," Hirsch says.
"But [proactive preparation] will position the company much better to
defend the lawsuit." And even more importantly, he adds, it may deflect
some of the greatest damage to a company's reputation and image, which
occurs in the "court of public opinion" and in news media reports.

McDavid agrees. "Their name becomes mud when the news is out that they've
had a major breach," she says, although she believes the public has become
oversaturated with the plethora of recent breaches in the news to the point
that such incidents are no longer viewed as alarming or unusual.

Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland,
Oregon, and a BOH editorial advisory board member, says the breach
announced by Anthem, Inc., in February 2015 actually offers a good example
of how to take the right approach to a data breach. Apgar doesn't believe
the health insurer took a big hit to its reputation because it acted
relatively quickly to put security experts on the case and notify consumers
and law enforcement authorities about the breach as required by HIPAA
security regulations. In addition, he says, Anthem had relatively good
security protections; however, those protections could only slow down a
sufficiently skilled hacker, not stop the breach from occurring.

By comparison, Apgar says the class-action suits against Community Health
Systems, Inc., are for actual negligence in responding to a known security
vulnerability. The Franklin, Tennessee-based company announced hackers
accessed data of 4.5 million individuals who were referred to or received
care from physicians affiliated with its system over the last five years,
according to an August 18, 2015, filing with the U.S. Securities and
Exchange Commission.

Anthem disclosed on February 4 that it uncovered a massive breach affecting
80 million people that had occurred two months earlier. Less than 12 hours
later, an Indianapolis attorney was already filing a class-action suit
against the health insurer for failure to secure customers' data,
negligence, breach of contract, and failure to notify victims in a timely
manner.

In the days and weeks that followed, the class-action suits started to pile
up across the country—dozens of complaints argued Anthem was lax in
securing members' personal data, which wasn't encrypted. Plaintiffs argued
Anthem only implemented reasonable security measures after it discovered
the breach January 29—more than a month after the incident occurred.

Even if it were eventually proven in court that Anthem didn't follow
industry best practices to secure data or that the breach was due to
negligence, the bigger question is whether the plaintiffs can demonstrate
harm as a result, Apgar says.

Building up case law

Currently, legal precedent favors the defendants, but that's an evolving
process too.

McDavid explains there is no established federal law that stipulates
companies are liable for damages just because they experienced a data
breach that exposed clients' or patients' personal information.

That's where class-action attorneys enter the picture, she says. They're
trying to make case law by obtaining favorable court opinions to set a
legal precedent, but it's an uphill battle, she says. Under many federal
and state laws, victims have to prove they were harmed in order to win
damages.

"In the majority of cases now, the courts are ruling that you cannot
certify a class unless you can prove the class has damages," McDavid says.
"What that means is that even if you've breached 2 million records, if you
don't have any notice that any of that [data] has been misused, then in
most courts right now you have no damages."

In April, a federal judge dismissed a class-action suit against Horizon
Blue Cross Blue Shield of New Jersey, ruling the plaintiffs didn't
demonstrate they suffered financial harm. Two company laptop computers were
stolen in 2013 from the health insurer's Newark headquarters, and nearly
840,000 customers' personal information was potentially exposed.

McDavid also points to a May Pennsylvania case where a county judge
dismissed a suit from 62,000 employees of the University of Pittsburgh
Medical Center following a criminal breach of the hospital's payroll
database. Several hundred employees were victims of tax fraud, but the
judge ruled the plaintiffs didn't prove that they were all financially
harmed, that the medical center was negligent in its actions, or that there
was any contract holding the university liable for security breaches.

What usually happens, Hirsch explains, is that the parties reach a
settlement outside of court, and that's where many of the large payouts to
affected consumers or patients happen.

Finding other ways in

It's becoming increasingly common, however, for class-action attorneys to
file suit for violations of state privacy and security laws or various
other federal statutes, which may contain stronger protections than HIPAA,
McDavid says. Arguments under those laws have been more successful at
convincing courts that the victims still have legal standing to sue even if
they haven't experienced actual harm.

Apgar points to an early example from 2010, when the Connecticut
Attorney General's office sued Health Net of Connecticut in
federal court for violations of HIPAA and state privacy protections
regarding personal data. The attorney general's office alleged the health
insurer failed to secure PHI and financial information prior to a 2009 data
breach in which a computer disk drive was lost that contained unencrypted
records on more than 500,000 Connecticut residents and 1.5 million
consumers nationwide. Health Net also allegedly delayed notifying plan
members and law enforcement authorities until several months after it
discovered the breach.

Ultimately, the company agreed to a settlement that included the following:

- Extended credit monitoring for affected plan members
- Increased identity theft insurance and reimbursement for security freezes
- An internal corrective action plan for stronger security measures
- A $250,000 state fine
- A $500,000 contingent payment to the state if it was established that
affected individuals later became victims of identity theft or fraud

This was the first legal action taken by an attorney general since the
HITECH Act in 2009 authorized state attorneys general to enforce violations
of HIPAA.

Federal laws, such as the Fair Credit Reporting Act (FCRA), are also
becoming an avenue for class-action attorneys. Hirsch says although it's
not related to healthcare, one case winding its way through the U.S.
Supreme Court—Spokeo, Inc. v. Robins—could change the legal landscape if
the nation's highest court issues an opinion against the online company.

In February 2014, federal appellate judges for the 9th Circuit reversed a
district court ruling that had originally dismissed plaintiff Thomas
Robins' class-action suit alleging willful violations of the FCRA. He
claimed Spokeo, an online information gathering service, published and
marketed inaccurate personal information about him on its website, which he
had no control over. While not claiming actual financial damages, he argued
that since he was unsuccessful in securing employment, he was concerned the
inaccurate report was affecting his ability to obtain employment,
insurance, credit, etc.

The appellate panel found Robins did have constitutional standing to sue
under the FCRA. This speaks to the same issues that are raised by victims
of healthcare data breaches, who worry they will suffer financial harm from
the exposure of their PHI, Hirsch says. Large technology companies urged
the Supreme Court to take up an appeal of the 2014 decision, fearing it
could cripple the industry by paving the way for billions of dollars in
damages to consumers, he says.

In addition, there's another federal healthcare data breach suit—Smith, et
al. v. Triad of Alabama—making a case for violations under the FCRA that
will have big implications if the court finds the plaintiffs have legal
standing for a class-action suit, McDavid says.

"They can keep it in court if the judge buys into their theory that they
don't have to have damages in order to sue," she says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss