Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

Elizabeth Litten and Michael Kline write:

We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 

SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.

According to the original statement published in late September of 2011 (the “TRICARE/SAIC Statement”), the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”) includes the following:

There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.

While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.

Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the  SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts).  In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach.  SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.  

Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.

Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.” The cost of such a proactive response can easily run into millions of dollars in the SAIC Breach. It is unclear to what extent, if any, insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.

We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 

As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

The Parade of PHI Security Breaches: UCLA Rejoins the March and Merits Mixed Reviews for the Quality of its Public Disclosures

In a recent posting on this blog series, my partner William Maruca mentioned the multiple reported “snooping” intrusions from 2005 to 2009 by employees at UCLA Health System (“UCLA”) into medical records of celebrities “without a permissible reason.” Such snooping would constitute violations of the requirements under HIPAA/HITECH statutes and regulations.  Ultimately, UCLA entered into a settlement agreement (the “Settlement Agreement”) with federal health regulators with respect to such incursions, which among other things, socked UCLA with a fine of $865,000. 

Shortly after the Settlement Agreement was reported in July 2011, a new and different security breach was posted for UCLA (the “2011 Breach”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”).  (Presumably the snooping intrusions were not on the HHS List because they affected fewer than 500 individuals.) The 2011 Breach was reported on the HHS List as a theft of an “Other Portable Electronic Device” on September 7, 2011, that affected the protected health information (“PHI”) of 2,761 individuals.  UCLA has developed a mixed record of disclosure with respect to this most recent security breach.

UCLA is to be commended for having posted and maintained on its Web site (the “UCLA Web Site”) information on the 2011 Breach, as it has done with respect to the Settlement Agreement. This can be contrasted to a number of other covered entities previously identified in this blog series, such as Eisenhower Medical Center, that have not seen fit to post such security breaches on their Web sites. As a matter of fact, the posting on the UCLA Web Site about the 2011 Breach goes beyond the usual minimum level of disclosure to have a user-friendly, plain-language series of questions and answers to assist the site visitor. 

The UCLA Web Site reported:

The documents containing information did not include Social Security numbers or any financial information. They did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information. . . . UCLA has engaged Kroll, a global leader in data security, to provide assistance to individuals affected by this incident.

Even though UCLA has retained a consultant to provide advice to potential victims of the 2011 Breach, to this point no credit monitoring has been offered, while other covered entities have done so in similar circumstances because some of the information that was included in the theft could heighten identity theft risks.

There is also a perplexing discrepancy between the 2,761 individuals reported on the HHS List as having been affected in the 2011 Breach, as compared to the 16,288 individuals reported on the UCLA Web Site. The HHS Web site provides the following instructions regarding amendments to the number of affected individuals in a large PHI security breach:

If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected.  As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.

While there can only be speculation as to the source of the discrepancy, best disclosure practices would appear to dictate that UCLA provide information to HHS to permit the HHS List to be corrected from the current number to the materially higher number of 16,288 individuals. If UCLA has reported the higher figure to HHS, which did not correct it on the HHS List, then there is a flaw in the HHS List posting process that does not update amended information received from covered entities.

More recently, an additional factor has surfaced to detract from the quality of UCLA disclosures respecting the 2011 Breach. Derek Hawkins of Law360 discusses the filing by a UCLA patient of a putative class action against UCLA in December 2011 relating to the 2011 Breach. The Hawkins posting criticizes UCLA for not commenting at all on the lawsuit.

Thus UCLA has been inconsistent in its post-2011 Breach disclosures. Prompt, decisive and compliant action by covered entities affected by PHI security breaches, including transparency and accurate and consistent disclosure, is necessary to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches. 

Personal Information Data Breaches - Not If, but When?

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings) can be accessed, can we trust that any electronically transmitted or stored information is really safe?  

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

Congressional Inquiry or Autopsy for SAIC Breach Disaster? - Part 5

Five members of Congress (two Republicans and three Democrats) representing districts from far-flung states (Colorado, Florida, Massachusetts, New Jersey and Texas) are co-signers of a bipartisan letter dated December 2, 2011 (the “December 2 Letter”), addressed to the Director of the TRICARE Management Authority. The December 2 Letter was written to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information” by TRICARE contractor Science Applications International Corporation (SAIC).” 

Michael Kline and I have previously blogged about the SAIC PHI breach in four previous postings on this blog series, the most recent posting of which was on November 9, 2011, shortly after TRICARE did an about-face and announced that it was directing SAIC to offer the 4.9 million affected individuals credit monitoring services and assistance.

The December 2 Letter requests “timely and thorough responses” by no later than February 2, 2012, to seventeen startlingly direct and often blame-loaded questions. The questions make it very clear that the authors believe SAIC (and/or TRICARE) should have done more to prevent the SAIC breach and should be doing more to protect affected individuals. Question 9 notes that SAIC offered to provide “victims” (note the word choice) credit monitoring services for a year, but goes on to point out that “such services are useless in protecting against medical identity theft and fraudulent health insurance claims.” It then asks whether victims will also be provided with “newly available medical identity theft monitoring,” and, if not, to explain why such monitoring would not be provided.

The December 2 Letter closes with a brief and scathing chronology of recent SAIC misconduct, after noting that “SAIC has received more than $20 billion in federal contracts over the previous three fiscal years,” and asks: “Why does [TRICARE] continue to contract with SAIC for its data handling and IT needs despite these major performance problems?”

The members of Congress who authored the December 2 Letter hail from both sides of the aisle and from various parts of the country, but a common link seems to be a strong interest in information privacy and security. For example, Edward Markey (D-Mass) and Joe Barton (R-Texas) co-chair the Bi-Partisan Privacy Caucus and recently focused on Facebook privacy issues. Cliff Stearns (R-Florida) introduced an online privacy bill last spring. Diana DeGette (D-Colorado) has commented publicly on the importance of online privacy.

While Rob Andrews (D-New Jersey) has no apparent recent history with respect to information privacy and security, he was the sponsor in 2003 of a bill, which was not ultimately enacted, designed to afford students and parents with private civil remedies for the violation of their privacy rights under the General Education Provisions Act. Moreover, in his continuing role as a member of the House Committee on Armed Services and its Subcommittee on Oversight and Investigation, he has a deep interest and abiding concern regarding large scale threats to the privacy and security of protected health information of millions of service individuals and their families.

Did Tricare/DoD Make a "Proactive Response" or a Preemptive Strike with SAIC in the PHI Breach Matter? Whose Risk is it Anyway? - Part 4

By: Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 4 shall have the meanings assigned to them in Part 3 or earlier Parts.]

As reported in Part 3 of this blog series, Tricare and SAIC did not initially offer credit monitoring services to patients affected by the 2011 Breach made public on September 29, 2011, due to what was then judged to be the low “risk of harm” to those affected.  The Public Statement specifically answered the question “Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft?” as follows:

No. The risk of harm to patients is judged to be low despite the data elements involved. Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identity theft, but all are encouraged to monitor their credit and place a free fraud alert of their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.

Now, less than 6 weeks later, Tricare has directed SAIC to provide one year of credit monitoring and restoration services to patients “who express concern about their credit” as a result of the 2011 Breach.  In a press release issued by the DoD on November 4, 2011, entitled "Proactive Response to Recent Data Breach Announced" (the “DoD Press Release”), Tricare Management Activity's deputy director explains,

These additional proactive security measures exceed the industry standard to protect against the risk of identity theft.  We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.  

It is unclear that the new security measure exceeds the “industry standard,” as evidenced by numerous past postings respecting PHI security breaches in this blog series. In some cases as long as two years of credit monitoring was offered to affected individuals. However, given the assurances in the Public Statement to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare’s abrupt about-face relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk. 

Then again, Tricare’s new position could have less to do with new concerns related to patient identity theft risk, and more to do with a “proactive response” or even a preemptive strike by Tricare and DoD to combat certain of the allegations in the putative class action lawsuit filed against them in the U.S. District Court for the District of Columbia on October 11, 2011 (Gaffney v. Tricare Management Activity, et al., Case No. 1:2011cv01800) (the “Class Action Complaint”). Each of Virginia Gaffney and Adrienne Taylor, two of the plaintiffs named in the Class Action Complaint, has alleged that she had “incurred an economic loss as a result of having to purchase a credit monitoring service to alert her to potential misappropriation of her identity.”

By offering the credit monitoring services to all of the 4.9 million affected individuals, Tricare and DoD may be endeavoring to render moot or at least mitigate the risk from those allegations in the Class Action Complaint. [Note: The recent posting of the 2011 Breach in the HHS List, which did not provide any information beyond that reflected in the Public Statement, earlier reported “5,117,799” as the approximate number of individuals affected, but the current number reported is “4,901,432.”]

The Class Action Complaint seeks judgment against Tricare and DoD for damages in an amount of $1,000 for each affected individual.  Perhaps Tricare and DoD did the quick math and realized that the cost of credit monitoring and restoration for a subset (those “expressing concern”) of the roughly 4.9 million affected patients would be far less than the almost $5 billion aggregate damages award sought in the Class Action Complaint.  Tricare may have reversed its stance as a result of this “risk of harm” analysis, and not because of new information or a revised evaluation related to a heightened risk of harm to affected individuals.

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches - Part 3

By Michael Kline and Elizabeth Litten

[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]

The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.

Since the release by SAIC of the Public Statement, Law 360 has reported that

(i)   According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;

(ii)  A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and

(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach. 

Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to be the first such breach since the adoption of the Breach Notification Rule in August of 2009.

On July 21, 2007, The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:

So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.

Embedded later in the Post article is the following: 

The [2007] disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information.  (A portion of such personal information would have been deemed PHI had it been part of health-related material.)

The SPAMfighter report also discloses the following:

Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC's malware detection system. That breach had exposed mainly business account information.

As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach. 

Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed a “material” reportable event for SEC purposes by its management.

It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not yet even appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches - Part 2

By Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 2 shall have the meanings assigned to them in Part 1.]

In an October 3, 2011 Securities and Exchange Commission (“SEC”) filing posted on its Web site, SAIC described itself as

a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The company’s approximately 41,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. Headquartered in McLean, Va., SAIC had annual revenues of approximately $11 billion for its fiscal year ended January 31, 2011.

The SAIC PHI breach, which potentially affected nearly 5 million individuals, was reported despite the fact that the PHI was contained on backup tapes used by the military health system, and despite, as explained in the Public Statement: 

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure…  [Q and A] Q. Can just anyone access this data? A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

The Public Statement goes on to say the following in another answer:

After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance. [Emphasis supplied.]

The lynchpin of SAIC’s final decision to notify all of the potentially affected individuals appeared to be the DoD guidance. In SAIC’s position as an $11 billion contractor that is heavily dependent on DoD and other U.S. government contracts as described above, it would appear that SAIC may not have had many practical alternatives but to notify beneficiaries.

SAIC conducted “careful deliberation” before reaching its result and indicated that the risk of breach was “low.” Had the DoD guidance not been a factor and had SAIC concluded that the case was one where an unlocked file or unencrypted data was discovered to exist, but it appeared that no one had opened such file or viewed such data, would SAIC’s conclusion have been the same? Would SAIC have come to the same conclusion as Nemours and decided to report? 

What is clear is that the breach notice determination should involve a careful risk and impact analysis, as SAIC asserts that it performed. Even the most deafening sound created by a tree crashing in the forest is unlikely to affect the ears of the airplane passengers flying overhead. Piping that sound into the airplane, though, is very likely to disgruntle (or even unduly panic) the passengers. 

[To be continued in Part 3]

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches (With Some Words on the Nemours PHI Breach) - Part 1

By Elizabeth Litten and Michael Kline

A recent public statement (the “Public Statement”) was published regarding a breach (the “2011 Breach”) of protected health information (“PHI”) of nearly 5 million military clinic and hospital patients that involved Science Applications International Corporation (SAI-NYSE) (“SAIC”). The 2011 Breach occurred in SAIC’s apparent role as a business associate and/or subcontractor for Tricare Management Activity, a component of Tricare, the military health plan (collectively, “Tricare”) for active duty service members of the U.S. Department of Defense (“DoD”). 


According to the Public Statement the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the Public Statement says that there is no financial data, such as credit card or bank account information, on the backup tapes.


The 2011 Breach is the largest single PHI security breach reported to date. The 2011 Breach highlights the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (“HHS”), other regulators and potentially affected individuals of a PHI breach.


The published “interim final rule” governing “Breach Notification for Unsecured Protected Health Information” (the “Breach Notification Rule”) defines “breach” as “the acquisition, access, use or disclosure of protected health information [“PHI”] in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.” The Breach Notification Rule also defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”


These definitions, reviewed in the context of several recent PHI breaches (including those “marchers in the parade” previously discussed on this blog), raise an important issue: at what point does “access” matter? When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?


In this regard, an event reported on the Nemours Web site on October 7, 2011 (the “Nemours Report”), about a PHI security breach involving approximately 1.9 million individuals at a Nemours facility in Wilmington, DE is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project. 

Significantly, the Nemours Report stated the following:

There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.

The Nemours Report reveals that, in spite of the low likelihood of access, Nemours not only disclosed the breach but was also offering free credit monitoring, identity theft protection, and call center support to affected individuals.


If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify, or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.  


[To be continued in Part 2]

The Parade of PHI Security Breaches: WellPoint Finally Settles with the Attorney General of Indiana

As reported previously on this blog series, the requirements under HIPAA/HITECH and state statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches. 

An earlier posting on November 2, 2010 in this blog series (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

As reported by Ben Keller on DataGuidance.com from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011, that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General "without unreasonable delay" of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:

By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.

This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. 

In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:

(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);

(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and

(iii) a third one that proceeded solely under state law (Indiana).

The 2010 Posting raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The press release issued by his office on July 5, 2011, about the WellPoint settlement sheds some light on the matter:

In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General's Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General's Identity Theft Unit.

It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.

As stated earlier, it can be expected that other attorneys general around the country will follow suit in investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate significant revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general. 


Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches. 

The Henry Ford Health System Makes Another Appearance in the Parade of PHI Security Breaches

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of breaches of PHI involving highly respected and sophisticated providers and insurers. On November 21, 2010, a posting on this blog discussed a PHI security breach (the “September 2010 Breach”) involving Henry Ford Health System in Michigan (“Henry Ford” or the “health system”) that was discovered by the health system on September 24, 2010. A follow-up posting in this series on November 24, 2010 reported that 3,700 individuals had been affected in the September 2010 Breach.

On February 25, 2011, Robin Erb, Medical Writer at the Detroit Free Press, wrote an article entitled, “Lost Device Compromises Medical Information of 2,777 Patients” relative to another security lapse in less than a year within Henry Ford (the “January 2011 Breach”). According to Ms. Erb, an employee of the health system lost a flash drive with information on 2,777 patients on January 31, 2011.


As Ms. Erb reported,

Hospital officials said it's unclear how the flash drive was lost. The device is not encrypted, as required to protect individual patients' information, officials said.

The information involved patients tested for urinary tract infections between July and October 2010 and included names, medical record numbers, test information and results.


While the first blog posting in this series about the September 2010 Breach gave a link to the Henry Ford posting on its Web site about the security breach, that posting and link have apparently already been taken down by the health system. However, more than 500 other earlier stories dating back as far as March of 2005 remain on the Henry Ford News list. A visit today to the News list on the health system’s Web site also reveals that Henry Ford has made no posting to date about the January 2011 Breach.


HIPAA/HITECH provides that the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” The maximum time, therefore, for Henry Ford to notify the HHS about the January 2011 Breach is 60 days after the discovery date of January 31, 2011, or April 1, 2011. Soon after notification by the health system to the HHS, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would add the January 2011 Breach.


It is interesting that, while Ms. Erb’s article was published almost three weeks ago, nothing has apparently been published by Henry Ford about the January 2011 Breach on its Web site. Nor has the January 2011 Breach yet appeared on the HHS Web site. This matter warrants further monitoring.

New Turn in the Parade of PHI Breaches: Office of Civil Rights Exacts Heavy Payments From Cignet Health and Massachusetts General Hospital

As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing direct intervention by attorneys general with respect to enforcement actions regarding such breaches. Last week for the first time, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) exacted heavy financial obligations from (i) Cignet Health and its affiliates (“Cignet”) on February 22, 2011, with a $4.3 million civil monetary penalty assessment (“CMP”) for violations of the HIPAA Privacy Rule and (ii) the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (collectively, “Mass General”) on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 by Mass General for potential violations of HIPAA.

This is the first time that the OCR has publicized its activities in enforcement actions involving heavy monetary payments. Until now, as reported previously on this blog series, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut, Indiana and Vermont.

The cases of Cignet and Mass General are efforts by the OCR to demonstrate its seriousness in taking action against violations or alleged violations of HIPAA/HITECH. In the OCR press release relating to Cignet (the “Cignet Press Release”), Kathleen Sebelius, Secretary of HHS, stated the following:

Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.

In the OCR press release relating to Mass General (the “Mass General Press Release”), OCR Director Georgina Verdugo was quoted as follows: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The close proximity of the two OCR actions and press releases is noteworthy. According to the Cignet Press Release, the Cignet case involved 41 patients, while, according to the Mass General Press Release, the Mass General case involved 192 patients. Each of these numbers is far fewer than the threshold of 500 affected individuals for listing on the HHS website (the “HHS List”). Some of the 241 incidents reported on the current HHS List involved hundreds of thousands, or even more than one million, affected individuals. It is clear that OCR felt it necessary to make examples of Cignet and Mass General.

The two cases are very different in that the Cignet Health payment involves a CMP imposed by OCR for violations that the OCR found Cignet to have committed, including, according to the Cignet Press Release, the fact that “. . . Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.” Therefore, the heavy CMP on Cignet would appear to be based in major part on OCR’s view that Cignet flouted the authority of OCR to investigate alleged HIPAA Privacy violations.

On the other hand, according to the Mass General Press Release, Mass General settled for a $1,000,000 payment and other compliance actions for “potential violations of the HIPAA Privacy Rule.” It is clear that Mass General, while having an incident that affected almost five times as many individuals as that of Cignet, exhibited a spirit of cooperation with OCR and, therefore, settled for less than one-fourth of the CMP imposed on Cignet and was not found by OCR to have committed a violation.

The juxtaposition of the two cases by OCR shows that cooperation may achieve significant benefits for alleged HIPAA violators, while those who fail to cooperate can be severely punished. The importance of these two cases warrants further discussion in future blog entries.

The Largest Marcher in the Parade of Reported PHI Security Breaches: NYC Health and Hospitals Corporation's North Bronx Healthcare Network

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The New York City Health and Hospitals Corporation’s North Bronx Healthcare Network (“HHC”) has recently become perhaps the largest marcher in the parade of PHI security breaches with a reported 1,700,000 persons affected. 

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that HHC had a PHI security breach on December 23, 2010 (the “Breach”). Of the 242 records currently reported on the HHS List, the Breach is by far the largest with 1,700,000 affected individuals. The Breach apparently resulted from a “Theft” of “Electronic Medical Record, Other.” 


Unlike some other participants in the parade of PHI security breaches that have been reported in this blog series, it is refreshing to see that HHC has tried to be forthright in its communication on the HHC Website. The information regarding the occurrence may be found in a number of ways, including a search for "PHI security breach" directly from the HHC Home Page or by clicking on "Publications and Reports" from the HHC Home Page and then clicking on "Press Releases" where the relevant Press Release dated February 11, 2011, is the only listing to date for 2011 (the “Press Release”).


The HHC breach can become a financially costly one for HHC, as it potentially affected information covering twenty years relative to (i) personal information such as social security numbers, names, addresses, and other information that may be used to identify individuals; (ii) personal information and patients' medical histories; and (iii) personal information and employees' health information. The Press Release states the following: “The loss of this data occurred through the negligence of a contracted firm [identified in the Press Release as GRM Information Management Services ("GRM")] that specializes in the secure transport and storage of sensitive data. There is no evidence to indicate that the information has been inappropriately accessed or misused.”  The Press Release also reported that HHC is making available free credit monitoring and fraud resolution services for one year to those affected individuals who request it.


The Press Release states that the information was stolen when "the GRM van was left unattended and unlocked while the driver made other pickups.  GRM reported the incident to the police and dismissed the driver of the vehicle.  To date, the files have not been recovered."  Therefore, it can be reasonably inferred from the Press Release that at least a portion of the financial burden for HHC from the Breach will be shared by GRM.  GRM may even have some type of liability insurance coverage that will pay for some of the expenses flowing from the Breach. 


In this regard, my partner Elizabeth Litten, Esq., had previously discussed in a blog entry in this series the need for healthcare providers and business associates to investigate the possibility of obtaining insurance covering potential losses arising out of large PHI security breaches. The case of HHC may encourage greater attention to this area.


The prominent posting of the Breach on the HHC website demonstrates that HHC has made a commitment to act responsibly and do more than what is (again borrowing a phrase from HITECH in a totally different context) “the minimum necessary” for communicating a large PHI security breach. This should accelerate the rehabilitation of confidence and relations with patients, employees and HHC’s larger constituency.

The Parade of PHI Security Breaches: Escalating Enforcement Activity by State Attorneys General - Most Recently in Vermont

As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information ("PHI") have been bringing to light new breaches of PHI security and direct intervention by state attorneys general with respect to such breaches.

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. Nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

Earlier blog postings reported on (i) a settlement by the Attorney General of Connecticut (the "Connecticut Settlement") of a lawsuit brought under HIPAA/HITECH for $250,000 against Health Net, Inc., and (ii) more recently, a lawsuit filed under Indiana state law for $300,000 against Wellpoint, Inc. by the Attorney General of Indiana (collectively, the "Earlier Actions").

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the "Vermont Attorney General") announced in a press release (the "Press Release") that it had settled a lawsuit (the "Vermont Action"), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, "Health Net"). The Vermont Action involves a number of the same issues to which the Connecticut Settlement against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.


The settlement in the Vermont Action (the "Vermont Settlement") would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, which may be contrasted with the nearly 500,000 Connecticut enrollees alleged to have been affected in the matter resolved by the Connecticut Settlement.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, was, unlike the Earlier Actions, brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is "Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009."

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases where alleged unreasonable and lengthy delays in notifying affected individuals by insurers were present. Insurers may be attractive targets because they are often perceived by the public to be large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and what will be the basis for such a lawsuit.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or Wellpoint PHI security breaches.


Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties.

A Reader's Comment on the Two Large PHI Security Breaches at The University of Rochester Medical Center in 2010

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. On January 19, 2011, a blog posting was made regarding two large PHI security breaches at The University of Rochester Medical Center (“URMC” or the “medical center”) in 2010 (the “2010 Breaches”). The posting reported that a review of the URMC website revealed no reference to either of the 2010 Breaches.

Shortly thereafter, I received the following comment from an anonymous “Dissent”:


The September 2010 breach is on their [University of Rochester (“UR”)] website.

You wouldn’t find it by searching the URMC site itself, though. I only found it by running the search on the main UR site.

The 2009 hack affecting 450 [individuals] wasn’t the medical center or PHI.

There was another 2009 incident that did involve the medical center, though, reported to the NYS CPB [New York State Consumer Protection Board]. It involved “insider wrongdoing,” but I do not know if PHI or patient data was involved or if [it] was employee data. The incident was never in the media and I never requested the report from NYS under FOI [Freedom of Information].

And yes, I think all entities should have links to disclosures prominently displayed or easy to find. 

Cheers,

/Dissent


I sincerely appreciate the knowledgeable information and clarification provided by Dissent. It is perplexing and somewhat illogical that the September 2010 Breach would be listed only on the UR website and not the separate comprehensive and extensive website of URMC, the institution at which the 2010 Breaches occurred. There is not even a cross-reference or link on the URMC site to the UR posting respecting the 2010 Breaches. 


Moreover, even with respect to the UR website, the posting respecting the September 2010 Breach should proactively inform affected individuals and the general public. The posting should not be so difficult to locate that only those who are specifically searching for the 2010 Breach with prior knowledge are likely to find it. Finally, query: why is the April 2010 Breach apparently not listed on either the UR or the URMC website?


As stated in my earlier blog entry, the posting of both of the 2010 Breaches on the URMC website in a reasonably prominent manner would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating large PHI security breaches. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.

Large PHI Security Breaches: The University of Rochester Medical Center Hits a Double in 2010

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The University of Rochester Medical Center (“URMC” or the “Medical Center”) joined in the parade of large PHI security breaches two times in 2010.

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that URMC had two large security breaches during 2010 (the “2010 Breaches”). The first 2010 Breach posted for URMC on the HHS List on May 28, 2010, related to 2,628 individuals from an “Unauthorized Access of Paper Records” that occurred on April 19, 2010. The second 2010 Breach posted for URMC on the HHS List on September 21, 2010 related to 857 individuals from a “Lost Portable Electronic Device” that occurred on August 2, 2010. 


There are several interesting aspects about the URMC events. First, like the incident at University of Tennessee Medical Center discussed earlier in this blog series, URMC apparently has determined that it is not necessary or appropriate to publish the 2010 Breaches in the URMC Newsroom or elsewhere on the URMC website. A review of the list of 345 stories presently posted in the 2010 News Archives on the URMC website revealed no reference to either of the 2010 Breaches.


It is somewhat disappointing that URMC has chosen not to communicate with its Internet community on the 2010 Breaches, as numerous other institutions with large PHI security breaches have chosen to do. It is even more puzzling in light of the fact that Peter Chesterton, MBA, the long-time Chief Privacy Officer and Chief HIPAA Security Official for URMC, has been a recognized leader and lecturer in the area of PHI security and privacy. He is also currently listed as a member of the University of Rochester Data Security Taskforce in the Office of the Provost (the “Provost Taskforce”). 


Mr. Chesterton lectured at the 4th Academic Medical Center Privacy and Security Conference on June 11, 2007 on the topic “Protecting PHI Shared with Private Physician Practices” and at the 5th Academic Medical Center Privacy and Security Conference on March 2, 2009 on the topic “AMC Privacy and Security: New Challenges, New Solutions – Best Practices for Compliance.”


As a matter of fact, Slide 23 on “Recent Developments” in Mr. Chesterton’s 2009 presentation referred to a “recent security incident.” Presumably his reference was to a January 11, 2009 data security breach, which was reported by www.identitytheft.info as having occurred at the University of Rochester (the “2009 Breach”), that involved 450 individuals from a “Hacked Database.”


It is not clear that the 2009 Breach involved PHI which is covered by HIPAA/HITECH or whether it related to the University of Rochester or URMC. In any event the 2009 Breach preceded the establishment of the HHS List and would not have been reportable on the HHS List had it been PHI because fewer than 500 individuals were affected. If the 2009 Breach related to the University of Rochester and not to the Medical Center, Mr. Chesterton’s knowledge of the 2009 Breach could have come from his membership on the Provost Taskforce.


Clearly Mr. Chesterton is not responsible for the publication policy of the URMC website or its news postings. However, I believe that the multiple occurrences of PHI security breaches in 2010 at URMC are a serious matter. The posting of the 2010 Breaches (and the 2009 Breach if it related to the Medical Center) on the URMC website would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating a large PHI security breach. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.

PHI: What Can a Provider Do to "Insure" Against a Security Breach?

My colleague, Michael Kline, has been regularly reporting on this blog about the parade of Protected Health Information (PHI) privacy and security breaches that are occurring at large, sophisticated hospital systems, such as the Henry Ford Health System in Michigan, and health insurance carriers, such as Wellpoint, Inc. in Indiana.  A recent breach at the Puerto Rico Department of Health involved an estimated 400,000 individuals.  Breaches involving more than 500 individuals, including those referenced in this paragraph, must be reported to the Secretary of Health and Human Services (HHS) and can be accessed at the HHS Web site. 

If state agencies, insurance carriers, and large health care systems are vulnerable to the devastating aftermath of large breaches, how can a smaller covered entity, such as a free-standing specialty hospital or a physician practice group, or a business associate or subcontractor whose business does not revolve around or even frequently involve PHI, effectively limit its vulnerability to the heavy costs of a PHI security breach?

Whether HIPAA/HITECH privacy and security issues are in the forefront of an entity's compliance mindset or are a periodically worrisome background buzz, an entity should investigate measures to protect itself against privacy and security breaches and the ensuing economic costs associated with investigation of the potential breach, notice to affected individuals and, potentially, HHS, damage to reputation, remediation and protection actions, and, possibly, penalties, fines, and other damages asserted by the government or third parties.

I was intrigued to learn recently of a type of relatively new insurance coverage called "Privacy & Computer Security Protection." This coverage may be a good option for those among us who worry that even airtight, well-implemented policies and procedures may not be enough. Whether a breach results from human error (a typical cause for breach) or from organized or individual cyber crime such as hacking and stolen laptops (a less typical, but increasing risk), insurance companies such as Chartis, Beazley, and Hiscox are willing to underwrite certain computer security risks and cover specified losses that may be incurred by an insured from a PHI security breach.


According to my friends at Marsh USA Inc. (an insurance broker and an original creator of "cyber" policy forms), subject to the results of an underwriting pre-assessment of risks specifically associated with an entity that is applying for insurance coverage against losses from a PHI security breach, such an entity may pay as little as about $20,000 for $1 million in coverage. Insurance protection might cover claims arising from actual or alleged breaches of duty, neglect, or other acts, errors, or omissions that result in disclosure of PHI or other confidential information; vicarious liability for privacy breaches of an entity's vendor/subcontractor; costs associated with defense of regulatory actions; costs associated with compliance with PHI breach notification requirements; costs associated with public relations/crisis management professionals; etc.


The extent of financial risk involved in the HIPAA/HITECH security breach context is daunting. The cost of just setting up and operating a toll-free line for PHI security breaches involving 3,000 individuals is estimated by the federal Office of Civil Rights to be upwards of $8 million (table on page 42764).


I plan to review and report back in future blog postings on the current coverage options specifically designed to protect against the costs of HIPAA/HITECH security breaches, gaps that may exist in the currently available coverage and other related matters.

PHI: Postscript to the Security Breach at Henry Ford Health System

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

On November 21, 2010, a posting on this blog discussed a PHI security breach involving Henry Ford Health System (“Henry Ford” or the “health system”).

The blog posting observed that the disclosure by Henry Ford on its Web site did not divulge the number of patients affected by the security breach. As discussed in the posting, the required time frame for the health system to notify the U.S. Department of Health and Human Services (“HHS”) is the same as that for notifying affected patients; therefore, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would soon reveal the number of affected patients. Indeed, a visit today to the HHS Web site reveals that the Henry Ford security breach is now listed and that the breach affected 3,700 patients.

It is somewhat perplexing as to why the health system would have chosen not to have reported the number of affected patients on its own Web site. While every PHI security breach is costly and makes providers and insurers potentially vulnerable to embarrassment, criticism and diminished reputation, proactive transparency assists in rehabilitating relations with clients and the public.

The Parade of PHI Security Breaches: Escalating Enforcement Activity by Attorneys General - Most Recently in Indiana

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches. 

An earlier posting reported that Richard Blumenthal, as Attorney General of Connecticut, has been especially prominent in investigating PHI security breaches affecting individuals in his state. He also distinguished himself by successfully recovering for Connecticut the first state settlement for PHI security breaches under HIPAA/HITECH in an amount of $250,000. 

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was pointed out in the earlier blog posting that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches. In this regard, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

Significantly, the lawsuit, which seeks $300,000 in civil penalties, is not being brought under HIPAA/HITECH but, according to the Press Release, under Indiana state law, which “requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay.” 

According to the Press Release, WellPoint was notified as early as February 22, 2010 and again on March 8, 2010 that health insurance application records containing personal information, such as social security numbers, financial information and health records, were accessible through its public website.  However, the Attorney General alleges that WellPoint did not begin notifying customers of the security breach until June 18, 2010 (over 100 days after WellPoint reportedly learned of the breach).  The Press Release continues that, following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010 (at least 144 days after WellPoint reportedly learned of the breach). The Press Release states that the WellPoint “delays in notice both to customers and to the Attorney General's office are considered unreasonable.”

HIPAA/HITECH has a more objective standard than the term “unreasonable delay” of the Indiana statute. Under HIPAA/HITECH, the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” WellPoint would clearly be well outside the 60-day limits for notification.  


It is not clear what led the Indiana Attorney General to determine to proceed under state law rather than HIPAA/HITECH, especially given the objective outside limit of 60 days under HIPAA/HITECH and the above-mentioned success of Mr. Blumenthal in Connecticut. Perhaps the decision was made in order to bring the action in the Indiana state courts rather than the federal courts, or there are facts and circumstances that the Attorney General believed favor use of the state law.


In any event, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law. Prompt, decisive and positive action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for undue delay in notification of PHI security breaches.