Archives: Alfred I. duPont Hospital for Children

By Michael Kline and Elizabeth Litten

[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]

The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.

Since the release by SAIC of the Public Statement, Law 360 has reported that

(i)   According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;

(ii)  A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and

(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach. 

Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to be the first such breach since the adoption of the Breach Notification Rule in August 2009.

On July 21, 2007, The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data — such as medical appointments, treatments and diagnoses — across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:

So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.

Embedded later in the Post article is the following: 

The [2007] disclosure comes less than two years after a break-in at SAIC’s headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information. (A portion of such personal information would have been deemed PHI had it been part of health-related material.)

The SPAMfighter report also discloses the following:

Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC’s malware detection system. That breach had exposed mainly business account information.

As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach. 

Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed by its management to be a “material” reportable event for SEC purposes.

It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not yet even appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.

By Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 2 shall have the meanings assigned to them in Part 1.]

In an October 3, 2011 Securities and Exchange Commission (“SEC”) filing posted on its Web site, SAIC described itself as

a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The company’s approximately 41,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. Headquartered in McLean, Va., SAIC had annual revenues of approximately $11 billion for its fiscal year ended January 31, 2011.

The SAIC PHI breach, which potentially affected nearly 5 million individuals, was reported despite the fact that the PHI was contained on backup tapes used by the military health system, and despite, as explained in the Public Statement: 

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure…  [Q and A] Q. Can just anyone access this data? A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

The Public Statement goes on to say the following in another answer:

After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance. [Emphasis supplied.]

The lynchpin of SAIC’s final decision to notify all of the potentially affected individuals appeared to be the DoD guidance. In SAIC’s position as an $11 billion contractor that is heavily dependent on DoD and other U.S. government contracts as described above, it would appear that SAIC may not have had many practical alternatives but to notify beneficiaries.

SAIC conducted “careful deliberation” before reaching its result and indicated that the risk of harm was “low.” Had the DoD guidance not been a factor, and had SAIC concluded that the case was one where an unlocked file or unencrypted data was discovered to exist but it appeared that no one had opened such file or viewed such data, would SAIC’s conclusion have been the same? Would SAIC have come to the same conclusion as Nemours and decided to report?

What is clear is that the breach notice determination should involve a careful risk and impact analysis, as SAIC asserts that it performed. Even the most deafening sound created by a tree crashing in the forest is unlikely to affect the ears of the airplane passengers flying overhead. Piping that sound into the airplane, though, is very likely to disgruntle (or even unduly panic) the passengers. 

[To be continued in Part 3]

By Elizabeth Litten and Michael Kline

A recent public statement (the “Public Statement”) was published regarding a breach (the “2011 Breach”) of protected health information (“PHI”) of nearly 5 million military clinic and hospital patients that involved Science Applications International Corporation (SAI-NYSE) (“SAIC”). The 2011 Breach occurred in SAIC’s apparent role as a business associate and/or subcontractor for Tricare Management Activity, a component of Tricare, the military health plan (collectively, “Tricare”) for active duty service members of the U.S. Department of Defense (“DoD”). 

According to the Public Statement the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the Public Statement says that there is no financial data, such as credit card or bank account information, on the backup tapes.

The 2011 Breach is the largest single PHI security breach reported to date. The 2011 Breach highlights the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (“HHS”), other regulators and potentially affected individuals of a PHI breach.

The published “interim final rule” governing “Breach Notification for Unsecured Protected Health Information” (the “Breach Notification Rule”) defines “breach” as “the acquisition, access, use or disclosure of protected health information [“PHI”] in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.” The Breach Notification Rule also defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

These definitions, reviewed in the context of several recent PHI breaches (including those “marchers in the parade” previously discussed on this blog), raise an important issue: at what point does “access” matter? When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?

In this regard, an event reported on the Nemours Web site on October 7, 2011 (the “Nemours Report”), about a PHI security breach involving approximately 1.9 million individuals at a Nemours facility in Wilmington, DE is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project. 

Significantly, the Nemours Report stated the following:

There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.

The Nemours Report reveals that, in spite of the low likelihood of access, Nemours not only disclosed the breach but was offering free credit monitoring, identity theft protection, and call center support to affected individuals.

If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify, or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.  

[To be continued in Part 2]