
Quest Diagnostics Data Breach: Healthcare Hack

by John DiGiacomo, Partner

The Quest Diagnostics data breach is one of the most significant health care entity security hacks of 2016. In late November, Quest Diagnostics, a medical laboratory company used by countless health care entities nationwide, announced that it had recently identified itself as a victim of a data breach. According to the company, an unauthorized third party gained access to Quest Diagnostics’ computer systems and compromised patient information kept in the system by exploiting security weaknesses in an internet application called MyQuest by Care360.

The health and personal information of more than 34,000 patients who used the MyQuest by Care360 application was exposed in the Quest Diagnostics data breach. The compromised data included personal identifying information such as patient names, dates of birth, and telephone numbers, as well as health information and laboratory test results. No credit card, debit card, insurance, or other financial information was exposed in the attack, nor were any patient Social Security numbers disclosed as part of the hack.

Upon identifying the hack, Quest Diagnostics took immediate steps to contain the intrusion into their system, and began addressing the vulnerabilities in their internet application that were used by the hackers to compromise patient data. Even though there has been no indication that the exposed data has been misused in any way, victims of the Quest Diagnostics data breach are being notified in compliance with applicable data breach notification laws.

Why Do Hackers Go After Patient Healthcare Information?

Healthcare data is a particularly attractive target for attackers. Unlike information stolen from a bank or financial institution, where new passcodes or cards can be issued to restore the security of the system, patient information is permanent: a name, date of birth, and medical history cannot be changed once a hack has been detected. Healthcare data systems also carry many vulnerabilities because federal law required all healthcare entities to adopt electronic health records for their patients in a relatively short period of time, and many entities did not have sufficient time to implement secure, protected systems that were fully vetted for security vulnerabilities.

HIPAA Obligations in Healthcare Data Breaches

Healthcare data breaches like the Quest Diagnostics incident trigger a dense web of legal obligations under federal law. Any covered entity — a term that includes healthcare providers, health plans, and healthcare clearinghouses — and any business associate of a covered entity that experiences a breach of protected health information (PHI) must comply with the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414.

What Is Protected Health Information Under HIPAA?

HIPAA’s definition of protected health information is broad. PHI encompasses any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate in connection with the provision of healthcare, payment for healthcare, or operations of a healthcare entity. This includes names, dates (including birth dates), telephone numbers, geographic identifiers, and any information that relates to the past, present, or future physical or mental health condition of an individual — exactly the categories of data that were exposed in the Quest Diagnostics breach.

The definition under 45 C.F.R. § 160.103 covers 18 specific categories of identifiers. Notably, even a combination of relatively innocuous data elements — name and date of birth, for example — constitutes PHI when linked to health information. The practical effect is that almost any data exposed in a healthcare application breach will qualify as PHI subject to the Breach Notification Rule.

Notification Requirements Under the HIPAA Breach Notification Rule

When a covered entity or business associate discovers a breach of unsecured PHI, the Breach Notification Rule imposes three notification requirements:

  • Individual notification. Affected individuals must be notified in writing within 60 days of discovering the breach. The notice must describe what happened, the types of PHI involved, steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate the breach, and contact information for follow-up questions.
  • HHS notification. All breaches must be reported to the Department of Health and Human Services. Breaches affecting 500 or more individuals must be reported to HHS contemporaneously with individual notification. Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually.
  • Media notification. Breaches affecting 500 or more individuals in a single state or jurisdiction must be reported to prominent media outlets serving the affected area, in addition to individual and HHS notification. This requirement is designed to ensure that affected individuals who may not receive individual notice are still informed.

Civil Monetary Penalties for HIPAA Violations

The Office for Civil Rights (OCR) at HHS enforces HIPAA and is authorized to impose civil monetary penalties (CMPs) for violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The penalty structure, established at 42 U.S.C. § 1320d-5 and implemented through regulations at 45 C.F.R. Part 160, Subpart D, imposes penalties on a tiered basis depending on the covered entity’s culpability:

  • Unknowing violations: $137 to $68,928 per violation.
  • Reasonable cause (not willful neglect): $1,379 to $68,928 per violation.
  • Willful neglect, corrected: $13,785 to $68,928 per violation.
  • Willful neglect, not corrected: $68,928 to $2,067,813 per violation category per year.

OCR has pursued enforcement actions resulting in settlements well into the millions of dollars against healthcare entities that failed to implement adequate security measures or failed to conduct required risk assessments. A covered entity that never performed a security risk analysis of a patient-facing application — such as MyQuest by Care360 — faces heightened penalty exposure under the willful neglect tiers.

Business Associate Liability

Healthcare breaches frequently involve business associates — third-party vendors that handle PHI on behalf of covered entities. Quest Diagnostics’ application was a patient-facing tool that by definition collected and transmitted PHI. The vendor that developed and maintained the MyQuest application qualifies as a business associate under 45 C.F.R. § 160.103, and as a business associate is directly subject to the HIPAA Security Rule and Breach Notification Rule. Business associates can be directly investigated and penalized by OCR independent of the covered entity with which they contract.

The legal arrangement between a covered entity and a business associate must be documented in a Business Associate Agreement (BAA), which must specify the permitted uses and disclosures of PHI and must require the business associate to implement appropriate safeguards, report breaches to the covered entity, and comply with applicable HIPAA rules. A covered entity that works with a business associate without a compliant BAA faces independent HIPAA liability for that structural failure.

State Healthcare Privacy Laws

HIPAA sets a federal floor for healthcare privacy, but many states have enacted healthcare privacy statutes that impose additional requirements. California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq., imposes strict liability on providers and their contractors for negligent disclosures of medical information and authorizes civil penalties of up to $250,000 per violation, as well as private civil claims for nominal and compensatory damages. New York’s Public Health Law § 18 imposes independent patient record access and confidentiality requirements. Healthcare entities operating in multiple states must account for both the HIPAA floor and any more demanding state law requirements in their security and breach response programs.

What Patients Affected by a Healthcare Data Breach Should Do

  • Read the breach notification carefully. Identify exactly what information was exposed and whether the entity is offering credit monitoring, identity protection, or other remediation services.
  • Monitor for identity theft. Healthcare data can be used to commit medical identity theft — obtaining healthcare services or prescriptions in the victim’s name. Review explanation of benefits (EOB) statements for any services you did not receive.
  • Place a credit freeze or fraud alert. Even where Social Security numbers were not exposed, exposed combinations of name, date of birth, and phone number can be combined with other stolen data to enable identity theft.
  • Consult an attorney. If you suffered financial harm or identity theft as a result of a healthcare data breach, you may have claims under HIPAA’s civil enforcement framework or under applicable state healthcare privacy laws.

Contact a Healthcare Data Breach Attorney

Revision Legal represents healthcare entities, business associates, and patients affected by healthcare data breaches. If your organization has experienced a HIPAA breach or you have been notified that your healthcare information was exposed, contact the data breach attorneys at Revision Legal today.
