Recent Healthcare Data Breaches: Key Cases to Know


Healthcare computer systems hold the three pieces of personal identifying information most useful for fraud and identity theft: names, Social Security numbers, and dates of birth. Unlike a payment card number, none of these can simply be cancelled and reissued after a breach, so a hacker, fraudster or impersonator who obtains all three can open accounts, file fraudulent claims and assume a victim's identity for years afterward.

Increase in Healthcare Data Breaches

In 2016, there were over 300 reported healthcare data breaches, and the ten largest alone affected over 16 million people. The pace has increased sharply in 2017: according to Healthcare IT News, more cyberattacks were reported in March than in January and February combined, and the March attacks alone affected more than 1.5 million patients. This is a persistent problem that is difficult to manage, and being prepared to detect and respond to a breach is often the best a healthcare system can do.

IVF Clinic’s Server Hacked in New Jersey

In late February, the New Jersey Diamond Institute for Fertility and Menopause discovered a serious breach of patients' electronic health records. The health data of more than 14,500 patients was exposed in the incident, and officials do not know when the intrusion began. While some of the data on the breached server was encrypted, a large amount of supporting medical documentation was stored unencrypted on the same server. Personal identifying information exposed in the breach includes:

  • Names
  • Addresses
  • Date of birth information
  • Social Security numbers for patients
  • Sonograms
  • Lab results

New Jersey Diamond Institute for Fertility and Menopause reset all passwords for the system immediately upon discovery of the data breach and updated its firewall protection software. Because the institute could not establish when the intrusion began, the length of time the attacker had access to the server remains unknown. Affected patients are being notified about the breach and are being offered free credit monitoring services.

UK Health Systems Locked Down by Ransomware

A recent and alarming healthcare data breach involved computer systems at 16 hospitals in the United Kingdom that were taken hostage by hackers at the same time. A ransomware attack rendered the computer systems unusable, and because the hospitals could not access patient records, test results, or medical scans, patients were turned away from the affected hospitals in droves. Similar cyberattacks have happened in the United States, for example the 2016 attack on Hollywood Presbyterian Medical Center, but the ransomware attack on the 16 UK hospitals is the most recent instance of healthcare systems being held hostage by hackers.

Contact a Healthcare Cybersecurity Lawyer

Cyberattacks on healthcare systems are occurring more frequently, and healthcare systems are struggling to keep their computer system safeguards up to date. Ransomware in particular is being used against healthcare systems more and more often. Despite best efforts, attacks keep succeeding, and when they do, patients are the ones who suffer the most.


Revision Legal works with companies and healthcare systems to help manage cybersecurity issues and the aftermath of a cybersecurity breach. Contact the experienced healthcare data breach lawyers at Revision Legal. Please feel free to reach out to us today. Contact us using the form on this page or call us at 855-473-8474.

HIPAA, HITECH, and the Legal Obligations of Healthcare Entities After a Data Breach

Healthcare data breaches trigger a complex web of federal and state legal obligations. The Health Insurance Portability and Accountability Act (HIPAA), as enhanced by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, establishes minimum standards for the protection of protected health information (PHI) and mandates specific notification obligations when PHI is compromised.

The HIPAA Breach Notification Rule

Under 45 C.F.R. §§ 164.400–414, covered entities must provide notification following a breach of unsecured PHI, and business associates must notify the covered entity of any breach they discover. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. A "breach" is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. The regulations create a presumption of breach unless the covered entity can demonstrate a low probability that the PHI has been compromised based on a four-factor risk assessment: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.

Notification must be provided to affected individuals without unreasonable delay and in no case later than 60 days following discovery of the breach. A breach is treated as discovered on the first day it is known to the entity, or by exercising reasonable diligence would have been known, so the clock runs from discovery rather than from the date of the intrusion, which, as in the Diamond Institute incident, may never be established. For breaches affecting 500 or more residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that area. For breaches affecting 500 or more individuals in total, the entity must notify the Secretary of the Department of Health and Human Services contemporaneously with the individual notifications. Smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

HITECH Enforcement and Civil Monetary Penalties

The HITECH Act dramatically increased the civil monetary penalties available for HIPAA violations and directed the HHS Office for Civil Rights (OCR) to increase enforcement activity. Civil monetary penalties are tiered based on culpability; the statutory base amounts, which are adjusted annually for inflation, are:

  • Did not know: $100 to $50,000 per violation, with an annual cap of $1.5 million for identical violations.
  • Reasonable cause: $1,000 to $50,000 per violation, same annual cap.
  • Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation, same annual cap.
  • Willful neglect, not corrected: at least $50,000 per violation, same annual cap of $1.5 million per identical provision per calendar year.

In 2019 OCR announced that, as a matter of enforcement discretion, it would apply lower annual caps to the first three tiers, while the $1.5 million cap continues to apply to uncorrected willful neglect.

OCR has collected tens of millions of dollars in HIPAA settlements and civil monetary penalties. Anthem's $16 million OCR settlement in 2018 following a breach affecting nearly 79 million individuals, and Community Health Systems' $5 million multistate settlement with state attorneys general following a breach of 6.1 million patients, demonstrate the severity of enforcement actions against large healthcare organizations.

State Law Claims and Private Rights of Action

HIPAA does not provide a private right of action: individuals cannot sue a healthcare entity directly for HIPAA violations. However, HIPAA's requirements can be offered as evidence of the applicable standard of care, and in some jurisdictions pleaded as negligence per se, in a state tort claim brought under state data breach statutes or common law negligence theories. Some states have enacted health data privacy laws that provide private rights of action, and class action litigation against healthcare entities following large data breaches has become common.

Plaintiffs in healthcare data breach class actions typically assert claims for: negligence (failure to implement reasonable security measures), breach of implied contract (failure to protect patient information as implicitly promised), and violations of state consumer protection statutes. The main obstacle for plaintiffs is establishing cognizable injury—courts are divided on whether the increased risk of future identity theft, without actual present harm, is sufficient to confer Article III standing.

Ransomware: A Growing and Particularly Dangerous Threat

The ransomware attack that simultaneously disabled computer systems at 16 UK hospitals in 2017, attributed to the WannaCry malware campaign, illustrated the catastrophic operational consequences of healthcare ransomware. WannaCry spread on its own between unpatched Windows systems over the network, which is why it moved across whole hospital networks within hours rather than infecting isolated machines. Hospitals that cannot access patient records, test results, or medical scans are forced to divert patients and cancel procedures, directly endangering patient health.

Under HIPAA, a ransomware attack that encrypts PHI is presumed to be a breach unless the covered entity can demonstrate, through the four-factor risk assessment, a low probability that the PHI was compromised, or can show that the PHI was already encrypted, consistent with HHS guidance, before the ransomware ran. That second showing is narrower than it sounds: if the ransomware executes with the credentials of a logged-in user who has access to the decrypted data, the data is effectively unencrypted at the moment of the attack, and full-disk encryption alone will not remove the notification obligation. Many healthcare entities hit by ransomware have discovered, too late, that their data was not adequately encrypted before the attack, triggering full breach notification obligations in addition to the operational crisis. Whether or not notification is ultimately required, a ransomware infection is a security incident under the HIPAA Security Rule, and the entity must respond to it and document its analysis.

If your healthcare organization has experienced or is concerned about a data breach, contact the cybersecurity and data breach attorneys at Revision Legal. We help healthcare entities navigate HIPAA compliance, breach notifications, and regulatory enforcement. Contact us today.
