1 / 36

Lessons Learned from Civil and Criminal Cases Resulting From Health Care Data Breaches

Lessons Learned from Civil and Criminal Cases Resulting From Health Care Data Breaches presented by Helen Oscislawski, Esq . March 1, 2016 NJAMHA A IT Project Pines Manor, Edison, New Jersey.

karenhuerta
Download Presentation

Lessons Learned from Civil and Criminal Cases Resulting From Health Care Data Breaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lessons Learned from Civil and Criminal Cases Resulting From Health Care Data Breaches presented by Helen Oscislawski, Esq. March 1, 2016 NJAMHA A IT Project Pines Manor, Edison, New Jersey

  2. 1 in 3 Americans’ healthcare records were leaked as a result of hackingand IT-related breaches in 2015. Bitglass Healthcare Breach Report 2016 . http://pages.bitglass.com/Healthcare-Breach-Report-2016.html

  3. Big Data Breaches - By SIZE & Date 2015 – 4 (99.4 Million) 2014 – 1 (4.5 Million) 2013 – 2 (5.33 Million) 2012 – 0 2011 – 4 (8.8 Million) 2010 – 1 (1.7 Million) 2009 - 2 (2.24 Million) Source: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=4

  4. Big Data Breaches - By TYPE 6 Cyber Attacks 5 Thefts (unencrypted devices) 3 “We Can’t Find it” (lost) Source: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=4

  5. What We Fear After a Breach Department of Health and Human Services (HHS) & Office Civil Rights (OCR) • Reporting Breach • Investigation • Enforcement • Penalties or Settlement Agreement • Corrective Action Plan (CAP) State Attorneys General Lawsuits (Individuals and Class Actions) Criminal Prosecution (Federal DOJ or State AG)

  6. Enforcement OCR

  7. OCR Resolution Agreementssee www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html 7 ½ years of enforcement (July 2008 – Feb 2016) 32 Cases (30 Settlements & CMPs in 2 cases) 2015 = 6 cases ($6,193,400 collected) 2014 = 7 cases ($7,940,220 collected) 2013 & 2012 = 5 cases/yr ($8,590,780 collected) 2011= 3 cases ($6,665,500 collected) (CignetCMP) 2010 = 2 cases ($1,000,035 collected) 2009 & 2008 = 1 case/yr ($2,350,000 collected) Breach reporting #1 reason why an investigation was opened.

  8. OCR Resolution Agreementssee www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html July 16, 2008: Providence Health & Services ($100K) January 16, 2009: CVS Pharmacy, Inc. ($2.25M) July 27, 2010: Rite Aid Corporation ($1M) December 13, 2010: MSO Washington, Inc. ($35K) February 4, 2011: Cignet Maryland(CMP $4.3M) February 14, 2011: Gen Hospital & Mass General Phys($1.5M) July 6, 2011: UCLA Health System ($865,500K) March 13, 2012: BCBS Tennessee ($1.5M) (con’t…..)

  9. Case Examples & Resolution Agreements(continued) April 13, 2012 : Phoenix Cardiac Surgeons ($100K) June 26, 2012: Alaska DHSS($1.7M) September 17, 2012: Mass Eye & Ear Associates ($1.5 M) December 31, 2012: Hospice of Northern Idaho ( $50K) May 21, 2013: Idaho State University ($400K) June 13, 2013: Shasta Regional Medical Center ($275K) July 11, 2013: WellPoint($1.7M) August 14, 2013: Affinity Health Plan ($1,215,780) Dec 24, 2013: Adult/Pediatric Dermatology P.C. ($150K) (con’t…..)

  10. Case Examples & Resolution Agreements(continued) March 7, 2014: Skagit County, Washington ($215K) April 22, 2014: QCA Health Plan Inc. ($250K) April 22, 2014: Concentra Health Services ($1,725,220) May 7, 2014: NY and Presbyterian Hospital ($3.3 M) May 7, 2014: Columbia University ($1.5M) June 23, 2014: Parkview Health System ($800K) Dec 2, 2014: Anchorage Comm. Mental Health ($150K)

  11. Case Examples & Resolution Agreements(continued) April 22, 2015: Cornell Prescription Pharm ($125K) June 10, 2015: St Elizabeth Medical ($218,400) August 31, 2015: Cancer Care Group ($750,000) November 24, 2015: Lahey Hospital ($850,000) November 30, 2015: Triple S Management Corp ($3.5M) December 15, 2015: Univ of Washington Medicine ($750,000) February 3, 2016: Lincare Inc.(CMP $239,800) February 16, 2016: Pool & Land Physical Therapy ($25,000)

  12. Pool & Land Physical TherapyFebruary 16, 2016 - $25,000 Settlement & 1 YR CAP Facts: August 8 2012, OCR received a complaint from patients that Pool & Land PT was posting patient testimonials with facial images on website without patients’ authorization OCR Findings: • Marketingpurposesrequire HIPAA Authorization • Failed to develop and implement P&Ps that addresses posting PHI to internetand socialmediarequires a signed HIPAA Authorization • Required removal of all PHI from its website ANDbesteffortsto remove all cached versions from the Internet!!

  13. Lincare Inc.February 13, 2016 - $239,800 CMP Facts: Lincare provides respiratory care infusion therapy and medical equipment to patients in homes. 1200 facilities nation-wide. Faith Shaw was Manager of Lincare facility in Arkansas. Ex-husband Richard Shaw complained to OCR late 2008 that Ms. Shaw left PHI in car and in house after she left him. OCR investigated and found that Lincare did not have adequate P&Ps to record and track where PHI was when it was taken off site. Lincare refused to acknowledge that they did anything wrong and to correct P&Ps. OCR assessed penalties, and Lincare appealed to ALJ. ALJ upheld the OCRs authority and CMP. Relevant OCR & ALJ Findings: • P&Ps must address a mechanism to record and track PHI that is removed “off site” • Argument that Mr. Shaw “stole” the PHI or “wrongfully” accessed it is irrelevant to the analysis becauseadequate safeguards were not in place to prevent his “theft” in the first place • Lincare is vicariously liablefor the actions of Ms. Shaw as their employee and “should have known” or by “exercising reasonable diligence, would have known” that the PHI was compromised and not safeguarded.

  14. Univ of Washington MedicineDecember 14, 2015 - $750,000 and 1 YR CAP Facts: UWM reported a breach after employeedown loaded an e-mail with attachment that contained malicious malware which compromised IT system and affected 90,000+ patients’ data. OCR investigated and found that UWM comprised of 12 affiliated entities, but noone was making sure that the affiliated entities are HIPAA compliant. Risk Analysis did not include the external affiliated entities! OCR Findings: • Risk Analysis must be conducted for all affiliated entities, and updated annually or as necessary “in response to environmental or operational changes that affect the security if ePHI. • Employees must be trainedon phishing and malware

  15. Triple S Management CorpNovember 30, 2015 - $3.5M and 1 YR CAP Facts: Triple S, a parent company for health insurance subsidiaries, reported numerous breaches over a 5-year period. Nov 2010 breach involved failure to terminate access credentials of former employees who proceeded to access PHI after termination. Multiple reports of sending data through vendor without a BAA in place (reportable?) and one report of employee copying CD with e-PHI and downloading it to computer of new employer. Finally, after receiving multiple breach reports, OCR launched an investigation. Found “widespread [HIPAA] non-compliance throughout the various subsidiaries of Triple-S” OCR Findings: • Enterprise-wide Risk Analysis must be conducted for all entities under “control” of parent • Implementation of P&Ps for all areas that Triple-S fell short on

  16. Other Lessons Learned from OCR Encryptlaptops and mobile devices, including thumb drives! • Providence Health ($100K) • Idaho Hospice($50K) • Mass Ear/Eye MDs ($1.5 M) • Alaska DHSS ($1.7M) • Concentra ($1.725M) (if you don’t, document the alternative used) • QCA ($250K) Dispose of PHI properly, including wiping leased copiers of ePHI! • CVS ($2.25M) • Rite Aid ($1M) • Affinity Health ($1.2M) (purge ePHI from copiers & devices!) • Parkview Health System ($800K) (don’t leave PHI in driveways!) Don’t take PHI off-site! (Gen Hospital Corp. & Mass Gen MD Org ($1.5M)) Enter into BA Agreements with vendors who store or secure your PHI! • BCBS Tennessee ($1.5M) • AZ Cardiologists ($100K)

  17. Enforcement Lessons Learned Perform andUpdateSecurity Risk Assessments, especially with system upgrades • BCBS Tenn ($1.5M)) • Idaho State Univ ($400K) • Wellpoint ($1.7M) • Columbia ($1.5) / NY Presbyterian ($3.3M) • Anchorage ($150K) (don’t use outdated software, and fail to update patches) Ensure you have Control Policies over your Devices and Media (Cancer Care) Apply Minimum Necessary to disclosure within organization! (Shasta Medical) Train & Sanction Employees, Including executives(Shasta Medical ($275K) CORRECTViolations! (if done within 30 days is an affirmative defense) • Cignet Maryland ($4.3M) • UCLA ($865K) • Lincare ($239,800K) Cooperate with OCR! Cignet Maryland ($4.3M) & Lincare

  18. Enforcement Lessons Learned (con’t) Have written Policies, and Implement effectively • Providence Health ($100K) • CVS ($2.25M) • Rite Aid ($1M) • MSO Washington ($35K) • Cignet Maryland ($4.3M) • General Hospital Corp. & Massachusetts General Physicians ($1.5M) • UCLA ($865,500K) • BCBST ($1.5M) • AZ Cardiac MDs ($100K) • Alaska DHSS ($1.7M) • Mass MDs ($1.5 M) • Idaho Hospice($50K) • A&P Dermatology ($150K) • Shasta ($275) • Wellpoint ($1.7M) • Affinity ($1.2M) • Skagil ($275K)

  19. Lawsuits

  20. Causes of Action(“civil” lawsuits) Federal Law • HIPAA • Fair Credit Reporting Act • “Wiretap Act” State Law • Tort • Breach of Contract • Strict Liability Class Actions

  21. HIPAA “Patients cannot sue for violations of HIPAA under the statute. The HIPAA statute does not provide a private right of action for an individual to sue under….”

  22. BUT… is HIPAA the “Standard of Care”? At least 10 states (Delaware, Connecticut, Kentucky, Maine, Minnesota, Montana, North Carolina, Tennessee, Utah, West Virginia) have published judicial decisions and precedent supporting that a court may at least lookto HIPAA when considering the relevant standard of care for state privacy violation claims brought by individuals. Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court went one step further and concluded that HIPAA regulations can establish the standard of care in certain situations!

  23. Byrne v. Avery Center for Obstetrics and Gynecology, P.C Facts: Emily Byrne, asked Avery Center for Obstetrics and Gynecology not to provide her PHI to her significant other (HIPAA’s Request for Restriction). The Center received a subpoena from her significant other’s attorneys in a paternity suit, and promptly turned over the information without alerting the patient or fighting the subpoena in court. • Byrne sued Avery Center for negligence, but a lower court ruled that HIPAA preempted the negligence suit. Byrne then appealed. Holding: November 2014, the Connecticut Supreme Courtoverruled the lower court and pointed to language in the preamble to the final HIPAA to permit privacy lawsuits based on State Law to go forward. HIPAA does not preempt state law cases of action. Impact: De facto right of action under HIPAA, which could subject health care providers to more lawsuits for breaching patient confidentiality

  24. Walgreens Walgreen Co. v. Abigail E. Hinchy, N.E. 3d 99 (Ind. Ct. App 2014) (rehearing denied Jan 15 2015). • Pharmacist was married to the plaintiff’s boyfriend at the time she looked at the plaintiff/customer’s prescription records and shared them with her then-husband, who was also plaintiff/customer’s ex-boyfriend. • Walgreens disciplined pharmacist, but did not terminate her. Plaintiff alleged: (1) Wallgreensfailed to appropriately train pharmacist; (2) Negligence (HIPAA is a standard of care), Invasion of Privacy, and (3) Respondent Superior– and, the jury agreed! Jury awards $1.44 million to a customer/plaintiff July 26, 2013 Wallgreens appeals, but court DENIESrehearingon Jan 15, 2015.

  25. Consumer Breach Class Actions PF Chang’s China Bistro • Plaintiffs alleged restaurant chain failed to properly safeguard customer credit card data that was compromised during the breach. Plaintiffs alleged several types of damages from the security breach, including overpayment for services, fraudulent charges on their accounts, and the increased risk of identity theft. • Court rejected those arguments in concluding that the plaintiffs had failedto allege any out-of-pocket losses or actual damages that would have allowed them to proceed with their claims. • December 11, 2014, the U.S. District Court for the Northern District of Illinois dismisseda proposed class action over a June 2014 data breach. No actualharm had been alleged. The plaintiffs filed an immediate notice of appeal to the Seventh Circuit….. Lewertv. P.F. Chang's China Bistro Inc., No. 1:14-cv-04787, and Kosnerv. P.F. Chang's China Bistro Inc., No. 1:14-cv-04923, both in the U.S. District Court for the Northern District of Illinois.

  26. Will Healthcare Breach Class Actions Be Treated Differently? Advocate Health & TRICARE – so far, class actions are generally being dismissed for failure to show actual sustained damages or harm. Tracking other commercial breaches that resulted in class action suits. Exceptions: • Charleston Medical Centerin West Virginia, State Supreme Court overruled and certified the class despite no showing of damages. • AvMedsettles for $3 Million with 1.2 Million individuals from 2009 breach. (Florida) • Stanford Hospital & Clinics + 2 Business Associates settle with 20,000 patients for $4 Million due to a 2011 breach

  27. Developments on the Horizon Premera - At least 5 class actions filed. Anthem- Class actions filed in Alabama, California and Indiana. Arguments range from “overpaid premium” where Anthem didn’t use money to implement appropriate security safeguards to “imminent danger” of identity theft. Note that no encryption and prior incidents (2012 breach). MIE (Medical Informatics Engineering)- Class Actions started being filed over last summer.

  28. Premera - Four Causes of Action #1 Negligence Must show that an entity: • (1) had a duty to the plaintiff, • (2) the entity breached the duty, • (3) the plaintiff suffered damages, and • (4) the entity’s acts caused the damage. The Complaint states that Premera had a “duty” to keep the plaintiffs personal information secure as the provider of health coverage to the plaintiffs.  Premerabreached this duty by failing to secure its IT systems and this failure directly caused the plaintiff’s damages related to improper disclosure of health information.

  29. Premera - Four Causes of Action #2 Bailment “Bailment” is actionable when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled. (i.e., “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”) The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it.  Premera breached its bailment by failing to protect the information which resulted in the data breach.

  30. Premera - Four Causes of Action #3 Breach of Contract Complaint alleges that Premera’sNotice of Privacy Practices (NPP)states that Premera must take measures to protect each beneficiary’s health information. Unclear whether court will accept argument that NPP is actually a contract between a covered entity and individuals. HOWEVER, the fact that such arguments are being raised underscores that NPPs should be carefully drafted.

  31. Premera - Four Causes of Action #5 Washington State Data Breach Claim Complaint alleges that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike HIPAA, affected individuals may bring claims for violations of this statute. Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.

  32. Criminal Prosecutions

  33. HIPAA’s Criminal Section • HIPAA Statute says: • § 1320d-6 of HIPAA prohibits anyone from knowinglyaccessingindividually identifiable health information from a covered entity without authorization. So, YES, an individual person canbe prosecuted criminally for wrongfully and intentionally obtaining PHI without authorization from Covered Entity.

  34. Holland, Miller and Griffin

  35. Huping Zhou

  36. Helen Oscislawski, Esq. Principal, Attorneys at Oscislawski LLC helen@oscislaw.com 609-835-0833 Thank you. Any questions?

More Related