1 HIPAA & Costly Data Breaches
Healthcare: Evolving Claims, Exposures and Regulatory Enforcement
2015 NLC-RISC Staff Conference, October 19, 2015, Annapolis, MD

2 Presenters
Mark Greisiger, NetDiligence
John Mullen, Lewis Brisbois Bisgaard & Smith
3 Why Are We Here?
5 Healthcare Info Challenges: ePHI Data is Everywhere!
- Highly dependent on technology
- Collecting and sharing vast amounts of private data
- Continuing to outsource (cloud)
- Replicating data everywhere
- Finding it difficult to trace data flow (your cloud's cloud)
Data & dependencies are everywhere: (1) servers; (2) corporate databases and web applications; (3) remote users (laptops, iPhones); (4) back-up and storage facilities; (5) service providers / cloud; (5.b) the clouds for your clouds; (6) contractor systems; (7) credit card processors; (8) mobile apps; (9) your big-data analytic marketers, etc.
6 General Cyber Threats
- Insiders, or malicious and disgruntled employees
  - Changing, deleting or destroying data or programs with logic bombs; crashing systems; holding data hostage; stealing and selling data; entering data incorrectly
- Outside attackers or "crackers"
  - Intrusion / hack
  - DDoS
  - Social engineering
  - Hacking
  - Extortion
- Viruses & malware
- Non-malicious employees (errors or lost media)
- Non-malicious system or coding glitch
- Third-party partner, vendor or cloud breach or mishap
7 How Do Incidents Occur?
              Accidental                                      Intentional
Internal      Lost devices & inadvertent publication of data  Disgruntled employees
External      Vendors & subcontractors                        Hackers & unsecured websites
8 Assess Your Readiness
Purpose: showcase strengths and identify weak spots
- Build on PCI, HIPAA, privacy & security, and other liabilities
- Reaffirm reasonable safeguards
- Benchmark to standards and peers
- Good-faith effort toward compliance with regulations
- Show cloud usage
- Show lessons learned from past incidents (battle-ready stance)
- Cyber risk insurability assessment
- Process should be collaborative
- Educate the risk manager and CFO about their own IT operations
- Wide angle: people, process and technology
9 Four Common Weak Spots
PROBLEM 1) IDS, or intrusion detection software (the "bad guy alert system")
- Studies show that 70% of actual breach events are NOT detected by the victim company but by third parties (and many more go undetected completely)
- FTC and plaintiff lawyers often cite failure to detect
PROBLEM 2) Encryption (of private data)
- Identity Theft Resource Center: only 2.4% of all breaches had encryption
- Issues: budgets, complexity and partner systems
- Key soft spots: data at rest in databases and, to a lesser extent, on laptops
- Benefit: safe harbor (usually)
PROBLEM 3) Patch management challenges
- All systems need constant care (patching) to keep bad guys out
- Lack of time: Gartner Group estimates that IT managers spend an average of 2 hours per day managing patches
PROBLEM 4) Vendor mismanagement
- Vendors in care, custody and control of systems or data
- Often no oversight and no due diligence
- SLAs often disown security assurances
- 1 in 3 events caused by a third-party vendor
10 Types of Data at Stake
PHI (Protected Health Information): information created or received by a covered entity or business associate relating to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, that identifies or can be used to identify the individual.
PII (Personally Identifiable Information): e.g., Social Security number, driver's license number, bank account information, credit card information, online/financial account username and password, MEDICAL INFORMATION, HEALTH INSURANCE INFORMATION, and email address and password in California, Florida and Puerto Rico.
PCI (Payment Card Industry) information: cardholder data.
11 Threats
Malicious attack: hackers in the network, malware and viruses, phishing scams, physical theft of hardware and paper, rogue employees
UNSOPHISTICATED ACTORS
- Employees: negligence related to use and storage of data, failure to follow or learn policies and procedures, loss of portable devices, mis-mailing of paper, unencrypted emails to the wrong recipients
- Business associates: any of the above can occur at a business associate with whom data is shared
12 HIPAA
- A set of national standards to protect protected health information that is created, received, used or maintained
- Applies to covered entities and business associates
- Imposes reporting requirements and deadlines upon potential or actual unauthorized access, use, disclosure or handling of protected health information
13 Covered Entity vs. Business Associate
Covered Entity
- Covered entities are: health plans (health insurance company; HMO; company health plan (self-insured); government program that pays for health care, such as Medicare or Medicaid); health care clearinghouses (including entities that process nonstandard PHI received from another entity); health care providers (doctors, clinics, dentists, chiropractors, nursing homes, pharmacies, psychologists)
- Required to comply with HIPAA's Privacy, Security and Breach Notification Rules
Business Associate
- An entity that, on behalf of a covered entity, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA (including data analysis, claims processing, utilization review, quality assurance, billing, benefit management and practice management) or provides a service that involves the disclosure of PHI
- Required to notify the covered entity of a breach no later than 60 days following discovery of the breach. Content requirements: identification of the affected population, and any other available information that the covered entity is required to include in its notice to the affected individuals
- Required to comply with the Security Rule (administrative, physical and technical safeguards)
- Not directly required to comply with the Privacy Rule, but often required to comply with certain sections under contract with the covered entity, because the Privacy Rule protects PHI when it is created or maintained by a business associate and requires the covered entity to obtain satisfactory assurances from its business associate that it will employ appropriate safeguards
14 HIPAA Security Incident vs. Breach
SECURITY INCIDENT: the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system.
BREACH: the acquisition, access, use or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
15 Non-Traditional PHI
PHI is broadly defined and includes:
- Any information relating to the provision of health care and a physical condition
- Any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school, health clearinghouse, etc.
- Social Security numbers, payment information, dates of birth, contact information (telephone numbers, addresses), etc. alone trigger HIPAA (Anthem)
16 HIPAA Reporting Deadlines
- The deadline for breach reporting begins running from discovery
- A breach is treated as discovered as of the first day on which the breach is known to the covered entity or, by exercising reasonable diligence, would have been known to the covered entity
- A covered entity is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity
17 HIPAA Reporting Deadlines, cont'd
- Individuals: without unreasonable delay and in no case later than 60 business days from discovery
- HHS: without unreasonable delay and in no case later than 60 calendar days from discovery (over 500 affected), or no later than 60 calendar days following the year in which the breach occurred (fewer than 500 affected)
- Media: without unreasonable delay and in no case later than 60 calendar days following discovery (over 500 affected in one state or jurisdiction)
18 HIPAA: OCR Investigations
- OCR will likely investigate any breach involving over 500 affected individuals
- OCR will request information relating to compliance with the Privacy Rule, Security Rule and Breach Notification Rule at the time of breach reporting and in the subsequent investigation
- Responses to a request for information are due within twenty (20) to thirty (30) days of the date of OCR's request
- The length of an investigation varies and can be years
- OCR will attempt to resolve the investigation with the covered entity by obtaining voluntary compliance, corrective action and/or a resolution agreement
- If an OCR investigation results in a finding of non-compliance with HIPAA, HHS may initiate a formal enforcement action that may result in the imposition of civil money penalties, or take other actions consistent with OCR's jurisdiction, including referral of the complaint to the Department of Justice for investigation
- To prepare for an OCR investigation, some covered entities are taking steps to achieve voluntary compliance in order to mitigate potential fines that may result from a breach
19 HIPAA: Penalties for Noncompliance
OCR may impose a civil money penalty on a covered entity or a business associate for a failure to comply with an applicable requirement of the Privacy, Security or Breach Notification Rule.
Considerations for penalty assessments:
- The nature and extent of the violation
- The nature and extent of the harms resulting from the violation
- THE HISTORY OF PRIOR COMPLIANCE, including previous violations
- The financial condition of the covered entity or business associate
20 OCR Enforcement Highlights
The most common compliance issues investigated are:
- Impermissible uses and disclosures of protected health information
- LACK OF SAFEGUARDS OF PROTECTED HEALTH INFORMATION
- Lack of patient access to their protected health information
- Lack of administrative safeguards for electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
The most common types of covered entities required to take corrective action to achieve voluntary compliance are:
- Private practices
- General hospitals
- Outpatient facilities
- Pharmacies
- Health plans (group health plans and health insurance issuers)
21 OCR Settlement Highlights
Concentra Health Services (Concentra)
- Unencrypted laptop containing protected health information of 870 patients
- OCR found: Concentra failed to adequately remediate and manage its identified lack of encryption, and failed to sufficiently implement policies and procedures to prevent, detect, contain and correct security violations to reduce its identified lack of encryption
- $1,725,220 settlement
Presbyterian Hospital & Columbia University (2014)
- ePHI accessible through internet search engines, relating to 6,800 individuals
- OCR investigation found: the hospital made no effort to assure the server was secure or contained appropriate software protections; no thorough risk analysis or risk management plan; failed to implement appropriate policies or to enforce those it did have in place
- $4.8 million settlement
Anchorage Community Mental Health Services (ACMHS)
- Malware infected ACMHS's information technology resource system
- 2,743 affected individuals
- $150,000 settlement and agreement to adopt a corrective action plan
22 State Regulatory Exposures
- 47 states (plus Puerto Rico, Washington D.C. and the Virgin Islands) require notice to residents after unauthorized access to personally identifiable information
- Some states contain express language relating to HIPAA that allows simultaneous compliance with HIPAA and state law as it relates to individual notice (state regulator notice may still be required)
- Require companies that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information (includes health information in some states)
- Many require notification of the state attorney general, state consumer protection agencies and credit monitoring agencies
- Notice due without unreasonable delay
- Some states are requesting an Assurance of Voluntary Compliance
- Some states allow a private right of action for violations
23 Evolving Exposures
VERMONT
- Notice to affected individuals within 45 days of breach discovery
- Notice to the VT AG within 14 days of breach discovery or affected-individual notice (whichever is sooner)
KENTUCKY
- Became the 47th state with a breach notification law in April 2014
FLORIDA
- Notice to affected individuals within 30 days
- Email address and password = PII
MASSACHUSETTS
- Written information security plan required for businesses storing MA resident personal information
NEW JERSEY
- Username/email address and password = PII (passed Assembly, currently in Senate committee)
- Certain health insurers must encrypt PII
INDIANA
- "Notice without unreasonable delay" interpreted by the AG as 30 days
- Recent surge in Assurance of Voluntary Compliance requests
CALIFORNIA
- Email address and password = PII
- Amendment effective 2015 requires the entity providing notice to offer appropriate identity theft prevention and mitigation services if the entity was the source of the breach
- Strict health information protection: notice to DPH and affected individuals within 15 business days of learning of the breach
CONNECTICUT
- AG practice of requesting 2 YEARS OF CREDIT MONITORING following SSN exposure, though not in statute
- Statute requiring at least one year of identity theft prevention and mitigation services, and notice within 90 days (although the AG issued a statement stressing that notice within 90 days could still be unreasonable delay)
PENNSYLVANIA
- AG requests notice if an incident affects PA residents, though there is no statutory requirement
24 State Law: Evolving Exposures
- California: personal information triggering notice includes medical information and health insurance information. Strict health information protection: notice to the Department of Public Health and affected individuals within 15 business days of learning of the breach (CMIA).
- Florida: notice to affected individuals within 30 days. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional is considered personal information.
- Montana: new regulatory requirement and expansion of the definition of personally identifiable information to include medical record information and taxpayer identification numbers (effective October 1, 2015).
- Nevada: expanded the definition of personally identifiable information to include driver authorization card numbers, medical identification or health insurance identification numbers, and user names, unique identifiers or email addresses in combination with passwords, access codes or security questions (effective July 1, 2015).
- Oregon: requires regulator reporting by the entity maintaining or possessing personal information on behalf of another entity, in addition to reporting the breach to the affected state resident (pending).
- Wyoming: expanded the definition of personally identifiable information to include medical information, health insurance information and unique biometric information.
25 Regulatory Action: State AGs
Kaiser Foundation Health Plan Inc. (2014) (California AG)
- 20,0000 affected
- Breach occurred December 2011; notice provided March 2012
- Settlement requires notification on a rolling basis (as soon as reasonably possible after identifying a portion of the total affected population)
- Kaiser Permanente paid $150,000 in penalties and attorneys' fees
Beth Israel Deaconess Medical Center (2014) (Massachusetts AG)
- Theft of an unencrypted laptop; 3,796 affected
- Breach occurred May 2012; notice provided August 2012
- Settlement included payment of $100,000, a security assessment, corrective measures and steps to ensure future compliance with state and federal data security laws and regulations (i.e., encryption and training)
26 Regulatory Action: State AGs
Women & Infants Hospital of Rhode Island (WIH) (2014) (Massachusetts AG)
- WIH discovered in April 2012 that 19 unencrypted backup tapes containing PII of 12,000 Massachusetts residents were missing, after they were supposedly shipped in the summer of 2011; no notice to consumers and regulators until the fall of
- $150,000 settlement
WellPoint (2011) (Indiana AG)
- Records (including SSNs, health and financial information) of over 32,000 Indiana residents were potentially accessible on an unsecured website (645,000 affected nationally)
- Settlement includes a $100,000 fine to the state, up to two years of credit protection for affected state residents, and reimbursement of up to $50,000 for any losses
27 Federal Trade Commission
- Applies to a vendor of personal health records (PHRs), a PHR-related entity, or a third-party service provider for a vendor of PHRs or a PHR-related entity that is not otherwise obligated to comply with HIPAA
- The FTC's breach notification rule parallels HIPAA. OCR and the FTC may engage in parallel audits, which may include an exchange of information
- Individual notice is required without unreasonable delay and within 60 days of discovery of the breach
- If more than 500 individuals are affected, notice to the FTC is required within 10 business days. If fewer than 500 are affected, notice to the FTC is required within 60 days following the end of the calendar year
- Audit/investigation fines may be $16,000 per violation
28 Litigation Trends
SINGLE PLAINTIFF
- Identity theft
- Privacy
GOVERNMENT ACTION
- Attorney General
- FTC
- HHS
SUBROGATION / INDEMNITY
- Contractual issues (Business Associate Agreements)
BANKS
- Cost of replacing credit cards
- Reimbursement of fraudulent charges
- Business interruption
CLASS ACTION
- Failure to protect data
- Failure to properly notify
- Failure to mitigate
- Unjust enrichment
- Violations of consumer protection statutes
29 Incidents to Watch
- Anthem (2015): 80 million affected; class actions filed in Alabama and California federal courts
- Premera (2015): 11 million affected; at least 5 class actions filed to date
- Excellus (2015): 10.5 million affected; at least 5 class actions filed to date, filed in federal court
30 What Can Be Done? Proactive Risk Manager Steps
- An EMPOWERED SENIOR EXECUTIVE
- Talk to your IT security staff and gain an appreciation of the many challenges
- KNOW: how many records you have; what type of data is being collected, stored, shared and protected; where all this data resides; and when it is purged
- ASSESS and test your own staff and operations
- Incident response plan
- Document your due-care measures (training and enforcement)
- INSURANCE
- Red Flags, data security and breach response plans: affirmative duties
- Service level agreements
- Repeat
31 THANK YOU!
John Mullen
Mark Greisiger