Recent Developments in Privacy/Security Litigation
Elizabeth F. Hodge
February 25, 2015

Privacy & Security Enforcement
- HIPAA Office for Civil Rights
- State Attorneys General
- Federal Trade Commission (FTC)
- State privacy laws
- Florida Information Protection Act
- Private lawsuits
- State Insurance Commissioners

Why Should I Care?
- Financial cost to entity if there is a breach:
  - Staff time
  - Outside consultants
  - Notification to individuals
  - Credit monitoring
  - Fines/penalties
  - Defending ensuing litigation
- Reputational harm to entity if there is a breach

Quantifying the Cost
- $145: average cost per record involved in a breach
- $509,237: average notification cost per breach in U.S.
- $1,599,996: average post data breach cost in U.S. (for remedial action)
- $5.85 million: average cost of a data breach in the U.S.
- Costs of a healthcare breach are typically higher than the average cost
Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis

HIPAA Enforcement
HIPAA, Briefly
- Covered entities are required to protect the confidentiality, integrity and availability of protected health information (PHI) of individuals:
  - Health plans (including self-funded employer health plans)
  - Health care clearinghouses
  - Health care providers conducting covered transactions
- Applies to PHI regardless of form (paper, oral or electronic)
- Effective September 23, 2013, business associates and subcontractors of Covered Entities are subject to the HIPAA Security Rule for electronic PHI

OCR HIPAA Audits
- First round will target 350 covered entities:
  - health plans
  - healthcare clearinghouses
  - health care providers who conduct covered transactions
  - cross-section of type and size of provider
  - small practices are not exempt
- Second round will target 50 business associates identified from results of first round

HIPAA Audits
- Original Plan:
  - 100 CEs audited on Privacy (Notice and Access)
  - 100 CEs audited on Breach Notification (content and timeliness of notifications)
  - 150 CEs audited on Security (risk analysis and risk management)
- All BAs will be audited on Security only:
  - 35 will be IT-related BAs
  - 15 will be non-IT-related BAs

HIPAA Audits
- CEs will have 2 weeks to respond!
  - information not timely produced will not be considered
  - auditors will not have opportunity to contact CE for clarifications or to ask for additional information
  - only get 1 chance to get response right!
- failure to submit documentation may lead to referral for regional compliance review
- all communications will be electronic, including submissions of information to OCR
- may be asked to produce risk analysis

HIPAA Penalties
- HITECH Act confirmed applicability to Business Associates
- HITECH Act increased Civil Penalties, with tiers based upon the culpability of the violator:
  - OCR MUST conduct compliance review whenever a preliminary review indicates possible willful neglect
  - Penalties range from $100 to $50,000 per violation
  - Single failure can constitute multiple violations
  - Self-correction within 30 days can reduce or avoid penalties
- Criminal Penalties: Fines and imprisonment; ranges vary by culpability

Penalties Per 45 CFR 160.404
Monetary penalties for HIPAA violations

Violation category*              Each violation         All violations of an identical provision in a calendar year
Did not know                     $100 to $50,000        $1.5 million
Reasonable cause                 $1,000 to $50,000      $1.5 million
Willful neglect, corrected       $10,000 to $50,000     $1.5 million
Willful neglect, not corrected   $50,000                $1.5 million

HHS Settlement Agreements
- $4.8M settlement - Connecting personally-owned computer server to employer's network
- $1.2M settlement - Returning leased copiers without wiping or destroying hard drive
- $3.25M settlement - Throwing prescription labels and old prescriptions in dumpsters
- $7.1M settlements - Theft/loss of unencrypted laptops, back-up tapes, USB drives
- $1M settlement - Leaving patient schedules and billing encounter forms on subway
- $4.3M civil penalty/fine - Failing to provide individuals with copies of their PHI and then failing to respond to investigators

Class Action Settlements
AvMed Settlement - Background
- December 2009: 2 company laptops containing PHI were stolen from a locked conference room at corporate building. AvMed investigated the incident and notified current and former members of possible compromise of their PHI
- November 16, 2010: four plaintiffs filed a class action lawsuit in Miami
- AvMed twice moved to dismiss. Trial court granted both motions to dismiss, but the 11th Circuit Court of Appeals reversed in part and affirmed in part the 2nd dismissal order
- Parties mediated the case

Plaintiffs' Theories
- Negligence per se
- Breach of implied covenant of fair dealing
- Negligence
- Breach of contract
- Breach of implied contract
- Breach of fiduciary duty
- Restitution/Unjust enrichment
The 11th Circuit affirmed dismissal of the negligence per se and breach of implied covenant of fair dealing counts and reversed dismissal of the other counts

Settlement Agreement
- $3,000,000 settlement fund to pay the following:
  - Premium Overpayment Settlement Class - $10 for each year that the class member paid AvMed for health insurance coverage before the December 2009 incident, up to $30
    - reimburses class members for the portion of premiums that plaintiffs say AvMed should have spent on adequate data protection
    - class members do not need proof of injury
  - Identity Theft Settlement Class - reimburses class members for the amount of any proven actual, monetary loss shown by claimant to have occurred more likely than not as a result of the December 2009 incident
    - class members may also recover as members of the Premium Overpayment Settlement Class

Significance of AvMed
- First case where plaintiffs who could not demonstrate actual damages due to breach were allowed to share in settlement proceeds
- Paying premium (or medical bill?) may be enough to establish entitlement to damages under theory of unjust enrichment

Springer v. Stanford Hospital, et al.
- Stanford Hospital sent the encrypted personal information of patients to Multi-Specialty Collections for permissible business purposes
- Subcontractor of Multi-Specialty Collections (Corcino & Associates) used the personal information to create a document containing the personal information of almost 20,000 individuals, which was subsequently posted on the Student of Fortune website between Sept. 2010 and August 2011
- One of the affected individuals, Shana Springer, filed a $20M class action lawsuit for violating California's Confidentiality of Medical Information Act
- Defendants = Stanford Hospital & Clinics, Multi-Specialty

Springer v. Stanford Hospital, et al. - Settlement Agreement
- Defendants to pay $4,125,000
  - Stanford Hospital - $750,000 ($500,000 of which will fund training on patient privacy & security issues for business associates, $250,000 of which funds administrative expenses)
  - Multi-Specialty Collections - $1,775,000
  - Corcino & Associates - $1,600,000
- Affected individuals do not need to prove damages to collect under settlement
- If no one opts out of settlement, after deducting attorneys

Springer v. Stanford Hospital, et al. - Significance of settlement
- Plaintiffs and covered entities are starting to make business associates and subcontractors financially responsible for data breaches
- In the Stanford settlement documents, it says repeatedly that Stanford represents that it did not create the document that was posted to the website
  - that language is even included in the settlement notice sent to class members
- California law allows patients to sue any entity that negligently releases identifiable information, seeking minimum damages of $1,000, with no proof of actual damage required

The FTC Joins the Mix
The Role of the FTC
Accretive Health
- Theft of unencrypted laptop containing PHI of 23,000 patients from employee's car
- The Federal Trade Commission (FTC) filed a complaint alleging Accretive failed to provide reasonable and appropriate security for the personal information of consumers, resulting in the data breach:
  - Accretive created unnecessary risks of unauthorized access to personal information by transporting laptops containing personal information in a manner that made them vulnerable to theft
  - Accretive failed to adequately restrict access to personal

Accretive Health Settlement
- 20-year settlement agreement
- Establish and maintain comprehensive information security program
- Program must be evaluated initially and then every 2 years for 20 years
- FTC closed its investigation into Accretive's conduct in collecting defaulted debts in hospital emergency rooms
- Previously, Accretive settled with Minnesota Attorney General who sued under HIPAA for the same breach
  - Accretive paid $2.5 million to settle
  - Agreed to stop doing business in Minnesota for at least 6 years

GMR Transcription Services
- FTC filed complaint against GMR and its officers, individually, because they control the policies and acts of the company
- FTC alleged that GMR hired contractors to transcribe audio files of GMR customers
- Due to inadequate security, medical transcript files prepared between by GMR's service provider located in India were indexed by a major internet search engine and were publicly available to anyone using the search engine
- GMR made representations regarding its privacy and security policies & procedures

GMR Transcription Services - Violations of the FTC Act
- Representations that GMR implemented reasonable and appropriate security measures to prevent unauthorized access to personal information in audio and transcript files were false and misleading and constitute a deceptive act or practice
- Representations that GMR took reasonable measures to oversee its service providers to ensure service providers implemented reasonable & appropriate security measures were false and misleading and constitute a deceptive act or practice
- GMR failed to use reasonable and appropriate measures to prevent unauthorized access to personal information; such practices caused or are likely to cause substantial injury to

GMR Transcription Services - Terms of Settlement & Consent Agreement
- GMR is prohibited from misrepresenting the extent to which it maintains the privacy and security of personal information
- GMR must establish a comprehensive information security program that will protect consumers' sensitive personal information
- GMR must have the security program evaluated initially and every 2 years by a certified third party
- Settlement agreement will be in force for 20 years
- 50th data security case that FTC has settled in last 12 years

PaymentsMD Case
- 20-year settlement agreement
- Can't misrepresent extent to which it uses, maintains, and protects the privacy, confidentiality, security or integrity of covered information collected from consumers
- Prominently disclose to consumers its practices for collecting, using, storing, disclosing or sharing health information before seeking authorization to collect health information from 3rd parties
- Obtain affirmative express consent before collecting health information from 3rd parties
- Destroy all covered information collected pursuant to an authorization signed before the settlement agreement
- Make available to FTC documents relating to compliance with order

LabMD & Wyndham Cases
- Challenges to FTC's authority to oversee data breaches
- LabMD says it is subject to HIPAA so FTC should MYOB
  - 11th Circuit recently told LabMD it has to complete the administrative proceeding before the FTC before it can come to court
- Wyndham case: trial court denied Wyndham's motion to dismiss FTC complaint arising out of breach of Wyndham's computer system. The denial of the MTD is on appeal in the 3rd Circuit
  - Section 5 and the "unfair acts" language does not extend to "unreasonable data security practices"
  - FTC hasn't provided fair notice of what are reasonable security practices (i.e., there is no FTC analog to HIPAA security rules)

State Attorneys General
California v. Kaiser Foundation - Settlement Agreement
- $150,000 settlement payment
- Implement data security improvements: improve encryption policies, internal audit of extent of employee access to sensitive personal information, and report audit results to Attorney General
- Timely notification when there is a breach of the security of Kaiser's system
  - 4 months is too long!
  - Provide notice on a rolling basis following discovery of a breach
  - provide notice as soon as reasonably possible after identifying a portion of total individuals affected by a

FL Information Protection Act
Florida Statute 501.171, effective July 1, 2014:
- Requires proper notice to be provided to affected consumers within 30 days unless good cause is shown for an additional 15-day delay;
- Requires proper notice to be provided to the AG for a breach affecting 500 or more individuals in Florida;
- Defines what information must be included in a proper notice;
- Expands the definition of personal information to include health insurance, medical information, financial information and online account information such as security questions and answers, email addresses and passwords;
- Expands the data breach statute to include state governmental entities and their instrumentalities.

FL Information Protection Act
- Requires businesses, state government entities, and third-party agents to take reasonable measures to protect data, including disposal of customer records;
- Requires the AG to provide an annual report to the Legislature regarding data breaches by governmental entities; and
- Authorizes enforcement actions under Florida's Unfair and Deceptive Trade Practices Act for any statutory violations.
Burden of Proof change: Moving the statute to FDUTPA and away from the criminal code lowers the government's burden of proof.

FL Information Protection Act - Implications for Healthcare Providers
- Civil penalties could be imposed in the amount of $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period.
- Potential significant effect on Florida health care providers: currently HIPAA-covered entities have 60 days to notify individuals of a health information breach and may be able to avoid sending notice if they demonstrate that it is unlikely the information has been compromised. However, under FIPA, to avoid notifying the patient, a health entity first has to consult with law enforcement.
- The statute does state that notice provided in accordance with federal rules is deemed to be in compliance. That may help in situations where HIPAA does not require notice because there is a low probability that the information has been compromised.
- HIPAA-covered entities in Florida will need to update their breach policies to ensure compliance. This is a good time to strengthen existing privacy and security policies.
- Keep in mind that many entities that have PHI, but are not HIPAA-covered entities, will now have security compliance standards to follow. If your business has PHI (or PII) but is not a covered entity, FIPA may force you to significantly alter your business process.

HIPAA vs. FIPA Confusion?
- FIPA requires that affected individuals must be notified of the breach within thirty (30) days
  - Much more stringent than the sixty (60) day HIPAA requirement for breach notification
- FIPA provides an exception: Notify individuals in accordance with the HIPAA rules
- What does this mean?

Florida Litigation
Carsten v. University of Miami - Theories in Complaint
- Negligence - breach of duty to protect and safeguard personal information and to provide timely notice of breach of unencrypted PII
- Willful violation of the federal Fair Credit Reporting Act - willful failure to maintain protections to protect consumer report information
- Negligent violation of the federal Fair Credit Reporting Act
- Violation of the Florida Deceptive and Unfair Trade Practices Act - UM held itself out as providing secure online environment and protecting PII

Carsten v. University of Miami - Settlement Agreement
- UM pays up to total of $100,000 for all valid claims submitted
- UM pays up to $90,000 for attorneys' fees, costs, expenses
- UM pays $1,500 incentive award to lead plaintiff
- Designate Security Program lead to oversee PHI security
- Perform risk assessment 1 year, 3 years, and 5 years after settlement date
- Implement security measures to minimize risk to PHI
- Use reasonable measures to select and retain vendors capable of maintaining security of PHI
- No admission of wrongdoing by UM

Curry v. AvMed (again) - Theories in Complaint
- Negligence - breached duty to safeguard sensitive information
- Breach of Contract - contractual obligation to comply with HIPAA and protect sensitive information
- Breach of Implied Contracts - implied contract obligating AvMed to protect information
- Restitution/Unjust Enrichment - portion of monthly premiums was used for data security and AvMed failed to adopt data management and security measures mandated by industry standards
- Negligence Per Se - violation of 395.3025
- Breach of Fiduciary Duty - AvMed was guardian of members' sensitive information
- Breach of Implied Covenant of Good Faith/Fair Dealing - breach of obligation to follow HIPAA

Faircloth v. Adventist Health Syst.
- Lawyer referral services and chiropractors paid ER intake staff at hospital to access hospital system's database to identify patients who presented to the hospital after being injured in car accidents
- Hospital employees involved in the scheme were not authorized to access the sensitive information of all of these patients
- Theories in Complaint:
  - Breach of Contract
  - Breach of Implied Contract
  - Restitution/Unjust Enrichment
  - Breach of Fiduciary Duty

Faircloth v. Adventist Health Syst. - Case is Dismissed by Federal Court
- Court finds there is no subject matter jurisdiction:
  - claims are state law claims and invoking violations of HIPAA does not confer federal jurisdiction
  - a state law claim in which HIPAA is implicated as part of an element does not arise under federal law
  - HIPAA does not provide a private right of action

What Does the Future Hold?
- More litigation/enforcement from more sources:
  - OCR
  - FTC
  - State AGs enforcing HIPAA and state privacy laws
  - Class actions in state and federal courts
- Greater risk for covered entities, business associates, and subcontractors
  - Covered entities will look to business associates/subcontractors who are the cause of a data breach
- Better protection of the privacy and security of PHI?????

What To Do?
Prepare for HIPAA Audits
- Perform and document risk analysis as required by Security Rule (and update periodically)
- Implement written policies and procedures to address risks identified in analysis
- Make sure all HIPAA policies are up-to-date, i.e., satisfy Omnibus Rule
- Make sure breach analysis and breach notification policies are current
- Identify all business associates and update your BAAs
- DOCUMENT, DOCUMENT, DOCUMENT!

An Ounce of Prevention....
- Keep current with emerging technologies and threats
- Train your employees about importance of data security (paper and electronic)
  - Train again!
- Insure against the risk: cyber risk insurance
- Have breach response plan in place before something happens
  - identify potential vendors in advance

And don't forget FIPA
- Evaluate your current policies and security measures for electronic personal information and update them as necessary;
- Develop new policies or update existing policies for identifying breaches and providing appropriate notification to affected individuals;
- Ensure that your company is using proper methods to destroy or dispose of personal information.

And don't forget FIPA, Part 2
- Review and update your agreements with third-party agents who maintain or transmit electronic personal information to address the new requirements of 501.171, Florida Statutes, regarding notification of breaches suffered by the third-party agent and what precautions the third-party agent takes to safeguard and properly destroy data.
- Review your liability policies to determine what coverage is available in the event of a breach. The cost to respond to a data breach continues to climb and many insurers are revising their CGL policies to exclude coverage for data breaches. Separate cyber liability policies are available in the marketplace.