Data Breaches, Lawsuits Inescapable, but Liability Can Be Mitigated

August 10, 2015

Taking proactive measures to have strong security policies, plans, and personnel in place goes a long way toward mitigating company liability in a class-action suit, experts say.

This article originally appeared in Briefings on HIPAA.

If your organization experiences a data breach—an increasingly likely scenario—and PHI is exposed, chances are you will be hit with a lawsuit in short order.

There's not much you can do about that, just like it's impossible to prevent every criminal attack. What you can do, though, is take steps to minimize the likelihood of being found liable for damages in court, says Reece Hirsch, Esq., a partner and regulatory attorney at Morgan Lewis in San Francisco, and a BOH editorial advisory board member.

Hirsch says companies should have two things in place as part of standard policy and procedure: an evolving breach response plan and an incident response team that meets on a regular basis. While class-action suits haven't gained much traction with judges yet—except in cases of clear financial damage to consumers—most of the claims boil down to some form of alleged negligence, he says.

"Given the increasingly sophisticated cyberthreats that companies face … you cannot have perfect security and you cannot completely insulate yourself from these types of events, but what you can do is show you acted reasonably and took reasonable measures to prevent a breach and not make yourself a target," Hirsch says.

Organizations demonstrate this with a good breach response plan to show they've identified the problem, mitigated damage, notified victims, and taken further action as necessary, he says. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and investor relations. Part of the team's role is to analyze risks to data, data flow, and worst-case scenarios.

"Everything needs to be encrypted, data at rest as well as data in transit, which is something HIPAA specifically points out," says Jan McDavid, Esq., the compliance officer and general legal counsel at HealthPort, an Atlanta-based healthcare services firm. McDavid, who is a regular speaker on this subject, agrees that it's essential to have proper security policies as well as dedicated staff to regularly review systems and respond to incidents.

Comprehensive risk analyses, which HIPAA requires, should not just be done after a breach to assess the extent of damages after private data is "let out the door," she says, but up front as well to identify the risks. Even so, healthcare organizations with large electronic databases will likely experience a data breach at some point.

"Once [companies] are put on notice that something has happened, they need to immediately stop the bleeding," McDavid says. Even though public breach notification may not be required on day one, the company should immediately shut off or fix whatever happened so it can't occur again, she says.

One of the issues she sees often is that as healthcare organizations struggle to keep pace with technology, security is affected too. In the rush to automation and interoperability with limited funds available, parts of older systems and databases may get upgraded and replaced, but in the process, new vulnerabilities may be created, McDavid says. It seems organizations don't always realize how their systems interact, leading them to overlook peripheral connections that may allow access to protected systems, she adds.

Federal legislation that called for providers to implement EHRs didn't contain the funding to help facilities make the switch—those incentives came later. Many of the hospitals McDavid works with have a hodgepodge of computer systems that were installed piecemeal as the hospitals received technology funding, and that may inadvertently lead to vulnerabilities.

Taking proactive measures to have strong security policies, plans, and personnel in place goes a long way toward mitigating company liability in a class-action suit, Hirsch and McDavid say.

Lawsuits may be unavoidable

"If people are going to sue you, they're going to sue you," Hirsch says. "But [proactive preparation] will position the company much better to defend the lawsuit." And even more importantly, he adds, it may deflect some of the greatest damage to a company's reputation and image, which occurs in the "court of public opinion" and in news media reports.

McDavid agrees. "Their name becomes mud when the news is out that they've had a major breach," she says, although she believes the public has become oversaturated with the plethora of recent breaches in the news to the point that such incidents are no longer viewed as alarming or unusual.

Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, and a BOH editorial advisory board member, says the breach announced by Anthem, Inc., in February 2015 actually offers a good example of how to take the right approach to a data breach. Apgar doesn't believe the health insurer took a big hit to its reputation because it acted relatively quickly to put security experts on the case and notify consumers and law enforcement authorities about the breach as required by HIPAA security regulations. In addition, he says, Anthem had relatively good security protections; however, those protections could only slow down a sufficiently skilled hacker, not stop the breach from occurring.

By comparison, Apgar says the class-action suits against Community Health Systems, Inc., are for actual negligence in responding to a known security vulnerability. The Franklin, Tennessee-based company announced hackers accessed data of 4.5 million individuals who were referred to or received care from physicians affiliated with its system over the last five years, according to an August 18, 2014, filing with the U.S. Securities and Exchange Commission.

Anthem disclosed on February 4 that it uncovered a massive breach affecting 80 million people that had occurred two months earlier. Less than 12 hours later, an Indianapolis attorney was already filing a class-action suit against the health insurer for failure to secure customers' data, negligence, breach of contract, and failure to notify victims in a timely manner.

In the days and weeks that followed, the class-action suits started to pile up across the country—dozens of complaints argued Anthem was lax in securing members' personal data, which wasn't encrypted. Plaintiffs argued Anthem only implemented reasonable security measures after it discovered the breach January 29—more than a month after the incident occurred.

Even if it were eventually proven in court that Anthem didn't follow industry best practices to secure data or that the breach was due to negligence, the bigger question is whether the plaintiffs can demonstrate harm as a result, Apgar says.

Building up case law

Currently, legal precedent favors the defendants, but that's an evolving process too.

McDavid explains there is no established federal law that stipulates companies are liable for damages just because they experienced a data breach that exposed clients' or patients' personal information.

That's where class-action attorneys enter the picture, she says. They're trying to make case law by obtaining favorable court opinions to set a legal precedent, but it's an uphill battle, she says. Under many federal and state laws, victims have to prove they were harmed in order to win damages.

"In the majority of cases now, the courts are ruling that you cannot certify a class unless you can prove the class has damages," McDavid says. "What that means is that even if you've breached 2 million records, if you don't have any notice that any of that [data] has been misused, then in most courts right now you have no damages."

In April, a federal judge dismissed a class-action suit against Horizon Blue Cross Blue Shield of New Jersey, ruling the plaintiffs didn't demonstrate they suffered financial harm. Two company laptop computers were stolen in 2013 from the health insurer's Newark headquarters, and nearly 840,000 customers' personal information was potentially exposed.

McDavid also points to a May Pennsylvania case where a county judge dismissed a suit from 62,000 employees of the University of Pittsburgh Medical Center following a criminal breach of the hospital's payroll database. Several hundred employees were victims of tax fraud, but the judge ruled the plaintiffs didn't prove that they were all financially harmed, that the medical center was negligent in its actions, or that there was any contract holding the university liable for security breaches.

What usually happens, Hirsch explains, is that the parties reach a settlement outside of court, and that's where many of the large payouts to affected consumers or patients happen.

Finding other ways in

It's becoming increasingly common, however, for class-action attorneys to file suit for violations of state privacy and security laws or various other federal statutes, which may contain stronger protections than HIPAA, McDavid says. Arguments under those laws have been more successful at convincing courts that the victims still have legal standing to sue even if they haven't experienced actual harm.

Apgar points to an early example from 2010, when the Connecticut Attorney General's office sued Health Net of Connecticut in federal court for violations of HIPAA and state privacy protections regarding personal data. The attorney general's office alleged the health insurer failed to secure PHI and financial information prior to a 2009 data breach in which a computer disk drive was lost that contained unencrypted records on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. Health Net also allegedly delayed notifying plan members and law enforcement authorities until several months after it discovered the breach.

Ultimately, the company agreed to a settlement that included the following:

  • Extended credit monitoring for affected plan members
  • Increased identity theft insurance and reimbursement for security freezes
  • An internal corrective action plan for stronger security measures
  • A $250,000 state fine
  • A $500,000 contingent payment to the state if it was established that affected individuals later became victims of identity theft or fraud

This was the first legal action taken by a state attorney general since the HITECH Act in 2009 authorized state attorneys general to bring civil actions for HIPAA violations.

Federal laws, such as the Fair Credit Reporting Act (FCRA), are also becoming an avenue for class-action attorneys. Hirsch says although it's not related to healthcare, one case winding its way through the U.S. Supreme Court—Spokeo, Inc. v. Robins—could change the legal landscape if the nation's highest court issues an opinion against the online company.

In February 2014, federal appellate judges for the 9th Circuit reversed a district court ruling that had originally dismissed plaintiff Thomas Robins' class-action suit alleging willful violations of the FCRA. He claimed Spokeo, an online information gathering service, published and marketed inaccurate personal information about him on its website, which he had no control over. While not claiming actual financial damages, he argued that since he was unsuccessful in securing employment, he was concerned the inaccurate report was affecting his ability to obtain employment, insurance, credit, etc.

The appellate panel found Robins did have constitutional standing to sue under the FCRA. This speaks to the same issues that are raised by victims of healthcare data breaches, who worry they will suffer financial harm from the exposure of their PHI, Hirsch says. Large technology companies urged the Supreme Court to take up an appeal of the 2014 decision, fearing it could cripple the industry by paving the way for billions of dollars in damages to consumers, he says.

In addition, there's another federal healthcare data breach suit—Smith, et al. v. Triad of Alabama—making a case for violations under the FCRA that will have big implications if the court finds the plaintiffs have legal standing for a class-action suit, McDavid says.

"They can keep it in court if the judge buys into their theory that they don't have to have damages in order to sue," she says.
