In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes.
There is no doubt that companies face unprecedented volume and variation in both disruptive and intrusive cyberattacks on their networks. Among the different attack methodologies today, ransomware is quickly becoming a major concern for CISOs and security professionals. According to Interagency Guidance from the U.S. Government, there are currently over 4,000 daily ransomware attacks – up over 300% from the 1,000 daily ransomware attacks experienced in 2015.
Ransomware can potentially hold hostage critical corporate, customer and employee data, but in-house legal and communications teams are also concerned about whether these attacks trigger notification rules. The Department of Health and Human Services Office of Civil Rights (“HHS OCR”), which enforces the HIPAA Security and Breach Notification Rules, stated in recently issued guidance that ransomware incidents may be considered a breach that requires notification. The guidance is a poignant reminder to all companies, whether regulated by HIPAA or not, to carefully consider how evolving attack methodologies can directly implicate incident response strategies and compliance obligations.
This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.
Officials at the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) have recently selected a vendor to conduct the second wave of HIPAA audits. These so-called “Phase 2 Audits” are set to commence on the heels of two important HHS OCR enforcement proceedings alleging violations of the HIPAA Security Rule:
- St. Elizabeth’s Medical Center, a tertiary care hospital in Massachusetts, allegedly failed to conduct a risk assessment before its employees used a cloud document-sharing application and failed to respond to a security incident in a timely manner, leading to a $218,400 fine and Corrective Action Plan (CAP). Orrick reported on this case in a previous alert.
- Cancer Care Group (CCG), one of the largest privately owned radiation oncology groups in the country, recently signed a $750,000 settlement and CAP stemming from the theft of PHI belonging to approximately 55,000 patients stored on a stolen laptop and unencrypted backup media. According to OCR, the investigation uncovered that prior to the security incident, CCG failed to conduct an enterprise-wide risk assessment, and failed to implement a policy addressing the removal of unencrypted devices containing ePHI from company facilities – two issues that OCR identified as key contributing factors to the data breach. The CAP requires CCG to conduct risk analysis regarding its handling of ePHI, to develop and implement a risk mitigation plan addressing certain identified risks, and to review and update security policies, procedures and employee training.
Last month, the U.S. Department of Health and Human Services Office for Civil Rights announced that it had entered into a settlement agreement with St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the nonadmission settlement, SEMC agreed to pay $218,400 and enter into a one-year corrective action plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information in a cloud document-sharing application.
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it had entered into a settlement agreement with St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the non-admission settlement, SEMC agreed to pay $218,400 and enter into a one-year Corrective Action Plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information (ePHI) in a cloud document sharing application. Covered entities and business associates that increasingly leverage cloud services for storing and managing Electronic Health Records (EHR), and ePHI more generally, should take notice of this development for a number of reasons. First, it underscores the importance of conducting security assessments on, and evaluations of, cloud services before allowing employees to use them to manage ePHI and EHR. Second, it demonstrates the need to create and enforce clear policies prohibiting use of unapproved and untested cloud services. Finally, the settlement appears to have stemmed from an employee whistleblower and highlights how such whistleblowers will become more prominent considerations in cyber and data security investigations and enforcement actions.
The American health care industry is under attack by sophisticated hackers seeking access to electronic medical records. Since January, three health insurers have announced major data breaches involving millions of records, with the largest one at Anthem Inc., involving nearly 80 million records. There have been dozens of smaller breaches as well. According to statistics kept by the U.S. Department of Health and Human Services, in 2009 the health care sector experienced 18 data breaches involving 500 or more individuals. In the first three months of 2015, more than 50 such breaches were reported.