Message sent and received: First HIPAA settlement involving a business associate – a cautionary tale
The math is eye-opening — a $650,000 settlement for a breach affecting 412 people. In the first HIPAA settlement involving a “business associate,” HHS’s Office of Civil Rights (OCR) has sent a strong message to all business associates about the importance of complying with HIPAA’s privacy and security rules.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides management and information technology services to skilled nursing facilities, is a business associate under HIPAA because it performed certain services using protected health information (PHI) on behalf of a HIPAA “covered entity” (a description of covered entities is here and a description of business associates is here). In 2014 a smartphone provided by CHCS to an employee was stolen. The smartphone held the PHI of 412 patients and was neither encrypted nor password-protected.
Your weakest cyber security leak may be outside your own network. In another demonstration of how an organization can face significant financial and reputational exposure from another’s failure of cyber security, Massachusetts General Hospital announced this week that one of its vendors suffered a cyber breach — on the vendor’s own network — that exposed more than 4,000 records of MGH patients. Some of the compromised information may have included patient names, dates of birth and Social Security numbers.
Most people were relieved when investigators determined that the recent electronic disruptions at the New York Stock Exchange and United Airlines were caused by internal glitches and not by hackers. The NYSE system crash, caused by a faulty software upgrade, and the United Airlines outage, caused by a faulty router, received great attention as pictures of (and tweets by) idle traders and travelers appeared seemingly everywhere.
Because they involved computers and networks, these outages were discussed by the media with the vocabulary normally used to describe “cyber” events. That’s not surprising, given the initial fear that the NYSE crash in particular was caused by hacking.
When confidential personal or medical information is compromised or a computer network is breached, the event is typically described as a “failure” of data or network security. That is not an attractive characterization in realms where blame is assigned. Facing predicted increases in cyber-related shareholder lawsuits, corporate boards and their legal advisers have sought to determine what corporate directors and officers must do to avoid the personal liability that can result from shareholder claims. In an earlier blog post and white paper, I discussed the changing D&O risks associated with cybersecurity exposures. WGA’s Cyber Risk Hub also has an extensive section on cybersecurity corporate governance.
In a sluggish world economy, hacking has unfortunately been a robust business. Recent reports issued by the Ponemon Institute, Symantec and others have detailed the stunning growth in cybersecurity breaches (such as a greater than 60% increase in breaches in 2013) and given vivid support to the now-common warning about breaches: “It’s not if, it’s when.”
The avalanche of cyber breaches has alarmed companies — and insurers. Cyber liability exposures include the following, among others:
- First-party costs incurred in dealing with the breach (forensics, legal, notification, credit monitoring, call center, etc.)
- Third-party exposures to individuals and entities affected by the breach
- Regulatory enforcement (SEC, FTC)
- Intellectual property exposures (often via corporate espionage)
- Reputational exposures
- Extortion exposures
- Theft exposures (such as hacks of bank accounts or phishing-induced erroneous transfers of money)
- Business interruption costs
- Data restoration costs
This time the smart money was right. As most readers know, in the Halliburton case the Supreme Court was presented with a challenge to its 1988 case (Basic v. Levinson) that made many shareholder class-action securities cases possible. Plaintiffs’ lawyers hoped that the Court would uphold Basic, while business groups advocated reversal. Most who heard oral arguments before the Court felt that the justices were struggling to find an acceptable compromise — limiting the scope of Basic but not requiring each and every plaintiff to show individual reliance on a misrepresentation. The Court found that middle ground. It gave defendant companies an opportunity early in a purported securities class action case to convince judges to deny class certification to plaintiffs — and thereby prevent the claims from moving forward.