Message sent and received: First HIPAA settlement involving a business associate – a cautionary tale
The math is eye-opening — a $650,000 settlement for a breach affecting 412 people. In the first HIPAA settlement involving a “business associate,” HHS’s Office for Civil Rights (OCR) has sent a strong message to all business associates about the importance of complying with HIPAA’s privacy and security rules.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides management and information technology services to skilled nursing facilities, is a business associate under HIPAA because it performed certain services using protected health information (PHI) on behalf of a HIPAA “covered entity” (a description of covered entities is here and a description of business associates is here). In 2014 a smartphone provided by CHCS to an employee was stolen. The smartphone held the PHI of 412 patients and was neither encrypted nor password-protected.
Your weakest cyber security leak may be outside your own network. In another demonstration of how an organization can face significant financial and reputational exposure from another’s failure of cyber security, Massachusetts General Hospital announced this week that one of its vendors suffered a cyber breach — on the vendor’s own network — that exposed more than 4,000 records of MGH patients. Some of the compromised information may have included patient names, dates of birth and Social Security numbers.
On Monday a Federal appeals court in Virginia upheld a lower federal court ruling that held a Commercial General Liability (CGL) policy may in fact cover a data breach. The legal battle turns on the Personal Injury insuring agreement, and coverage under the Personal Injury coverage part is often ambiguous.
In the underlying case, The Travelers Indemnity Company of America was required to provide a defense for its insured, Portal Healthcare Solutions, LLC, for an underlying data breach class action filed against Portal by customers whose private medical information was posted on the intranet.
In a day and age when hackers are persistently attempting to break into networks, an organization that fails to encrypt its sensitive data is taking a huge risk with both its financial resources and its reputation. Unprotected data is a legitimate business problem that is no longer confined to IT, especially for healthcare organizations, where the loss of sensitive unprotected data can result in fraud, identity theft, and stolen financial resources for employees and customers. In these cases the burden or blame ultimately falls upon the most senior executive leaders of an organization. And when senior teams are evaluated on whether they know their areas of risk, encrypting data and building protections have become the latest criteria.
The President, industry leaders, and lawmakers visited the tech hub of Stanford University earlier this month for an official White House Summit on Cybersecurity and Consumer Protection. The discussions focused on increasing collaboration between the government and the private sector in order to prevent potentially crippling data breaches. The administration hopes that this will encourage Congress to pass cybersecurity legislation. Here are a few key takeaways from the summit:
- Cybersecurity is an issue for all sectors of the economy.
The Identity Theft Resource Center found that 85 million records were exposed last year both in the public and private sectors. Cyber attackers trumped terrorists as the #1 threat to national security last year while data breaches on companies such as Sony Pictures Entertainment, Target, Home Depot, and most recently, insurance giant Anthem Inc., resulted in costly losses.
The nation’s second largest health insurer, Anthem (which includes several major Blue Cross and Blue Shield brands), has reported a major data breach. Last Wednesday, security personnel discovered a hack in which cyber thieves accessed the names, birth dates, Social Security numbers, addresses and member IDs of up to 80 million current and former policyholders. Anthem’s President and CEO, Joseph R. Swedish, in a letter to its current and former members said that through its initial analysis of the breach “there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” Nevertheless, the impact of this breach is significant.
In a sluggish world economy, hacking has unfortunately been a robust business. Recent reports issued by the Ponemon Institute, Symantec and others have detailed the stunning growth in cybersecurity breaches (such as a greater than 60% increase in breaches in 2013) and given vivid support to the now-common warning about breaches: “It’s not if, it’s when.”
The avalanche of cyber breaches has alarmed companies — and insurers. Cyber liability exposures include the following, among others:
- First-party costs incurred in dealing with the breach (forensics, legal, notification, credit monitoring, call center, etc.)
- Third-party exposures to individuals and entities affected by the breach
- Regulatory enforcement (SEC, FTC)
- Intellectual property exposures (often via corporate espionage)
- Reputational exposures
- Extortion exposures
- Theft exposures (such as hacks of bank accounts or phishing-induced erroneous transfers of money)
- Business interruption costs
- Data restoration costs