
Recent Developments in Privacy/Security Litigation

Elizabeth F. Hodge

February 25, 2015

Privacy & Security Enforcement

• HIPAA
• Office for Civil Rights
• State Attorneys General
• Federal Trade Commission (FTC)
• State privacy laws
• Florida Information Protection Act
• Private lawsuits
• State Insurance Commissioners

Financial cost to the entity if there is a breach:
• Staff time
• Outside consultants
• Notification to individuals
• Credit monitoring
• Fines/penalties
• Defending ensuing litigation

Reputational harm to the entity if there is a breach

• $145 – average cost per record involved in a breach
• $509,237 – average notification cost per breach in the U.S.
• $1,599,996 – average post-data-breach cost in the U.S. (for remedial action)
• $5.85 million – average cost of a data breach in the U.S.
• Costs of a healthcare breach are typically higher than the average cost

Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis

HIPAA

• “Covered entities” are required to protect the confidentiality, integrity and availability of individuals’ protected health information (PHI):
  • Health plans (including self-funded employer health plans)
  • Health care clearinghouses
  • Health care providers conducting covered transactions
• Applies to PHI regardless of form (paper, oral or electronic)
• Effective September 23, 2013, “business associates” and “subcontractors” of covered entities are subject to the HIPAA Security Rule for electronic PHI

First round will target 350 covered entities:
• health plans
• healthcare clearinghouses
• health care providers who conduct covered transactions
• cross-section of type and size of provider
• small practices are not exempt

Second round will target 50 business associates identified from the results of the first round

Original Plan:
• 100 CEs audited on Privacy (Notice and Access)
• 100 CEs audited on Breach Notification (content and timeliness of notifications)
• 150 CEs audited on Security (risk analysis and risk management)
• All BAs will be audited on Security only
  • 35 will be IT-related BAs
  • 15 will be non-IT-related BAs

• CEs will have 2 weeks to respond!
• Information not timely produced will not be considered
• Auditors will not have the opportunity to contact the CE for clarifications or to ask for additional information
• You only get 1 chance to get the response right!
• Failure to submit documentation may lead to referral for regional compliance review
• All communications will be electronic, including submissions of information to OCR
• CEs may be asked to produce their risk analysis

HITECH Act increased civil penalties, with tiers based upon the culpability of the violator:
• OCR MUST conduct a compliance review whenever a preliminary review indicates possible willful neglect
• Penalties range from $100 to $50,000 per violation
• A single failure can constitute multiple violations
• Self-correction within 30 days can reduce or avoid penalties

Criminal penalties:
• Fines and imprisonment; ranges vary by culpability
• HITECH Act confirmed applicability to business associates

Penalties

Monetary penalties for HIPAA violations

Violation category*             | Each violation      | All violations of an identical provision in a calendar year
Did not know                    | $100 to $50,000     | $1.5 million
Reasonable cause                | $1,000 to $50,000   | $1.5 million
Willful neglect – corrected     | $10,000 to $50,000  | $1.5 million
Willful neglect – not corrected | $50,000             | $1.5 million

• $4.8M settlement – connecting a personally-owned computer server to the employer’s network
• $1.2M settlement – returning leased copiers without wiping or destroying the hard drives
• $3.25M settlement – throwing prescription labels and old prescriptions in dumpsters
• $7.1M in settlements – theft/loss of unencrypted laptops, back-up tapes and USB drives
• $1M settlement – leaving patient schedules and billing encounter forms on the subway
• $4.3M civil penalty/fine – failing to provide individuals with copies of their PHI and then failing to respond to investigators

Class Action Settlements

AvMed Settlement

• December 2009 – 2 company laptops containing PHI were stolen from a locked conference room at the corporate building.
• AvMed investigated the incident and notified current and former members of the possible compromise of their PHI.
• November 16, 2010 – four plaintiffs filed a class action lawsuit in Miami.
• AvMed twice moved to dismiss.
• The trial court granted both motions to dismiss, but the 11th Circuit Court of Appeals reversed in part and affirmed in part the 2nd dismissal order.
• The parties mediated the case.

• Negligence per se
• Breach of implied covenant of fair dealing
• Negligence
• Breach of contract
• Breach of implied contract
• Breach of fiduciary duty
• Restitution/Unjust enrichment

The 11th Circuit affirmed dismissal of the negligence per se and breach of implied covenant of fair dealing counts and reversed dismissal of the other counts.

Settlement Agreement

• Premium Overpayment Settlement Class – $10 for each year that the class member paid AvMed for health insurance coverage before the December 2009 incident, up to $30.
  • Reimburses class members for the portion of premiums that plaintiffs say AvMed should have spent on adequate data protection – class members do not need proof of injury.
• Identity Theft Settlement Class – reimburses class members for the amount of any proven actual, monetary loss shown by the claimant to have occurred more likely than not as a result of the December 2009 incident.
  • Class members may also recover as members of the Premium Overpayment Settlement Class.

• First case where plaintiffs who could not demonstrate actual damages due to a breach were allowed to share in settlement proceeds.
• Paying a premium (or medical bill?) may be enough to establish entitlement to damages under a theory of unjust enrichment.

Springer v. Stanford Hospital, et al.

• Stanford Hospital sent the encrypted personal information of patients to Multi-Specialty Collections for “permissible business purposes”.
• A subcontractor of Multi-Specialty Collections (Corcino & Associates) used the personal information to create a document containing the personal information of almost 20,000 individuals, which was subsequently posted on the Student of Fortune website between Sept. 2010 and August 2011.
• One of the affected individuals, Shana Springer, filed a $20M class action lawsuit for violating California’s Confidentiality of Medical Information Act.
• Defendants = Stanford Hospital & Clinics, Multi-Specialty Collections and Corcino & Associates

Springer v. Stanford Hospital, et al. – Settlement Agreement

• Defendants to pay $4,125,000
  • Stanford Hospital – $750,000 ($500,000 of which will fund training on patient privacy & security issues for business associates, $250,000 of which funds administrative expenses)
  • Multi-Specialty Collections – $1,775,000
  • Corcino & Associates – $1,600,000
• Affected individuals do not need to prove damages to collect under the settlement
• If no one opts out of the settlement, after deducting attorneys’ fees each person will receive approximately $100

Springer v. Stanford Hospital, et al. – Significance of settlement

• Plaintiffs and covered entities are starting to make business associates and subcontractors financially responsible for data breaches.
• The Stanford settlement documents say repeatedly that Stanford represents that it did not create the document that was posted to the website.
  • That language is even included in the settlement notice sent to class members.
• California law allows patients to sue any entity that negligently releases identifiable information, seeking minimum damages of $1,000, with no proof of actual damage required.

The FTC Joins the Mix

Accretive Health

• Theft of an unencrypted laptop containing PHI of 23,000 patients from an employee’s car.
• The Federal Trade Commission (FTC) filed a complaint alleging that:
  • Accretive failed to provide reasonable and appropriate security for the personal information of consumers, resulting in the data breach
  • Accretive created unnecessary risks of unauthorized access to personal information by transporting laptops containing personal information in a manner that made them vulnerable to theft
  • Accretive failed to adequately restrict access to personal information based on employees’ need for the information

20-year settlement agreement:
• Establish and maintain a comprehensive information security program
• Program must be evaluated initially and then every 2 years for 20 years
• FTC closed its investigation into Accretive’s conduct in collecting defaulted debts in hospital emergency rooms

Previously, Accretive settled with the Minnesota Attorney General, who sued under HIPAA for the same breach:
• Accretive paid $2.5 million to settle
• Agreed to stop doing business in Minnesota for at least 6 years

GMR Transcription Services

• FTC filed a complaint against GMR and its officers, individually, because they control the policies and acts of the company.
• FTC alleged that:
  • GMR hired contractors to transcribe audio files of GMR customers
  • Due to inadequate security, medical transcript files prepared by GMR’s service provider located in India were indexed by a major internet search engine and were publicly available to anyone using the search engine
  • GMR made representations regarding its privacy and security policies & procedures
• Representations that GMR implemented reasonable and appropriate security measures to prevent unauthorized access to personal information in audio and transcript files were false and misleading and constitute a deceptive act or practice
• Representations that GMR took reasonable measures to oversee its service providers to ensure the service providers implemented reasonable & appropriate security measures were false and misleading and constitute a deceptive act or practice
• GMR failed to use reasonable and appropriate measures to prevent unauthorized access to personal information; such practices caused or are likely to cause substantial injury to consumers, and the practice is an unfair act or practice.

GMR Transcription Services

• GMR is prohibited from misrepresenting the extent to which it maintains the privacy and security of personal information
• GMR must establish a comprehensive information security program that will protect consumers’ sensitive personal information
• GMR must have the security program evaluated initially and every 2 years by a certified third party
• The settlement agreement will be in force for 20 years
• This is the 50th data security case that the FTC has settled in the last 12 years

20-year settlement agreement:
• Can’t misrepresent the extent to which it uses, maintains, and protects the privacy, confidentiality, security or integrity of covered information collected from consumers
• Prominently disclose to consumers its practices for collecting, using, storing, disclosing or sharing health information before seeking authorization to collect health information from 3rd parties
• Obtain affirmative express consent before collecting health information from 3rd parties
• Destroy all covered information collected pursuant to an authorization signed before the settlement agreement
• Make available to the FTC documents relating to compliance with the order

Challenges to the FTC’s authority to oversee data breaches:
• LabMD says it is subject to HIPAA, so the FTC should MYOB
  • The 11th Circuit recently told LabMD it has to go through the administrative proceeding before the FTC before it can come to court
• Wyndham case – the trial court denied Wyndham’s motion to dismiss the FTC complaint arising out of a breach of Wyndham’s computer system. The denial of the MTD is on appeal in the 3rd Circuit.
• Section 5 and the “unfair acts” language does not extend to “unreasonable data security practices”
• The FTC hasn’t provided fair notice of what are reasonable security practices (i.e., there is no FTC analog to the HIPAA security rules).

State Attorneys General

California v. Kaiser Foundation

• $150,000 settlement payment
• Implement data security improvements – improve encryption policies, internal audit of the extent of employee access to sensitive personal information, and report audit results to the Attorney General
• Timely notification when there is a breach of the security of Kaiser’s system – 4 months is too long!
  • Provide notice on a rolling basis following discovery of a breach
  • Provide notice as soon as reasonably possible after identifying a portion of the total individuals affected by a breach

FL Information Protection Act

• Requires proper notice to be provided to affected consumers within 30 days unless good cause is shown for an additional 15-day delay;
• Requires proper notice to be provided to the AG for a breach affecting 500 or more individuals in Florida;
• Defines what information must be included in a proper notice;
• Expands the definition of personal information to include health insurance, medical information, financial information and online account information such as security questions and answers, email addresses and passwords;
• Expands the data breach statute to include state governmental entities and their instrumentalities;
• Requires businesses, state government entities, and third-party agents to take reasonable measures to protect data, including disposal of customer records;
• Requires the AG to provide an annual report to the Legislature regarding data breaches by governmental entities; and
• Authorizes enforcement actions under Florida’s Unfair and Deceptive Trade Practices Act for any statutory violations.
  • Burden of proof change: moving the statute to FDUTPA and away from the criminal code lowers the government’s burden of proof.

FL Information Protection Act

• Civil penalties could be imposed in the amount of $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period.
• Potential significant effect on Florida health care providers: currently HIPAA-covered entities have 60 days to notify individuals of a health information breach and may be able to avoid sending notice if they demonstrate that it is unlikely the information has been compromised.
  • However, under FIPA, to avoid notifying the patient, a health entity first has to consult with law enforcement.
  • The statute does state that notice provided in accordance with federal rules is deemed to be in compliance. That may help in situations where HIPAA does not require notice because there is a low probability that the information has been compromised.
• HIPAA-covered entities in Florida will need to update their breach policies to ensure compliance. This is a good time to strengthen existing privacy and security policies.
• Keep in mind that many entities that have PHI but are not HIPAA-covered entities will now have security compliance standards to follow. If your business has PHI (or PII) but is not a covered entity, FIPA may force you to significantly alter your business processes.

What does this mean?

• FIPA requires that affected individuals must be notified of the breach within thirty (30) days.
  • Much more stringent than the sixty (60) day HIPAA requirement for breach notification
• FIPA provides an exception: notify individuals in accordance with the HIPAA rules

Carsten v. University of Miami

• Negligence
  • Breach of the duty to protect and safeguard personal information and to provide timely notice of a breach of unencrypted PII
• Willful violation of the federal Fair Credit Reporting Act
  • Willful failure to maintain protections to protect consumer report information
• Negligent violation of the federal Fair Credit Reporting Act
• Violation of the Florida Deceptive and Unfair Trade Practices Act
  • UM held itself out as providing a secure online environment and protecting PII

Settlement Agreement:
• UM pays up to a total of $100,000 for all valid claims submitted
• UM pays up to $90,000 for attorneys’ fees, costs and expenses
• UM pays a $1,500 “incentive award” to the lead plaintiff
• Designate a Security Program lead to oversee PHI security
• Perform a risk assessment 1 year, 3 years, and 5 years after the settlement date
• Implement security measures to minimize risk to PHI
• Use reasonable measures to select and retain vendors capable of maintaining the security of PHI
• No admission of wrongdoing by UM

Curry v. AvMed (again)

• Negligence – breached the duty to safeguard sensitive information
• Breach of Contract – contractual obligation to comply with HIPAA and protect sensitive information
• Breach of Implied Contracts – implied contract obligating AvMed to protect information
• Restitution/Unjust Enrichment – a portion of monthly premiums was used for data security and AvMed failed to adopt data management and security measures mandated by industry standards
• Negligence Per Se – violation of § 395.3025
• Breach of Fiduciary Duty – AvMed was guardian of members’ sensitive information
• Breach of Implied Covenant of Good Faith/Fair Dealing – breach of the obligation to follow HIPAA

Faircloth v. Adventist Health Syst. – Theories in Complaint

• Breach of Contract
• Breach of Implied Contract
• Restitution/Unjust Enrichment
• Breach of Fiduciary Duty

• Lawyer referral services and chiropractors paid ER intake staff at the hospital to access the hospital system’s database to identify patients who presented to the hospital after being injured in car accidents
• Hospital employees involved in the scheme were not authorized to access the sensitive information of all of these patients

Faircloth v. Adventist Health Syst. – Case is Dismissed by Federal Court

• The court finds there is no subject matter jurisdiction – the claims are state law claims, and invoking violations of HIPAA does not confer federal jurisdiction
  • A state law claim in which HIPAA is implicated as part of an element does not arise under federal law.
• HIPAA does not provide a private right of action

• More litigation/enforcement from more sources:
  • OCR
  • FTC
  • State AGs enforcing HIPAA and state privacy laws
  • Class actions in state and federal courts
• Greater risk for covered entities, business associates, and subcontractors
  • Covered entities will look to business associates/subcontractors who are the cause of a data breach
• Better protection of the privacy and security of PHI?????

• Perform and document a risk analysis as required by the Security Rule (and update it periodically)
• Implement written policies and procedures to address risks identified in the analysis
• Make sure all HIPAA policies are up-to-date, i.e., satisfy the Omnibus Rule
• Make sure breach analysis and breach notification policies are current
• Identify all business associates and update your BAAs
• DOCUMENT, DOCUMENT, DOCUMENT!

• Keep current with emerging technologies and threats
• Train your employees about the importance of data security (paper and electronic)
• Train again!
• Insure against the risk – cyber risk insurance
• Have a breach response plan in place before something happens
  • Identify potential vendors in advance

• Evaluate your current policies and security measures for electronic personal information and update them as necessary;
• Develop new policies or update existing policies for identifying breaches and providing appropriate notification to affected individuals;
• Ensure that your company is using proper methods to destroy or dispose of personal information.

• Review and update your agreements with third party agents who maintain or transmit electronic personal information to address the new requirements of § 501.171, Florida Statutes, regarding notification of breaches suffered by the third party agent and what precautions the third party agent takes to safeguard and properly destroy data.
• Review your liability policies to determine what coverage is available in the event of a breach. The cost to respond to a data breach continues to climb and many insurers are revising their CGL policies to exclude coverage for data breaches. Separate cyber liability policies are available in the marketplace.
