By Tracey Drury, originally published in Buffalo Business First on Jul 11, 2019, 4:21am EDT.

Minimizing Legal Fallout from HIPAA Security Breaches

Photo caption: Christopher L. Hayes, an attorney for Phillips Lytle LLP.

Though it was a costly event, attorneys for Erie County Medical Center Corp. likely breathed a collective sigh of relief when they found out the trauma hospital’s cyber breach in 2017 did not expose any of its patients’ protected health information (PHI).

The last several years have seen a rise in individual and class-action lawsuits from those whose PHI was lost, stolen or accessed through cyber breach incidents. That’s because the Health Insurance Portability and Accountability Act (HIPAA) protects such information, which leaves the door open for litigation and compensation when data is exposed.

American Medical Collection Agency Inc., a collections firm contracted with Quest Diagnostics and LabCorp, exposed credit card and bank account details, as well as the Social Security numbers of 20 million individuals, during a hacking breach in 2018-2019. The class-action lawsuit includes more than 1,000 individual members.

Medical Informatics Engineering and NoMoreClipboard were sued by 12 state attorneys general last year after nearly 4 million individuals’ protected health information was exposed during a 2015 data breach. 

Breaches have become more common in health care.

According to a new Ponemon global survey of 322 cybersecurity professionals at health care firms, 50 percent reported at least one breach in the last two years.

The issue is relevant in Western New York, where health systems, hospitals, insurers and nonprofits have reported security breaches and incidents in recent years, several of which involved PHI exposure. 

They include The Arc of Erie County, which exposed the Social Security numbers and diagnosis codes of nearly 4,000 clients after a coding issue; and Independent Health, which accidentally emailed PHI of more than 7,600 members to another member this spring. 

So what do local health care organizations do to protect themselves?

Many align their practices and controls with industry standards from the National Institute of Standards and Technology, which go beyond basic HIPAA guidelines, said Christopher Hayes, special counsel in the data security and privacy group at Phillips Lytle LLP.

That’s because early HIPAA privacy rules and traditional practices have become outdated in some cases or aren’t sophisticated enough for today’s technology threats, he said. 

But health care companies also manage their vendors differently and train other people in the organization who might in some way touch or be exposed to member data. 

“Keep in mind that under the HIPAA framework, employee training was required. So this isn’t a new requirement, but now it’s starting to spread to ordinary, non-regulated business,” Hayes said.

“Companies now are working with third-party vendors for cloud technology services, so we introduce risk that might not otherwise exist,” he said. “Companies are continually managing those third-party relationships better, doing due diligence to make sure their contractors are meeting standards from a control and liability standpoint.”

There’s only so much risk management a company can put in place, since hackers and bad actors are going to find new ways to get into the system or trick someone into leaving an electronic back door open. If sensitive information gets out, there’s little the company can do to prevent a lawsuit.

Said Hayes: “It’s no longer OK to stick your head in the sand and either ignore the risk or say, ‘There’s nothing we can do.’ You have to be proactive about this and whatever your cyber security or information security framework is, we recommend it’s well thought out.”

Though BlueCross BlueShield of Western New York members have been affected by third-party security breaches, the local company has not been subject to any lawsuits. Still, it pays attention to what’s happening elsewhere to learn from others’ experiences.

Last month, the company partnered with the global organization Health-Information Sharing and Analysis Center to host a cybersecurity conference for regional security teams in the health care sector. The goal was to share ideas, experience and approaches on how best to mitigate cyber threats.

Russ Matuszak is BCBS vice president and chief compliance officer. He said companies have little choice these days but to pay attention to new cybersecurity regulations, put lots of training into the workforce and do the best job they can to protect member information.

“HIPAA breaches are a big deal and they have a significant impact to an organization,” he said. “It costs a lot of money when you’re dealing with those particular breaches. And as an organization, we’re good stewards of our members’ dollars. So it’s not just from a member perspective but from an organization perspective that we need to have appropriate tools in place.”

But the company recognizes that people may not recognize how serious it is or may see the annual training requirements as a burden. 

“We work hard to keep it engaging and relevant and work with third-party vendors and other entities in the health information area,” said Scott Morris, vice president and chief information security officer.