Several recent events, taken together, should give pause to any individual or company that is subject to an “associate agreement” or is a “covered entity” possessing PHI (as well as their respective attorneys).
1. Anchorage Community Mental Health Services (ACMHS) notified OCR of a breach of unsecured PHI caused by malware that compromised the security of its IT systems. The breach affected 2,743 individuals. Apparently, ACMHS had adopted security rules, policies and procedures in 2005, but under its Resolution Agreement with the government it was found that ACMHS had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its E-PHI. Aside from the various undertakings in the Resolution Agreement, ACMHS is subject to a $150K fine.
2. Sony Pictures Entertainment (SPE), the victim of a cyber-attack, has realized that based on the more than 200 GB of data that has already been released by the hackers, there have been more than 30,000 HR records compromised. Accordingly, Sony has released a notification letter that is extremely broad. The following language was included: “Although [SPE] is in the process of investigating the scope of the cyber-attack, SPE believes that the following types of personal identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security number, driver’s license number, passport number and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.”
HIPAA-HITECH breaches have now moved from employees improperly accessing and disseminating PHI, or the loss or theft of a laptop left in a car, to the vulnerabilities presented by the “rich targets” that major corporations offer hackers. I think it is fair to assume that the hackers’ primary target was not health records.
3. To further compound the problem, on November 11, 2013, the Connecticut Supreme Court ruled in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that HIPAA does not necessarily preclude a private action (brought by the victim or victims) for negligence on the part of the covered entity, and that the HIPAA regulations may (at least theoretically) be used in determining the applicable standard of care. Simply stated, a class action arising from a single violation of HIPAA (e.g. the loss or theft of a hard drive or thumb drive), or the mass dissemination of one person’s personal information over the internet after that person’s PHI was the subject of a single HIPAA breach, could subject the health provider or its associates to damages well beyond anything ever contemplated by HIPAA. In the former case, a class action by many thousands of individuals is a real possibility. In the latter case, imagine if the medical records of a single high-profile person, e.g. a famous executive or actor/actress, were obtained in violation of HIPAA and then disseminated on the internet. In either case, the legal fees and damages (as well as the settlement value) could be staggering.
Taken together, these three seemingly unrelated events point towards covered entities and their associates being held responsible for failing to adequately protect their PHI when malware enters their systems or their systems are hacked, at a time when even major corporations that devote significant resources to protecting their data can be hacked. In addition, the release of HR data that could easily implicate HIPAA could make these entities not only prime targets for hackers, but major marks for class-action or high-value negligence lawsuits.
It seems clear to me that the level of vulnerability, responsibility and accountability has recently risen to a higher degree of significance.