
© 2015 Oscislawski LLC

Lessons Learned from Civil and Criminal Cases Resulting From Health Care Data Breaches

presented by Helen Oscislawski, Esq.
January 28, 2016
NJ HIMSS/NJ HFMA, Long Branch, New Jersey


Connecting Healthcare with Legal ExcellenceSM © 2015 Oscislawski LLC

Big Data Breaches - By SIZE & Date

Individuals Affected | Date       | Org Name                        | Org Type
80 Million           | Jan 2015   | Anthem                          | Health Plan
11 Million           | March 2015 | Premera Blue Cross              | Health Plan
4.9 Million          | Sept 2011  | TRICARE                         | Government Agency
4.5 Million          | July 2015  | UCLA Health System              | Health Care System
4.5 Million          | July 2014  | Community Health                | Hospital Operator
4.03 Million         | July 2013  | Advocate Health                 | Health Care System
3.9 Million          | May 2015   | Medical Informatics Engineering | EMR Vendor
1.9 Million          | Jan 2011   | HealthNet                       | Health Plan
1.7 Million          | Dec 2010   | NY City Health & Hospitals Corp | Health Care Network
1.3 Million          | July 2013  | Montana Dept Health             | Government Agency
1.22 Million         | Dec 2009   | AV Med                          | Health Plan
1.06 Million         | Aug 2011   | Nemours Foundation              | Health Care Foundation
1.02 Million         | Oct 2009   | BCBS Tennessee                  | Health Plan
943,434K             | Oct 2011   | Sutter Medical Foundation       | Health Care Foundation

Source: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=4

Breaches per year (number of incidents, individuals affected):

• 2015 – 4 (99.4 Million)
• 2014 – 1 (4.5 Million)
• 2013 – 2 (5.33 Million)
• 2012 – 0
• 2011 – 4 (8.8 Million)
• 2010 – 1 (1.7 Million)
• 2009 – 2 (2.24 Million)


Big Data Breaches - By TYPE

Individuals Affected | Date       | Org Name                        | Org Type               | Cause of Breach
80 Million           | Jan 2015   | Anthem                          | Health Plan            | Cyberattack
11 Million           | March 2015 | Premera Blue Cross              | Health Plan            | Cyberattack
4.9 Million          | Sept 2011  | TRICARE                         | Government Agency      | Lost backup tapes
4.5 Million          | July 2015  | UCLA Health System              | Health Care System     | Cyberattack
4.5 Million          | July 2014  | Community Health                | Hospital Operator      | Cyberattack
4.03 Million         | July 2013  | Advocate Health                 | Health Care System     | Theft (unencrypted computers)
3.9 Million          | May 2015   | Medical Informatics Engineering | EMR Vendor             | Cyberattack
1.9 Million          | Jan 2011   | HealthNet                       | Health Plan            | Lost (unencrypted server drives)
1.7 Million          | Dec 2010   | NY City Health & Hospitals Corp | Health Care Network    | Theft (unencrypted backup tapes)
1.3 Million          | July 2013  | Montana Dept Health             | Government Agency      | Cyberattack
1.22 Million         | Dec 2009   | AV Med                          | Health Plan            | Theft (unencrypted laptops)
1.06 Million         | Aug 2011   | Nemours Foundation              | Health Care Foundation | Lost (unencrypted backup tapes)
1.02 Million         | Oct 2009   | BCBS Tennessee                  | Health Plan            | Theft (unencrypted hard drives)
943,434K             | Oct 2011   | Sutter Medical Foundation       | Health Care Foundation | Theft (desktop computer)

Source: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=4

Breakdown by cause:

• 6 Cyber Attacks
• 5 Thefts (unencrypted devices)
• 3 “We Can’t Find it” (lost)


Case Examples & OCR Resolution Agreements
(see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html)

1. July 16, 2008: Providence Health & Services ($100K)
2. January 16, 2009: CVS Pharmacy, Inc. ($2.25M)
3. July 27, 2010: Rite Aid Corporation ($1M)
4. December 13, 2010: MSO Washington, Inc. ($35K)
5. February 4, 2011: Cignet Maryland ($4.3M) [CMP]
6. February 14, 2011: Gen Hospital & Mass General Phys ($1.5M)
7. July 6, 2011: UCLA Health System ($865,500K)
8. March 13, 2012: BCBS Tennessee ($1.5M)


9. April 13, 2012: Phoenix Cardiac Surgeons ($100K)
10. June 26, 2012: Alaska DHSS ($1.7M)
11. September 17, 2012: Mass Eye & Ear Associates ($1.5M)
12. December 31, 2012: Hospice of Northern Idaho ($50K)
13. May 21, 2013: Idaho State University ($400K)
14. June 13, 2013: Shasta Regional Medical Center ($275K)
15. July 11, 2013: WellPoint ($1.7M)
16. August 14, 2013: Affinity Health Plan ($1,215,780)
17. Dec 24, 2013: Adult/Pediatric Dermatology P.C. ($150K)
18. March 7, 2014: Skagit County, Washington ($215K)


19. April 22, 2014: QCA Health Plan Inc. ($250K)
20. April 22, 2014: Concentra Health Services ($1,725,220)
21. May 7, 2014: NY and Presbyterian Hospital ($3.3M)
22. May 7, 2014: Columbia University ($1.5M)
23. June 23, 2014: Parkview Health System ($800K)
24. Dec 2, 2014: Anchorage Comm. Mental Health ($150K)
25. April 22, 2015: Cornell Prescription Pharm ($125K)
26. June 10, 2015: St Elizabeth Medical ($218,400)
27. August 31, 2015: Cancer Care Group ($750,000)

Summary:

• 7 years of HHS Enforcement
• 27 cases (26 settlements)
• Over $27 Million Collected


Enforcement Lessons Learned from OCR

Encrypt laptops and mobile devices, including thumb drives!

• Providence Health ($100K)
• Idaho Hospice ($50K)
• Mass Ear/Eye MDs ($1.5M)
• Alaska DHSS ($1.7M)
• Concentra ($1.725M) (if you don’t encrypt, document the alternative used)
• QCA ($250K)

Dispose of PHI properly, including wiping leased copiers of ePHI!

• CVS ($2.25M)
• Rite Aid ($1M)
• Affinity Health ($1.2M) (purge ePHI from copiers & devices!)
• Parkview Health System ($800K) (don’t leave PHI in driveways!)

Don’t take PHI off-site!

• Gen Hospital Corp. & Mass Gen MD Org ($1.5M)

Enter into BA Agreements with vendors who store or secure your PHI!

• BCBS Tennessee ($1.5M)
• AZ Cardiologists ($100K)


Enforcement Lessons Learned (con’t)

Perform and Update Security Risk Assessments, especially with system upgrades

• BCBS Tenn ($1.5M)
• Idaho State Univ ($400K)
• Wellpoint ($1.7M)
• Columbia ($1.5) / NY Presbyterian ($3.3M)
• Anchorage ($150K) (don’t run outdated software, and don’t fail to apply patches)

Ensure you have Control Policies over your Devices and Media

• Cancer Care

Apply Minimum Necessary to disclosures within your organization!

• Shasta Medical

Train & Sanction Employees, including executives

• Shasta Medical ($275K)

CORRECT Violations!

• Cignet Maryland ($4.3M)
• UCLA ($865K)

Cooperate with OCR!

• Cignet Maryland ($4.3M)


Enforcement Lessons Learned (con’t)

Have written Policies, and implement them effectively

• Providence Health ($100K)
• CVS ($2.25M)
• Rite Aid ($1M)
• MSO Washington ($35K)
• Cignet Maryland ($4.3M)
• General Hospital Corp. & Massachusetts General Physicians ($1.5M)
• UCLA ($865,500K)
• BCBST ($1.5M)
• AZ Cardiac MDs ($100K)
• Alaska DHSS ($1.7M)
• Mass MDs ($1.5M)
• Idaho Hospice ($50K)
• A&P Dermatology ($150K)
• Shasta ($275)
• Wellpoint ($1.7M)
• Affinity ($1.2M)
• Skagit ($275K)


Lawsuits


Causes of Action (“civil” lawsuits)

• Federal Law
  • HIPAA
  • Fair Credit Reporting Act
  • “Wiretap Act”
• State Law
  • Tort
  • Breach of Contract
  • Strict Liability
• Class Actions


HIPAA

“Patients cannot sue for violations of HIPAA. The HIPAA statute does not provide a private right of action for individuals to sue under.”


HIPAA as the “Standard of Care”?

• At least 10 states (Delaware, Connecticut, Kentucky, Maine, Minnesota, Montana, North Carolina, Tennessee, Utah, West Virginia) have published judicial decisions and precedent supporting that a court may at least look to HIPAA when considering the relevant standard of care for state privacy violation claims brought by individuals.

• In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court went one step further and concluded that HIPAA regulations can establish the standard of care in certain situations!


Byrne v. Avery Center for Obstetrics and Gynecology, P.C.

• Facts: Emily Byrne asked Avery Center for Obstetrics and Gynecology not to provide her PHI to her significant other (HIPAA’s Request for Restriction). The Center received a subpoena from her significant other’s attorneys in a paternity suit, and promptly turned over the information without alerting the patient or fighting the subpoena in court.

• Byrne sued Avery Center for negligence, but a lower court ruled that HIPAA preempted the negligence suit. Byrne then appealed.

• Holding: In November 2014, the Connecticut Supreme Court overruled the lower court and pointed to language in the preamble to the final HIPAA rule to permit privacy lawsuits based on State Law to go forward. HIPAA does not preempt state-law causes of action.

• Impact: A de facto right of action under HIPAA, which could subject health care providers to more lawsuits for breaching patient confidentiality.


Walgreens

• Walgreen Co. v. Abigail E. Hinchy, N.E. 3d 99 (Ind. Ct. App 2014) (rehearing denied Jan 15 2015).

• The pharmacist was married to the plaintiff’s boyfriend at the time she looked at the plaintiff/customer’s prescription records and shared them with her then-husband, who was also the plaintiff/customer’s ex-boyfriend.

• Walgreens disciplined the pharmacist, but did not terminate her.

• Plaintiff alleged: (1) Walgreens failed to appropriately train the pharmacist; (2) Negligence (HIPAA is a standard of care) and Invasion of Privacy; and (3) Respondeat Superior – and the jury agreed!

• Jury awards $1.44 million to the customer/plaintiff, July 26, 2013.

• Walgreens appeals, but the court DENIES rehearing on Jan 15, 2015.


Healthcare Breach Class Actions

• Advocate Health & TRICARE – so far, class actions are generally being dismissed for failure to show actual sustained damages or harm. Tracking other commercial breaches that resulted in class action suits.

• Exceptions:
  • Charleston Medical Center in West Virginia: the State Supreme Court overruled and certified the class despite no showing of damages.
  • AvMed settles for $3 Million with 1.2 Million individuals from the 2009 breach (Florida).
  • Stanford Hospital & Clinics + 2 Business Associates settle with 20,000 patients for $4 Million due to a 2011 breach.


Developments on the Horizon

• Premera – At least 5 class actions filed.

• Anthem – Class actions filed in Alabama, California and Indiana. Arguments range from “overpaid premium” (Anthem didn’t use the money to implement appropriate security safeguards) to “imminent danger” of identity theft. Note the lack of encryption and the prior incidents (2012 breach).

• MIE (Medical Informatics Engineering) – Class actions started being filed over the summer (e.g., July 30 filing in Indiana).


Premera - Four Causes of Action

#1 Negligence

• Must show that an entity:
  (1) had a duty to the plaintiff,
  (2) the entity breached the duty,
  (3) the plaintiff suffered damages, and
  (4) the entity’s acts caused the damage.

• The Complaint states that Premera had a “duty” to keep the plaintiffs’ personal information secure as the provider of health coverage to the plaintiffs. Premera breached this duty by failing to secure its IT systems, and this failure directly caused the plaintiffs’ damages related to improper disclosure of health information.


Premera - Four Causes of Action

#2 Bailment

• “Bailment” is actionable when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled (i.e., “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”).

• The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it. Premera breached its bailment by failing to protect the information, which resulted in the data breach.


Premera - Four Causes of Action

#3 Breach of Contract

• The Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information.

• It is unclear whether the court will accept the argument that an NPP is actually a contract between a covered entity and individuals. HOWEVER, the fact that such arguments are being raised underscores that NPPs should be carefully drafted.


Premera - Four Causes of Action

#5 Washington State Data Breach Claim

• The Complaint alleges that Premera violated the Washington State data breach notification requirements of RCW 19.255.010.

• Unlike HIPAA, affected individuals may bring claims for violations of this statute.

• Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.


Other Things to Worry About

• State Statutes – sometimes allow recovery (e.g., CA provides for $1,000/person for breaches even if no damages are shown).

• HITECH Amendment – patients “harmed” by a breach are entitled to a % of the penalty collected by HHS.


Thank you. Any questions?

Helen Oscislawski, Esq.

Principal, Attorneys at Oscislawski LLC

[email protected]

609-835-0833