© 2015 Oscislawski LLC
Lessons Learned from Civil and Criminal Cases Resulting From Health Care Data Breaches
presented by
Helen Oscislawski, Esq. January 28, 2016
NJ HIMSS/NJ HFMA
Long Branch, New Jersey
Connecting Healthcare with Legal Excellence (SM) © 2015 Oscislawski LLC
Big Data Breaches - By SIZE & Date

| Individuals Affected | Date | Org Name | Org Type |
|---|---|---|---|
| 80 Million | Jan 2015 | Anthem | Health Plan |
| 11 Million | March 2015 | Premera Blue Cross | Health Plan |
| 4.9 Million | Sept 2011 | TRICARE | Government Agency |
| 4.5 Million | July 2015 | UCLA Health System | Health Care System |
| 4.5 Million | July 2014 | Community Health | Hospital Operator |
| 4.03 Million | July 2013 | Advocate Health | Health Care System |
| 3.9 Million | May 2015 | Medical Informatics Engineering | EMR Vendor |
| 1.9 Million | Jan 2011 | HealthNet | Health Plan |
| 1.7 Million | Dec 2010 | NY City Health & Hospitals Corp | Health Care Network |
| 1.3 Million | July 2013 | Montana Dept Health | Government Agency |
| 1.22 Million | Dec 2009 | AV Med | Health Plan |
| 1.06 Million | Aug 2011 | Nemours Foundation | Health Care Foundation |
| 1.02 Million | Oct 2009 | BCBS Tennessee | Health Plan |
| 943,434 | Oct 2011 | Sutter Medical Foundation | Health Care Foundation |

Source: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=4

The same breaches tallied by year (number of breaches, total individuals affected); 2015 is dominated by Anthem:
• 2015 – 4 (99.4 Million)
• 2014 – 1 (4.5 Million)
• 2013 – 2 (5.33 Million)
• 2012 – 0
• 2011 – 4 (8.8 Million)
• 2010 – 1 (1.7 Million)
• 2009 – 2 (2.24 Million)
Big Data Breaches - By TYPE

| Individuals Affected | Date | Org Name | Org Type | Cause of Breach |
|---|---|---|---|---|
| 80 Million | Jan 2015 | Anthem | Health Plan | Cyberattack |
| 11 Million | March 2015 | Premera Blue Cross | Health Plan | Cyberattack |
| 4.9 Million | Sept 2011 | TRICARE | Government Agency | Lost backup tapes |
| 4.5 Million | July 2015 | UCLA Health System | Health Care System | Cyberattack |
| 4.5 Million | July 2014 | Community Health | Hospital Operator | Cyberattack |
| 4.03 Million | July 2013 | Advocate Health | Health Care System | Theft (unencrypted computers) |
| 3.9 Million | May 2015 | Medical Informatics Engineering | EMR Vendor | Cyberattack |
| 1.9 Million | Jan 2011 | HealthNet | Health Plan | Lost (unencrypted server drives) |
| 1.7 Million | Dec 2010 | NY City Health & Hospitals Corp | Health Care Network | Theft (unencrypted backup tapes) |
| 1.3 Million | July 2013 | Montana Dept Health | Government Agency | Cyberattack |
| 1.22 Million | Dec 2009 | AV Med | Health Plan | Theft (unencrypted laptops) |
| 1.06 Million | Aug 2011 | Nemours Foundation | Health Care Foundation | Lost (unencrypted backup tapes) |
| 1.02 Million | Oct 2009 | BCBS Tennessee | Health Plan | Theft (unencrypted hard drives) |
| 943,434 | Oct 2011 | Sutter Medical Foundation | Health Care Foundation | Theft (desktop computer) |

Source: http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches?page=4

Tally by cause:
• 6 Cyberattacks
• 5 Thefts (unencrypted devices)
• 3 "We Can't Find It" (lost media)
Case Examples & Resolution Agreements
(OCR Resolution Agreements; see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html)

1. July 16, 2008: Providence Health & Services ($100K)
2. January 16, 2009: CVS Pharmacy, Inc. ($2.25M)
3. July 27, 2010: Rite Aid Corporation ($1M)
4. December 13, 2010: MSO Washington, Inc. ($35K)
5. February 4, 2011: Cignet Maryland ($4.3M) [CMP]
6. February 14, 2011: General Hospital Corp. & Massachusetts General Physicians ($1.5M)
7. July 6, 2011: UCLA Health System ($865,500)
8. March 13, 2012: BCBS Tennessee ($1.5M)
9. April 13, 2012: Phoenix Cardiac Surgeons ($100K)
10. June 26, 2012: Alaska DHSS ($1.7M)
11. September 17, 2012: Mass Eye & Ear Associates ($1.5M)
12. December 31, 2012: Hospice of Northern Idaho ($50K)
13. May 21, 2013: Idaho State University ($400K)
14. June 13, 2013: Shasta Regional Medical Center ($275K)
15. July 11, 2013: WellPoint ($1.7M)
16. August 14, 2013: Affinity Health Plan ($1,215,780)
17. Dec 24, 2013: Adult/Pediatric Dermatology P.C. ($150K)
18. March 7, 2014: Skagit County, Washington ($215K)
19. April 22, 2014: QCA Health Plan Inc. ($250K)
20. April 22, 2014: Concentra Health Services ($1,725,220)
21. May 7, 2014: New York and Presbyterian Hospital ($3.3M)
22. May 7, 2014: Columbia University ($1.5M)
23. June 23, 2014: Parkview Health System ($800K)
24. Dec 2, 2014: Anchorage Community Mental Health ($150K)
25. April 22, 2015: Cornell Prescription Pharmacy ($125K)
26. June 10, 2015: St. Elizabeth Medical ($218,400)
27. August 31, 2015: Cancer Care Group ($750,000)

Summary:
• 7 years of HHS enforcement
• 27 cases (26 settlements)
• Over $27 Million collected
Enforcement Lessons Learned from OCR

• Encrypt laptops and mobile devices, including thumb drives!
  • Providence Health ($100K)
  • Hospice of Northern Idaho ($50K)
  • Mass Eye & Ear ($1.5M)
  • Alaska DHSS ($1.7M)
  • Concentra ($1.725M) (if you don't encrypt, document the alternative control used)
  • QCA ($250K)
• Dispose of PHI properly, including wiping ePHI from leased copiers!
  • CVS ($2.25M)
  • Rite Aid ($1M)
  • Affinity Health ($1.2M) (purge ePHI from copiers & devices!)
  • Parkview Health System ($800K) (don't leave PHI in driveways!)
• Don't take PHI off-site!
  • General Hospital Corp. & Massachusetts General Physicians ($1.5M)
• Enter into Business Associate Agreements with vendors who store or secure your PHI!
  • BCBS Tennessee ($1.5M)
  • Phoenix Cardiac Surgeons ($100K)
Enforcement Lessons Learned (continued)

• Perform and update Security Risk Assessments, especially with system upgrades
  • BCBS Tennessee ($1.5M)
  • Idaho State University ($400K)
  • WellPoint ($1.7M)
  • Columbia ($1.5M) / NY Presbyterian ($3.3M)
  • Anchorage ($150K) (don't run outdated software, and don't fail to apply patches)
• Ensure you have control policies over your devices and media
  • Cancer Care Group ($750K)
• Apply Minimum Necessary to disclosures within your organization!
  • Shasta Regional Medical Center ($275K)
• Train and sanction employees, including executives
  • Shasta Regional Medical Center ($275K)
• CORRECT violations!
  • Cignet Maryland ($4.3M)
  • UCLA ($865,500)
• Cooperate with OCR!
  • Cignet Maryland ($4.3M)
• Have written policies, and implement them effectively
  • Providence Health ($100K)
  • CVS ($2.25M)
  • Rite Aid ($1M)
  • MSO Washington ($35K)
  • Cignet Maryland ($4.3M)
  • General Hospital Corp. & Massachusetts General Physicians ($1.5M)
  • UCLA ($865,500)
  • BCBS Tennessee ($1.5M)
  • Phoenix Cardiac Surgeons ($100K)
  • Alaska DHSS ($1.7M)
  • Mass Eye & Ear ($1.5M)
  • Hospice of Northern Idaho ($50K)
  • Adult/Pediatric Dermatology ($150K)
  • Shasta Regional Medical Center ($275K)
  • WellPoint ($1.7M)
  • Affinity Health ($1.2M)
  • Skagit County ($215K)
Lawsuits
Causes of Action ("civil" lawsuits)
• Federal Law
  • HIPAA
  • Fair Credit Reporting Act
  • "Wiretap Act"
• State Law
  • Tort
  • Breach of Contract
  • Strict Liability
• Class Actions
HIPAA

"Patients cannot sue for violations of HIPAA. The HIPAA statute does not provide a private right of action for individuals to sue under."
HIPAA as the "Standard of Care"?
• At least 10 states (Delaware, Connecticut, Kentucky, Maine, Minnesota, Montana, North Carolina, Tennessee, Utah, West Virginia) have published judicial decisions and precedent supporting that a court may at least look to HIPAA when considering the relevant standard of care for state privacy violation claims brought by individuals.
• In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court went one step further and concluded that HIPAA regulations can establish the standard of care in certain situations!
Byrne v. Avery Center for Obstetrics and Gynecology, P.C.
• Facts: Emily Byrne asked Avery Center for Obstetrics and Gynecology not to provide her PHI to her significant other (a HIPAA Request for Restriction). The Center received a subpoena from her significant other's attorneys in a paternity suit and promptly turned over the information, without alerting the patient or fighting the subpoena in court.
• Byrne sued Avery Center for negligence, but a lower court ruled that HIPAA preempted the negligence suit. Byrne then appealed.
• Holding: In November 2014, the Connecticut Supreme Court overruled the lower court and, pointing to language in the preamble to the final HIPAA rule, permitted the privacy lawsuit based on state law to go forward. HIPAA does not preempt state-law causes of action.
• Impact: A de facto right of action under HIPAA, which could subject health care providers to more lawsuits for breaching patient confidentiality.
Walgreens
• Walgreen Co. v. Abigail E. Hinchy, N.E.3d 99 (Ind. Ct. App. 2014) (rehearing denied Jan. 15, 2015).
• The pharmacist was married to the plaintiff's ex-boyfriend at the time she looked at the plaintiff/customer's prescription records and shared them with her then-husband.
• Walgreens disciplined the pharmacist, but did not terminate her.
• Plaintiff alleged: (1) Walgreens failed to appropriately train the pharmacist; (2) negligence (with HIPAA as the standard of care) and invasion of privacy; and (3) respondeat superior. The jury agreed!
• The jury awarded $1.44 million to the customer/plaintiff on July 26, 2013.
• Walgreens appealed, but the court DENIED rehearing on Jan. 15, 2015.
Healthcare Breach Class Actions
• Advocate Health & TRICARE: so far, class actions are generally being dismissed for failure to show actual sustained damages or harm. This tracks other commercial breaches that resulted in class action suits.
• Exceptions:
  • Charleston Medical Center in West Virginia: the state Supreme Court overruled the lower court and certified the class despite no showing of damages.
  • AvMed settled for $3 Million with 1.2 Million individuals from its 2009 breach (Florida).
  • Stanford Hospital & Clinics plus 2 Business Associates settled with 20,000 patients for $4 Million over a 2011 breach.
Developments on the Horizon
• Premera: at least 5 class actions filed.
• Anthem: class actions filed in Alabama, California and Indiana. Arguments range from "overpaid premium" (Anthem did not use the money to implement appropriate security safeguards) to "imminent danger" of identity theft. Note the lack of encryption and the prior incident (a 2012 breach).
• MIE (Medical Informatics Engineering): class actions started being filed over the summer (e.g., a July 30 filing in Indiana).
Premera - Four Causes of Action

#1 Negligence
• Must show that an entity:
  • (1) had a duty to the plaintiff,
  • (2) breached that duty,
  • (3) the plaintiff suffered damages, and
  • (4) the entity's acts caused the damage.
• The Complaint states that Premera had a "duty" to keep the plaintiffs' personal information secure as the provider of health coverage to the plaintiffs. Premera breached this duty by failing to secure its IT systems, and this failure directly caused the plaintiffs' damages related to improper disclosure of health information.
#2 Bailment
• "Bailment" is actionable when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver it when the purpose has been fulfilled (i.e., "I'm giving you my stuff with the expectation that I'll get it back in the same condition.").
• The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it. Premera breached its bailment by failing to protect the information, which resulted in the data breach.
#3 Breach of Contract
• The Complaint alleges that Premera's Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary's health information.
• It is unclear whether the court will accept the argument that an NPP is actually a contract between a covered entity and individuals. HOWEVER, the fact that such arguments are being raised underscores that NPPs should be carefully drafted.
#4 Washington State Data Breach Claim
• The Complaint alleges that Premera violated the Washington State data breach notification requirements of RCW 19.255.010.
• Unlike HIPAA, affected individuals may bring claims for violations of this statute.
• Among the requirements of RCW 19.255.010 is to disclose data breaches in the most "expedient" time possible and without "unreasonable delay." The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.
Other Things to Worry About
• State statutes sometimes allow recovery (e.g., California provides for $1,000 per person for breaches even if no damages are shown).
• HITECH Amendment: patients "harmed" by a breach are to be entitled to a percentage of the penalty collected by HHS.
Thank you. Any questions?
Helen Oscislawski, Esq.
Principal, Attorneys at Oscislawski LLC
609-835-0833