Data security and breach notification issues continue to grab headlines, most recently in connection with the data breach announced by Equifax. Regulatory scrutiny is currently underway, with the Federal Trade Commission (FTC) taking the unusual step of publicly announcing that the agency is investigating the breach. State attorneys general in virtually every state have also launched investigations or, in the case of Massachusetts, already filed suit.
While these matters are in progress, regulators including the FTC, the Department of Health and Human Services Office of Civil Rights (OCR) — the agency responsible for enforcing the HIPAA rules for protected health information (PHI) — and state attorneys general have issued guidance and announced a number of settlements in data security cases that are instructive about measures that organizations can take to reduce the potential for a data breach or, if a breach does occur, provide appropriate notice. The FTC and state AG actions typically involve allegations of unfair or deceptive acts or practices, although violations of breach notification or other laws also can be involved. OCR actions are for violations of the HIPAA regulations.
FTC Data Security Guidance and Enforcement Actions
On August 15, the FTC announced a settlement with Uber to resolve allegations that the ride-share service failed to keep privacy promises that it made about limiting access to personal information by its employees and the reasonableness of its data security practices. According to the FTC, Uber stored data in the cloud and all “engineers that accessed the cloud storage service used a single access key that provided full administrative privileges over everything Uber stored there, failed to restrict access based on employees’ job functions, failed to require multi-factor authentication for access, and stored sensitive information in clear, readable — in other words, unencrypted — text.”
The FTC also faulted the company for allegedly not having reasonable security training and guidance or a written information security program until September 2014. Prior to that time, the FTC alleges that “an intruder used an access key an Uber engineer had publicly posted on a code-sharing site to access the names and driver’s license numbers of 100,000 Uber drivers, as well as some bank account information and Social Security numbers” and the company did not detect the breach for four months.
The settlement agreement would prohibit Uber from misrepresenting its practices, and would require the company to implement a comprehensive information security program and obtain independent biennial assessments of its security program.
In an effort to provide more guidance to organizations, particularly small businesses, about what constitutes reasonable security, the FTC has begun a series of blog posts by Tom Pahl, the Acting Director of the FTC’s Bureau of Consumer Protection, on different data security topics. The blog series, “Stick with Security,” is intended to supplement the FTC’s previously published “Start with Security” guide. Examples of topics addressed since the blog series began in July include: the importance of putting controls in place to keep security measures current and assessing vulnerabilities as they arise; securing paper records, physical media and devices; making sure that service providers implement reasonable security measures; network segmentation; security as part of new product development; and other insights from FTC information security investigations. The guidance is written at a high level, but the issues it raises are drawn from the FTC’s experience in prior investigations. Failure to take the types of controls and practices recommended in the guidance into account could have negative consequences if an organization were to experience a breach and subsequently be subject to an FTC inquiry.
State Attorney General Actions
In May, it was announced that 47 states and the District of Columbia had reached an $18.5 million settlement with Target to resolve state claims arising out of the retailer’s 2013 data breach, which involved more than 41 million payment cards and exposed contact information for more than 60 million customers. The breach occurred after cybercriminals accessed a Target server using credentials stolen from a third-party vendor.
The settlement, which is the largest state data breach monetary settlement to date, also requires Target to develop, implement and maintain a comprehensive information security program; to employ an executive or officer who is responsible for executing the plan; and to hire an independent, qualified third party to conduct a comprehensive security assessment. The settlement also requires the company to take other operational measures regarding encryption, segmenting credit card data from other information on its network and controlling access to its computer network (including certain password policies and two-factor authentication for certain accounts).
State attorneys general also bring actions over failures to provide timely notice once a data breach has occurred. On June 15, for example, New York Attorney General Eric Schneiderman announced a settlement with CoPilot Provider Support Services Inc. to resolve allegations that the company improperly delayed notice to more than 220,000 consumers by more than a year. The FBI opened an investigation in mid-February 2016 at the company’s request. Breach notices, however, were not sent until “more than one year after CoPilot learned of the breach.”
CoPilot attributed the delay to the law enforcement investigation, but the New York AG found that the FBI had not requested the delay in notification and, as a result, CoPilot failed to provide notice in a timely manner. The company agreed to pay $130,000 and reform its breach notification practices to settle the matter, including documenting any future law enforcement hold requests in writing.
The Department of Health and Human Services Office of Civil Rights (OCR)
The OCR has been among the most active regulators this year in terms of data security and data breach enforcement actions, having announced eight actions with penalties totaling more than $17 million. OCR’s enforcement authority in the breach space is limited to covered entities and business associates subject to the HIPAA privacy, security and breach notification rules. Even organizations that are not subject to HIPAA, however, can learn from OCR’s enforcement actions because, like the FTC’s enforcement actions, the underlying facts of the case often are at least as informative as the terms of the settlement agreement.
The Importance of Access Controls and Audit Log Reviews
Memorial Healthcare Systems (announced February 16) resulted in a $5.5 million settlement, following a breach of the PHI of 115,143 individuals that occurred when an unauthorized individual utilized the “login credentials of a former employee of an affiliated physician’s office.” Per OCR, these login credentials had been used “on a daily basis without detection” for approximately a year. Central to OCR’s analysis was the fact that Memorial “failed to implement [its existing] procedures with respect to reviewing, modifying and/or terminating users’ right of access.” OCR also cited Memorial’s failure to “regularly review records of information system activity on applications that maintain electronic [PHI] by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses” previously conducted.
The Importance of Encryption for Electronic Devices
Children’s Medical Center of Dallas (announced February 1), which resulted in a $3.2 million civil penalty, stemmed from two separate breach reports, each involving the loss or theft of unencrypted devices with the PHI of approximately 6,262 individuals. OCR cited a number of deficiencies in Children’s HIPAA compliance, including “a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media.”
OCR made clear its expectation here that the hospital should have utilized encryption on such devices, noting that “[d]espite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.”
The Importance of Written Policies
CardioNet (announced April 24) agreed to pay $2.5 million to resolve OCR claims relating to the theft of an unencrypted laptop containing the electronic PHI of 1,391 individuals from a parked vehicle outside an employee’s home in January 2012. OCR faulted CardioNet for “insufficient risk analysis and risk management processes” as well as having policies for compliance with the HIPAA security rule that were in draft form and had not been implemented. OCR also alleged that CardioNet was “unable to produce any final policies or procedures regarding the implementation of safeguards for electronic PHI, including those for mobile devices.”
The Importance of Taking Care When Disclosing Information
Memorial Hermann Health System (MHHS) (announced May 10) agreed to pay $2.4 million to resolve OCR claims that the health system violated HIPAA by identifying a patient by name in a September 2015 press release after the individual was arrested for allegedly presenting a fraudulent identification card to MHHS. OCR also faulted MHHS for failing to promptly sanction those, including senior management, responsible for the press release.
The Importance of Risk Management Plans (and Keeping Your Promises to Your Regulator)
MAPFRE Life Insurance Company of Puerto Rico (announced January 18) reached a $2.2 million settlement that was predicated on a breach involving a stolen flash drive with the PHI of 2,209 individuals. The OCR’s investigation revealed several deficiencies in the company’s security program, including “a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media.” OCR also noted that the company had “failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.” A significant portion of OCR’s analysis focuses on the lack of implementation of safeguards, especially those the company had previously identified and indicated that it would take.
The Importance of Timely Breach Reporting
Presence Health (announced January 9) was OCR’s first action for the untimely reporting of a breach. Although Presence did ultimately comply with the HIPAA breach reporting requirements, the belated reports were approximately 41 days past due, resulting in a $475,000 penalty. One notable quote from OCR’s announcement of this resolution agreement reveals just how serious the agency considered this delay to be: “With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.” In other words, it seems that it is OCR’s opinion that $475,000 was a low settlement amount — and that a higher amount would have been justified — given the delay in reporting.
The Importance of Risk Assessments
Metro Community Provider Network (MCPN) (announced April 12) agreed to pay $400,000 to resolve OCR claims relating to a January 2012 phishing incident that resulted in hackers compromising employee email accounts and obtaining the electronic PHI of about 3,200 individuals. OCR found that MCPN failed to conduct a risk assessment until after the phishing incident and, as a result, had “not implemented any corresponding risk management plans.” OCR also found that the risk assessments subsequently conducted were “insufficient” to meet MCPN’s obligations under the Security Rule.
The Importance of Day-to-Day Operational Controls
In the St. Luke’s-Roosevelt Hospital Center matter (announced May 23), OCR had received a complaint in September 2014 alleging that a staff member impermissibly faxed a patient’s PHI to the patient’s employer rather than sending it to a post office box as had been requested. The fax included sensitive PHI including information pertaining to HIV status, sexually transmitted disease, medications, mental health diagnosis, physical abuse and other information about the individual’s care.
As a result of its investigation, OCR determined that approximately nine months prior to this errant fax, staff also had erroneously faxed the PHI of another patient to an office where that patient volunteered. The settlement consisted of a fine of $387,200 and a three-year corrective action plan requiring St. Luke’s to revise its policies and procedures and train its staff. The case underscores the importance of safeguarding PHI as part of day-to-day operations.
Data security and data breach responses by organizations that have experienced a breach of personal information are, and will continue to be, a major issue for organizations large and small. Learning the lessons from regulatory guidance and enforcement actions, while not a guarantee, can help mitigate the potential for a future data breach and, in cases where a breach does occur, minimize the potential for an enforcement action as a result of the breach.
***** Kevin Coy is a partner in the Privacy Practice at Arnall Golden Gregory in Washington, DC. He focuses his practice on advising privacy-sensitive organizations on domestic and international privacy law and policy matters concerning a wide range of personal information. He may be reached at firstname.lastname@example.org or 202-677-4034.
The views expressed in the article are those of the author and not necessarily the views of his clients or other attorneys in his firm.