Increased Enforcement and Litigation Risk for Data Breaches Involving Protected Health Information
HIPAA and HITECH have long been high-priority concerns for health care and life sciences organizations. But recent developments in HIPAA enforcement and data breach litigation raise the threat level for every company that handles protected health information (PHI).
On the enforcement front, on February 1, 2018, HHS's Office for Civil Rights (OCR), which enforces the HIPAA privacy, security, and breach notification rules, announced a $3.5 million settlement with Fresenius Medical Care North America to resolve several potential HIPAA violations. In 2013, Fresenius filed five breach reports with HHS, each arising from the theft of unencrypted laptops, desktops or USB drives, and each at a different Fresenius facility. What is notable about the settlement is the dollar figure relative to the number of individuals whose data was exposed: Fresenius agreed to pay the fifth-highest HIPAA penalty to date for violations exposing the PHI of only 521 individuals across all five incidents. By contrast, a recent $2.3 million settlement with 21st Century Oncology, Inc. involved a hack that exposed more than 2.2 million individuals' PHI. The Fresenius settlement also requires the company to perform a complete risk analysis; revise its policies and procedures governing device, media and facility access; train its workforce on the revised policies and procedures; and develop and implement a risk management plan. The lesson for practitioners is that the penalty tracked the repeated failure of a basic control rather than the headcount of affected individuals: had the stolen devices been encrypted in line with HHS guidance, the PHI on them would not have been "unsecured" and the thefts would not have been reportable breaches at all. The size of the settlement for the exposure of so few individuals' PHI reflects a clear priority at HHS that HIPAA-regulated entities take seriously the abundant exposure risks they face.
On the litigation front, the first and best defense for defendants sued over data breaches remains a challenge to the plaintiffs' standing, but cracks in that wall are widening, most notably in breaches involving exposure of PHI. In an August 1, 2017 decision in Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), the D.C. Circuit allowed a class action to proceed that alleged exposure of PHI but no actual identity theft stemming from the stolen data. The court held that the increased risk of identity theft resulting from the breach makes the injury to the individual sufficiently imminent to confer standing at the motion-to-dismiss stage. Importantly, the court found that the breach created a risk significant enough to satisfy the standing requirement based solely on the theft of health insurance subscriber ID numbers, even though no Social Security or credit card numbers were exposed. While not addressed in the decision, the plaintiffs argue in their opposition to the petition for a writ of certiorari that, regardless of any risk of identity theft, the alleged violations of HIPAA and HITECH standing alone can establish standing.
With daily reports of data breaches involving PHI, organizations in the health care and life sciences industries should reduce their potential liability by thoroughly assessing and reassessing their exposure, beginning with the enterprise-wide risk analysis the Security Rule already requires, and by proactively implementing risk reduction plans that address the recurring failure modes, such as unencrypted portable devices and media, that these cases illustrate.