March 24, 2015
Healthcare Breaches: How to Respond
Recent healthcare breaches are a reminder that employers and insurers are legally required to take immediate, specific steps to tighten policies.
The news of a data breach at Premera Blue Cross, following on the heels of the recent announcements of large-scale, healthcare breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries and insurers need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management.
Health plans and their employers, administrators, insurers and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that are required by the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act and other potentially applicable laws.
Employers or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code and a host of other laws. Whether they are subject to the additional responsibilities depends on the scope of data affected and their involvement with the affected plans,
Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security or other federal or state laws. (See, e.g., Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons for Health Plans, Providers and Business Associates.)
The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The report of these and other healthcare breaches, as well as recent reports of identity theft and other fraud affecting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use and protection of sensitive personal and other data.
Of course, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities at virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.
Everyone from the Internal Revenue Service, other federal and state government agencies and private business partners are pushing for electronic transactions and data. So, businesses are conducting more and more transactions electronically containing business and individual tax information, personal financial information, personal health information, confidential business and personal information. Meanwhile, “big data” and other business and marketing gurus also encourage businesses to use data from customers, prospects and other sources to benefit marketing and other parts of the business.
As these practices have taken hold over the past decade, data breaches, other cyber crimes and risks have also grown. Privacy, identity theft and other cyber crimes have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations, including the Fair and Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act and state identity theft, data security and data breach and other electronic privacy and security laws.
As notorious breaches occur and judgments, penalties and other costs soar, federal and state regulators are looking at the need for expanded rules and penalties. (See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities and Statistics.) Widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and state regulators to hold hearings to consider the need for added reforms, and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.
While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.
The notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between Nov. 27 and Dec. 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before. The company announced plans to invest $100 million upgrading its payment terminals to support Chip-and-PIN-enabled cards and millions of dollars more in rectification efforts. Subsequently, Target’s losses have continued to mount, and it now faces lawsuits and other enforcement actions as a result of the breach.
Beyond a general need to tighten their defenses, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible, usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply.
Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have less-realized responsibilities. As health plan data often includes payroll and other tax data, employers, there may be specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws. Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, healthcare providers and others involved with the health plan.
In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to breaches. Businesses also should check the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever-vigilant for new requirements, as well as weaknesses in their own practices.
Businesses need to build their defenses in anticipation of breaches both to withstand government and private litigation and enforcement, and the judgment of public opinion.