Lessons from Breach Street: What you can learn from recent HIPAA enforcement actions
Jeffery P. Drummond, Jackson Walker L.L.P., 2323 Ross Ave., Suite 600, Dallas, Texas 75201
[email protected] • 214-953-5781 • www.hipaablog.blogspot.com


Page 1: Jackson Walker L.L.P. 2323 Ross Ave., Suite 600 Dallas, Texas … · 2017. 8. 25. · Lessons from Breach Street: What you can learn from recent HIPAA enforcement actions Jeffery

Lessons from Breach Street: What you can learn from recent HIPAA enforcement actions

Jeffery P. Drummond
Jackson Walker L.L.P.
2323 Ross Ave., Suite 600
Dallas, Texas 75201
[email protected] • 214-953-5781
www.hipaablog.blogspot.com

Page 2: A brief history of HIPAA

• 1996: HIPAA statute passes
• 2000/2001: Privacy Rule published
• 2003: Privacy Rule enforceable, Security Rule published
• 2005: Security Rule enforceable
• 2009: HITECH Act passes, initial regulations passed
• 2013: HITECH “omnibus rule”

Page 3: “HITECH” Act and Omnibus Rule Provisions

• New Data Breach Rules
  – “unsecured” PHI is the key
• Standard Exceptions:
  – Wrong person at the right covered entity
    • Workforce member access in good faith
    • Person authorized to access PHI generally
  – Recipient not reasonably likely to retain PHI
• General Exception:
  – Was “no substantial harm”
  – Now “low risk of compromise”

Page 4: Older Breaches: The Classics

Page 5: Sony Pictures

• 11/14: Ransom-style hack
• Stolen & released info
  – movie scripts, emails, salary lists, >47,000 SSN
• Attributed to North Korea (The Interview)
• At least $41 MM investigation and remediation

Page 6: Target

• 12/13: Email hack on HVAC vendor
• Skimming technology on POS
  – 40 million credit card numbers, CVVs
  – 70 million cardholder names, addresses, etc.
• 46% ↓ in Dec. profits
• $291 MM expenses related to breach ($90 MM insurance) (2016 10-K)

Page 7: Home Depot

• Third party vendor hacked
• Another POS skimming attack
  – 56 million credit & debit accts
  – 53 million emails
• $261 MM expenses related to breach ($100 MM insurance) (2016 10-K)

Page 8: Ashley Madison

• Life is short. Have an affair.®
• 32 million affected members
  – Email addresses, account details
• Suicides (actual damages)

Page 9: Older HIPAA Breaches

• Anthem (2015)
  – Hackers gained “Admin” access by successfully phishing several people in the IT department; 80 million individuals’ information compromised
  – $115 Million settlement in June 2017
• Affinity Health Plans (2010 breach, 2013 fine)
  – Old copiers sold without clearing hard drives
  – $1.2 Million fine
• Sutter Health (2011 breach)
  – A thief breaks a window with a rock and steals a desktop computer with 4.3 million patients’ data

Page 10: Older HIPAA Breaches

• Raleigh Orthopaedic Clinic (2013)
  – Contractor hired to convert film to digital actually stole films to extract silver content
  – Failed to have a BAA in place (wouldn’t have helped)
  – $750,000 fine
• University of Washington Medicine (2015)
  – Employee downloads malware
  – Covered Entity doesn’t have risk assessment
  – $750,000 fine

Page 11: New Breaches

Page 12: Recent HIPAA Breaches

• Care New England (2013/2017)
  – Integrated delivery system’s MSO lost backup tapes
  – Fined specifically for no HITECH-updated BAA with the (related entity) MSO
  – $400,000
• Moral of the Story:
  – Update your BAAs (like it’s 2013)
  – Make sure you have BAAs, even with related entities

Page 13: Recent HIPAA Breaches

• Metro Community (2012/2017)
  – Phishing attack exposes PHI
  – Corrective actions taken, but no initial risk analysis
  – $400,000
• Moral of the Story:
  – Do an initial risk analysis
  – If you did one, do another one; just in case....

Page 14: Recent HIPAA Breaches

• Children’s Medical Center (Dallas) (2009/2017)
  – Lost Blackberry in 2009, stolen laptop in 2013, neither encrypted
  – Lack of risk management plans (despite hiring consultants to give good advice)
  – $3.2 Million (failed to respond to proposed fine)
• Moral of the Story:
  – If you hire consultants, you must do as they say
  – Work with OCR and be responsive

Page 15: Recent HIPAA Breaches

• Presence Health (2013/2017)
  – Paper OR schedules go missing 10/22
  – Presence sends notification 1/31–2/5 (101–106 days)
  – $475,000 (coulda been $400 million; each day is a violation)
• Moral of the Story:
  – Once you determine it’s a breach, start sending notices
  – Rule isn’t even that “you have 60 days,” but you definitely don’t have any MORE than 60 days.

Page 16: Recent HIPAA Breaches

• Children’s Digestive Health (2015/2017)
  – BA: FileFax; longtime doc. mgmt/destruction vendor
  – Dumpster-diver found documents
  – No BAA; $31,000 (small matter, small fine)
• Moral of the Story:
  – Getting BAAs may require analysis of old relationships
  – Children’s had zero responsibility for the breach or connection to the discovery, but that’s who OCR could go after

Page 17: Recent HIPAA Breaches

• Memorial (FL) Healthcare System (2011/2017)
  – Affiliated physician staffs accessing wrong PHI
  – Departed employees’ access continued to be used
  – Had policies, failed to implement and audit
  – $5.5 Million
• Moral of the Story:
  – Having policies is only good if you implement them
  – Employees can be your biggest problem
  – Control the other providers you let access your data
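The Memorial slide describes two audit failures that are cheap to catch when the access log is actually compared against HR and affiliate records. The script below is an added example, not from the presentation or from any real covered entity: it walks constructed EHR access log lines and flags (a) accounts used on or after their owner's termination date, (b) affiliated-provider accounts reaching patients outside their assigned list, and (c) accounts that no roster owns at all. The roster, assignments, log format and field names are all assumptions constructed for illustration.

```python
"""
Added example, not from the presentation: an audit over constructed EHR access
log lines to catch the failure modes on the Memorial slide, accounts of
departed employees still being used and affiliated-provider accounts reaching
patients they were never assigned. Roster, assignments and log lines are all
constructed; the field layout and names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: username -> termination date (None = still employed).
ROSTER = {
    "jdoe": date(2017, 3, 1),
    "asmith": None,
    "bwong": date(2017, 5, 15),
}

# Constructed affiliate assignments: the patient IDs each affiliated
# physician-practice account is permitted to view.
AFFILIATE_PATIENTS = {
    "ext_clinicA": {"P100", "P101"},
}

# Constructed access log: date, account, action, patient ID.
LOG_LINES = """\
2017-02-20 jdoe VIEW P100
2017-03-02 jdoe VIEW P205
2017-04-10 asmith VIEW P205
2017-05-20 bwong EXPORT P300
2017-05-20 ext_clinicA VIEW P101
2017-05-21 ext_clinicA VIEW P999
2017-06-01 svc_old VIEW P100
"""


@dataclass(frozen=True)
class Finding:
    day: date
    account: str
    patient: str
    reason: str


def parse_line(line):
    """Split one constructed log line into its four fields."""
    day, account, action, patient = line.split()
    return date.fromisoformat(day), account, action, patient


def audit(log_text, roster=ROSTER, affiliates=AFFILIATE_PATIENTS):
    """Return one Finding per access that neither the roster nor the
    affiliate assignments justify, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        day, account, _action, patient = parse_line(raw)
        if account in roster:
            term = roster[account]
            if term is not None and day >= term:
                findings.append(Finding(day, account, patient, "access after termination"))
        elif account in affiliates:
            if patient not in affiliates[account]:
                findings.append(Finding(day, account, patient, "affiliate outside assigned patients"))
        else:
            # Nobody in HR or the affiliate list owns this account: orphaned credential.
            findings.append(Finding(day, account, patient, "account not in any roster"))
    return findings


if __name__ == "__main__":
    for f in audit(LOG_LINES):
        print(f"{f.day} {f.account:12} {f.patient:6} {f.reason}")
```

Run on the constructed log this reports four findings: the departed user `jdoe` the day after termination, `bwong` exporting records after leaving, the affiliate account touching an unassigned patient, and an orphaned service account. The useful design point is that the audit needs the HR feed as an input; a policy that says "disable accounts on departure" cannot be verified from the access log alone.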

Page 18: Recent HIPAA Breaches

• CardioNet (2012/2017)
  – First wireless service provider breach (but breach was a stolen laptop)
  – Insufficient risk analysis/management
  – $2.5 Million
• Moral of the Story:
  – Do a good risk analysis, and be able to prove it
  – OCR loves novelty

Page 19: Recent HIPAA Breaches

• Memorial Hermann (2015/2017)
  – Staff reported ID card fraud to law enforcement
  – Named patient in press release
  – $2.4 Million
• Moral of the Story:
  – You can obey the law, even if it’s unpopular
  – If you do any more, be EXTRA careful
  – Defending yourself can be problematic

Page 20: Recent HIPAA Breaches

• CareFirst BCBS (Maryland) (2014/2017)
  – Hacker infiltrated CareFirst’s subscriber database
  – Subscribers notified timely
  – No OCR action, but subscribers sued (class action)
  – Court did not dismiss: risk of future injury is enough
• Moral of the Story:
  – Even if you survive OCR, you can still be sued
  – Class action lawyers keep class-actioning

Page 21: Ransomware

Page 22: Ransomware

• Attacks on the rise
• Malware used to extract ransom payment in exchange for unblocking an asset that belongs to the victim
• Crypto-ransomware (cryptor) encrypts the victim’s files and data; decryption can only be accomplished by use of the decryption key
• Decryption key provided, sometimes, after payment of ransom

Source: Kaspersky.com

Page 23: Preventing Ransomware

• Educate
  – Phishing and spear-phishing
• Regularly back up and verify restorability
  – Backup to offline subsystem
• Protect all systems and devices
  – System mapping vital to recovery
• Use and maintain security software
  – Regularly patch applications and operating systems
  – Update security application and its anti-malware database
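"Regularly back up and verify restorability" is the one item on this slide that is routinely claimed and rarely tested. The script below is an added example, not from the presentation or from any backup product: it records a SHA-256 manifest of a source tree at backup time and later checks a restored tree against that manifest, reporting files that are missing, unexpected, or whose contents changed. The sample tree and both restores are constructed in a temporary directory so the script runs offline; the helper names are mine.

```python
"""
Added example, not from the presentation: "regularly back up and verify
restorability" as a check you can actually run. build_manifest() records a
SHA-256 per file for a source tree; verify_restore() compares a restored tree
against that manifest and reports missing, extra and corrupted files. The
sample tree and the two restores are constructed in a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(name for name in manifest
                       if name in restored and restored[name] != manifest[name])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def demo():
    """Constructed scenario: one faithful restore and one that silently lost a
    file and truncated another, which is exactly what an unverified backup hides."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "notes").mkdir(parents=True)
        (src / "charts.csv").write_text("P100,ok\nP101,ok\n")
        (src / "notes" / "a.txt").write_text("note a\n")
        manifest = build_manifest(src)  # store this apart from the backup media itself

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "notes" / "a.txt").unlink()            # file never made it back
        (bad / "charts.csv").write_text("P100,ok\n")  # truncated on the way back

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("faithful restore:", good_result)
    print("broken restore:  ", bad_result)
```

The manifest is the piece that must live on the offline subsystem the slide mentions, separate from the backup media: if ransomware can reach the backups it can reach a manifest stored beside them, and a restore test against a manifest it could have rewritten proves nothing.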

Page 24: OCR’s (incorrect) Guidance on Ransomware

• July 2016, OCR issues “Guidance” via a “Fact Sheet” on HIPAA obligations in a ransomware situation
• “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
• In most ransomware attacks, there is no possession or control taken by the attacker (although control removed from owner)
• Be forewarned, though: this is OCR’s position.

Page 25: Breach Planning: What to do before and after

Page 26: Before A Breach

• Know your legal requirements (HIPAA and others)
• Know your data, threats, risks and vulnerabilities
  – Risk Analysis
  – Policies and Procedures
  – Train Your Employees
  – Be Prepared for a Breach (BIRT)
  – Audit and Assess
• Consider Cyberliability Insurance

Page 27: Risk Analysis Components

• Know what data matters
• Know where your data resides
• Know how your data moves
• Know your vulnerabilities, threats, and risks
• Analyze and prioritize
• Execute current fixes and plan for future ones
• Lather, rinse, repeat

Page 28: After a Breach

• Deploy BIRT:
  – Corrective measures
  – Contact legal counsel
  – Contact PR company
  – Contact insurer
  – Data breach notifications
  – Credit monitoring/call centers

Page 29: After a Breach

• Prepare for lawsuits and investigations
• Learn from mistakes that caused breach
• Learn from mistakes made reacting to it
• Re-conduct a risk analysis

Page 30: Questions?

Page 31: Lessons from Breach Street: What you can learn from recent HIPAA enforcement actions

Jeffery P. Drummond
Jackson Walker L.L.P.
2323 Ross Ave., Suite 600
Dallas, Texas 75201
[email protected] • 214-953-5781
www.hipaablog.blogspot.com