9.1.1 Gaps in Protection

Yet Schefter and ESPN actually hadn’t violated the federal law. “HIPAA doesn’t apply to media who obtain medical records of others,” said Michael McCann, legal analyst for Sports Illustrated. “Invasion of privacy does, but 1st Amendment offers a good legal defense”—particularly in cases involving public figures.

HIPAA’s protections are limited—more so than most people realize. HIPAA and its cousin, the Health Information Technology for Economic and Clinical Health (HITECH) Act, are “downstream” data protection models, as described by Nicolas P. Terry, executive director of the Center for Law at Indiana University. “[W]hile upstream data protection models limit data collection, downstream models primarily limit data distribution after collection,” writes Terry.⁵ HIPAA/HITECH apply specifically to “covered entities” involved in the treatment and payment for healthcare services. They extend by contract to these entities’ “business associates.” The data by itself is not protected. Once health information escapes the confines of this very specific list of organizations—say, because of a data breach—there is little a patient can do to stop others from buying, selling, trading, or using it.

5. Nicholas P. Terry, “Big Data Proxies and Health Privacy Exceptionalism,” Health Matrix 24 (2014): 66.

In Florida, Pierre-Paul sued ESPN and Schefter, citing violations of the Florida medical privacy statute. However, the defendents pointed out that “Florida’s medical privacy law does not apply to the general public, including members of the media—it does not, as Plaintiff contends, essentially impose a world-wide prior restraint on the speech of any person who allegedly learns some medical information from a Florida-based health care provider.”⁶ The district court concurred.

6. Jason Pierre-Paul v. ESPN, Inc, No. 1:16-cv-2156 (S.D. Fla. 2016), http://thesportsesquires.com/wp-content/uploads/2014/05/307369385-Espn-s-Finger.pdf.

Pierre-Paul himself knew better than to accuse Schefter and ESPN of inappropriately reporting the fact of his amputation, proactively acknowledging that the information may have been “of legitimate public concern.” However, he alleged that “the Chart itself was not,” and that the publication of the actual photo from his medical record was an invasion of privacy.

“If the hospitalization of a public figure constituted authorization for the publication of that person’s medical records, then the right to privacy would be non-existent,” wrote Pierre-Paul’s legal team in court documents. “Indeed, public figures would hesitate to seek medical treatment, or be less likely to share certain information with health care professionals, out of fear that hospital personnel would sell their medical records to those who want to profit from the publication thereof (as ESPN did here), thereby negatively impacting their health.” Ultimately, Pierre-Paul and ESPN settled out of court, leaving several questions from their case unresolved.

9.1.2 Data Breach Perspectives

For Jackson Memorial Hospital, the Pierre-Paul disclosure was shameful, illegal, and cost two employees their jobs. For Schefter, tweeting Pierre-Paul’s medical information was considered by many to be accurate, timely, and relevant journalism—particularly given the importance of Pierre-Paul’s medical condition to his high-profile, public role. Regarding the photo of Pierre-Paul’s medical chart, Schefter said, “[I]n a day and age in which pictures and videos tell stories and confirm facts, in which sources and their motives are routinely questioned . . . this was the ultimate supporting proof.”⁷

7. Kevin Draper, “Jason Pierre-Paul Is Suing ESPN Because Its Reporting Was Too Accurate,” Deadspin, September 8, 2016, https://deadspin.com/jason-pierre-paul-is-suing-espn-because-its-reporting-w-1785963477.

In other words, the definition of a “data breach,” and the repercussions that follow, depend not just on what specific data was leaked but where it came from and how it came to be disclosed. Typically, there is a path of disclosure along which successive custodians—some authorized, some not—obtain and transfer protected data. In many cases, the path looks more like a tree because a single custodian may transfer the data to many others.

The question of who is an authorized or unauthorized custodian is tricky. A hospital might consider a third-party IT provider to be an authorized custodian, even though a patient might object. In some cases, the good of the public or a third party might outweigh the importance of the data subject’s privacy. The law often differs from the expectations of individuals along the path. As we will see, as data gets passed along, it can often seem like a game of telephone, where each data custodian imposes slightly different rules on the next party, and no one truly seems to be in control.

This has strange and confusing implications for data breach management. The same data may be exposed by two different organizations, but because they each have different relationships with the data subject, one is a data breach and one is not (as in the case of Jason Pierre-Paul, Jackson Memorial Hospital, and ESPN). Responders need to carefully consider not just how to respond to a data breach but whether a specific event “counts” as a data breach at all. When it comes to health information, this has become a very complicated question.

In this chapter, we’ll begin by covering the digitization of health information, which has paved the way for an increasing number of data breaches. We’ll touch on relevant parts of the HIPAA/HITECH regulations, which define prevention and response requirements for certain types of health-related breaches. (For simplicity, the discussion in this chapter is focused primarily on the U.S. HIPAA/HITECH laws, but many of the same issues apply to health data protection regulations in other jurisdictions.)

Later in this chapter, we’ll discuss the way data can escape from HIPAA/HITECH regulation or bypass it in the first place. We’ll analyze challenges specific to the healthcare environment that contribute to the risk of data breaches, including complexity, vendor-managed equipment, a mobile workforce, and the emergence of the cloud. Finally, we’ll enumerate the negative impacts of a breach and show how lessons learned from handling medical errors can help us resolve data breaches, too.

9.2.1 Data Smorgasbord

Healthcare organizations store almost every kind of sensitive information imaginable: Social Security numbers (SSNs), billing data, credit card numbers, driver’s license numbers (and often high-resolution scans of IDs), insurance details, and, of course, medical records. In fact, healthcare providers are an excellent source of “fullz” (see § 5.3.1) since they tend to store a wide range of identification information, financial data, and contact details all in one place.

“The medical record is the most comprehensive record about the identity of a person that exists today,” says Robert Lord, founder of Protenus, which offers privacy monitoring software for healthcare organizations.¹¹

11. Mariya Yao, “Your Electronic Medical Records Could Be Worth $1000 to Hackers,” Forbes, April 14, 2017, https://www.forbes.com/sites/mariyayao/2017/04/14/your-electronic-medical-records-can-be-worth-1000-to-hackers/#4be095ad1856.

Criminals can split up the information contained within medical records and sell different pieces separately. For example, “[o]n the underground market forum AlphaBay, the user Oldgollum sold 40,000 medical records for $500 but specifically removed the financial data, which was sold separately,” reported McAfee Labs in 2016. “Oldgollum is essentially double-dipping to get the most from both markets.” McAfee’s team pointed out that the price of medical data is “highly variable,” in part because sellers can break up stolen data and sell the pieces for different purposes.¹²

12. C. Beek, C. McFarland, and R. Samani, Health Warning: Cyberattacks are Targeting the Health Care Industry (Santa Clara: McAfee, 2016), https://www.mcafee.com/us/resources/reports/rp-health-warning.pdf.

When the health insurance giant Anthem reported a breach of 78.8 million records in 2015, the stolen data included “names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data.” Anthem was careful to report that no evidence indicated that “medical information such as claims, test results, or diagnostic codes were targeted or obtained.”¹³ Even so, the company was hit with a record $115 million settlement for the ensuing class-action lawsuit. The settlement fund was established to cover costs of credit monitoring and out-of-pocket expenses for victims.¹⁴

13. Anthem, “Statement Regarding Cyber Attack against Anthem,” press release, February 5, 2015, https://www.anthem.com/press/wisconsin/statement-regarding-cyber-attack-against-anthem.

14. Beth Jones Sanborn, “Landmark $115 Million Settlement Reached in Anthem Data Breach Suit, Consumers Could Feel Sting,” Healthcare IT News, June 27, 2017, http://www.healthcareitnews.com/news/landmark-115-million-settlement-reached-anthem-data-breach-suit-consumers-could-feel-sting.

Anthem is a prime example that illustrates how healthcare providers and business associates are on the hook not just for potential breach of health data, but also the identification and financial data that is typically bundled with it.

Due to the volume and value of the data that healthcare providers hold, they must contend with many of the same risks as financial institutions and government agencies—plus, they carry the additional risk of handling extensive volumes of personal health data.

9.2.2 A Push for Liquidity

Health data has become increasingly “liquid,” stored in compact, structured formats that facilitate transfer and analysis. Once upon a time, healthcare providers stored your information in filing cabinets and accessed it when needed for treatment purposes. Now your data has been converted to electronic bits and bytes.

In the past two decades, healthcare has witnessed a technology revolution. Today, health-care providers’ computer systems are increasingly interconnected; many people have access to health-related data for purposes of treatment, cost/risk analysis, or medical research. Data is copied over and over, scattered throughout the world, often without the knowledge of the care provider, let alone the patient.

The digitization of personal health data and widespread adoption of electronic medical record (EMR) systems set the stage for large health data breaches. In 2009, the U.S. government passed the HITECH Act, which provided strong financial incentives for shifting to electronic systems. Beginning on January 1, 2015, healthcare providers were required to demonstrate “meaningful use” of EMR systems in order to maintain their Medicare reimbursement levels. As a result, many clinics rushed to transition from paper to electronic records in order to meet deadlines—and overlooked security.

When the HITECH Act passed, technology advocates celebrated, saying that electronic health records could save “tens of billions of dollars each year from reduced paperwork, faster communication and the prevention of harmful drug interactions.” Data mining could also lead to better decision making and treatment.¹⁵

15. Robert O’Harrow Jr., “The Machinery Behind Health-Care Reform,” Washington Post, May 16, 2009, http://www.washingtonpost.com/wp-dyn/content/article/2009/05/15/AR2009051503667.html.

“Finally, we’re going to have access to millions and millions of patient records online,” said Harvard professor and physician Blackford Middleton—a statement that undoubtedly sent chills down the spine of any cybersecurity professional who read his quote in the Washington Post.¹⁶ Nearly a decade later, the digitization of health records has spurred the development of groundbreaking healthcare technologies—and eroded the privacy of hundreds of millions of data breach victims.

16. O’Harrow, “Machinery Behind Health-Care Reform.”

9.2.3 Retention

Medical records stick around. While there are no universal guidelines for medical record retention, most states have a minimum retention requirement of five to ten years.¹⁷ It is safe to say, however, with the conversion from paper to electronic format, many care providers have little incentive to clean out their file repositories. Indeed, with the emergence of the big data analytics industry, many organizations retain personal health data indefinitely since it can be sold or traded for valuable goods and services.

17. Health Information & the Law, Medical Record Retention Required Health Care Providers: 50 State Comparison, accessed January 17, 2018, http://www.healthinfolaw.org/comparative-analysis/medical-record-retention-required-health-care-providers-50-state-comparison.

9.2.4 A Long Shelf Life

Stolen health data can be useful for years after a breach—even a lifetime. “The value of a medical record endures far beyond that of a card,” says Douville. So can the harm, as illustrated by the case of “Frances.”

“PPL WORLD WIDE,” announced a Facebook post in January 2014. “FRANCES . . . IS HPV POSITIVE!” The posting included Frances’s full name and date of birth, “along with the revelation that she had human papillomavirus, a sexually transmitted disease that can cause genital warts and cancer,” reported NPR. “It also . . . ended with a plea to friends: ‘PLZ HELP EXPOSE THIS HOE!’”¹⁸

18. Charles Ornstein, “Small Violations of Medical Privacy Can Hurt Patients and Erode Trust,” NPR, December 10, 2015, http://www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust.

Poor Frances had been treated at a local hospital, where a technician who knew her had access to her record and posted her diagnosis on Facebook. After Frances reported the incident to the nursing supervisor, the hospital sent her a letter of apology. But for Frances, the damage was done: “It’s hard to even still deal with it,” she said. “I’ll spend that extra gas money to go into another city to do grocery shopping or stuff like that, just so I don’t have to see anybody from around the neighborhood.”¹⁹

19. Ornstein, “Small Violations.”

Once stolen, health information can’t be changed or quickly devalued like other forms of data. You can change your payment card number after a data breach, but you can’t change your medical records.

In short, a data breach involving personal health information can come back to haunt patients for their entire lives.

9.3.1 Protecting Personal Health Data

Our instinct to protect the privacy of health information goes back to the very founding of Western medicine. For more than two thousand years, physicians have sworn to keep patient health information secret. The earliest versions of the Hippocratic Oath included the line:

“Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.”²⁰

20. Michael North trans., “The Hippocratic Oath,” National Library of Medicine, 2002, https://www.nlm.nih.gov/hmd/greek/greekoath.html.

The obligation to protect patient confidentiality remains today and is explicitly included in the AMA Code of Medical Ethics and similar documents used by medical schools.

At the same time, personal health information can be valuable for researchers, employers, and society at large—as well as media outlets, data brokers, and businesses seeking to make a profit. Greater connection and access to medical records can lead to better treatment for patients, but it has also introduced grave privacy concerns.

In 1997, the secretary of the U.S. Department of Health and Human Services (HHS), Donna E. Shalala, gave an impassioned—and timely—speech at a National Press Club luncheon:²¹

21. “Health Care Privacy,” C-SPAN video, 53:05 min, posted, July 31, 1997, https://www.c-span.org/video/?88794-1/health-care-privacy&start=1629.

Until recently, at a Boston-based HMO, every single clinical employee could tap into patients’ computer records and see detailed notes from psycho-therapy sessions. In Colorado, a medical student copied countless health records at night and sold them to medical malpractice attorneys looking to win easy cases. And, in a major American city, a local newspaper published information about a congressional candidate’s attempted suicide. Information she thought was safe and private at a local hospital. She was wrong.

What about the rest of us? When we give a physician or health insurance company precious information about our mood or motherhood, money or medication, what happens to it? As it zips from computer to computer, from doctor to hospital, who can see it? Who protects it? What happens if they don’t?

. . . We are at a decision point. Depending on what we do over the next months, these revolutions in health care, communications, and biology could bring us great promise or even greater peril. The choice is ours. We must ask ourselves, will we harness these revolutions to improve, not impede, our health care? Will we harness them to safeguard, not sacrifice, our privacy? And will we harness these revolutions to strengthen, not strain, the very life blood of our health care system, the bond of trust between a patient and a doctor?

The fundamental question before us is: Will our health records be used to heal us or reveal us? The American people want to know. As a nation, we must decide.

Secretary Shalala presented recommendations for protecting healthcare information, which were based upon five key principles:

• Boundaries: Health information should be used for health purposes, with a few carefully controlled exceptions.

• Security: Entities that create, store, process, or transmit health information should take “reasonable steps to safeguard it” and ensure it is not “used improperly.”²²

  22. U.S. Department of Health and Human Services, “Testimony of Secretary of Health and Human Services, September 11, 1997,” ASPE, February 1, 1998, https://aspe.hhs.gov/testimony-secretary-health-and-human-services-september-11-1997.

• Consumer Control: Individuals should have access to their personal health records, including the ability to review the content and access records, and the ability to correct any errors.

• Accountability: Entities that misuse or fail to properly safeguard personal health information should be held accountable, through “real and severe penalties for violations . . . including fines and imprisonment.”

• Public Responsibility: Personal health information can and should be disclosed in a controlled manner for the purposes of public health, research, and law enforcement purposes.

The balance between security and public disclosure has been particularly tricky, as we will see in the sections on deidentification and reidentification.

Ultimately, due to the efforts of Secretary Shalala and many others, the HIPAA Security Rule and Privacy Rule were issued and became the foundation for health information security, privacy, and breach response in the United States.

9.3.2 HIPAA Had “No Teeth”

The HIPAA Security Rule went into effect on April 1, 2005 (or a year later for smaller entities). It required all covered entities to establish administrative, technical, and physical controls designed to safeguard the security of PHI. This sounded good, but in practice, HIPAA was not effectively enforced. Moreover, it carried no requirement to notify affected persons in the event of a data breach. As a result, healthcare breaches were common but rarely reported or even discussed outside tight-knit information security circles.

In this section, we’ll discuss the impact of HIPAA on data breach preparation and response, from the period between 2005 and 2009 (prior to the implementation of the HITECH Breach Notification Rule). This will set the stage for discussing the impacts of the rule in the next section.

9.3.3 The Breach Notification Rule

That changed in 2009, with passage of the HITECH Act. Among other things, HITECH introduced the HIPAA Breach Notification Rule.³⁰ An interim rule was released in 2009 and finalized with the release of the Omnibus HIPAA Rulemaking in early 2013. The final rule includes the definition of a “breach,” explicit notification requirements, and (in some cases) public disclosure requirements.

30. 45 C.F.R. §§164.400–414.

9.3.3.3 The Wall of Shame

The HITECH Act requires the HHS secretary to “post a list of breaches of unsecured protected health information affecting 500 or more individuals.”³³ The list is currently posted as a searchable web application, which lists (among other things) the name of each covered entity, breach submission date, number of individuals affected, and a brief summary of the breach. Now, in addition to financial penalties and potential media attention, organizations that experience a breach are immortalized on what security professionals colloquially referred to as the “Wall of Shame,” as shown in Figure 9-1.

33. U.S. Department of Health and Human Services, “Cases Currently Under Investigation,” Office for Civil Rights, accessed October 14, 2016, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

9.3.4 Penalties

The HITECH Act also requires HHS to issue a dramatic increase in financial penalties for violations and to impose penalties for willful neglect. “Prior to the enactment of the HITECH Act, the imposition of [civil money penalties] under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year,” advised the law firm McGuire Woods in a legal alert. “[T]he amount of the penalty increases with the level of culpability, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year.”³⁵ (Note that the penalties were further increased over time.)

35. McGuire Woods, “HIPAA Omnibus Final Rule Implements Tiered Penalty Structure for HIPAA Violations,” McGuire Woods Legal Alert, February 14, 2013, https://www.mcguirewoods.com/Client-Resources/Alerts/2013/2/HIPAA-Omnibus-Final-Rule-Implements-Tiered-Penalty-Structure-HIPAA-Violations.aspx.

The HITECH Act establishes four categories of culpability:

• Unknowing

• Reasonable cause

• Willful neglect - corrected within 30 days of discovery

• Willful neglect - not corrected within 30 days of discovery

There are also four corresponding tiers of penalties, which increase based on the level of culpability. “Our observation has been that HHS tends to give bigger fines when people are not trying. You’d better be trying, or you’re going to get in big trouble,” said Michael Ford, information security officer for the Boston Children’s Hospital.³⁶

36. Michael Ford, interview by the author, June 20, 2017.

The Office for Civil Rights (OCR), charged with actually conducting investigations and levying fines, met with shocking pushback in one of its first investigations. Cignet Health of Temple Hills, Maryland, was reported to the OCR after refusing to release the medical records of 41 patients, in accordance with HIPAA requirements. Moreover, when the OCR contacted Cignet to investigate, “They failed to appear, they ignored us, they refused to engage with us to have us understand why they were doing this,” said OCR Director Georgina Verdugo. The agency bestowed Cignet Health with the dubious honor of the first HIPAA fine to be imposed on a covered entity, announced on February 22, 2011: $4.3 million total, which included $1.3 million for failing to release the patient medical records, and a whopping $3 million because “Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that . . . failure to cooperate was due to Cignet’s willful neglect to comply with the privacy rule.”³⁷

37. “HHS Imposes a $4.3 Million Civil Money Penalty for Violations of the HIPAA Privacy Rule,” Business-Wire, February 22, 2011, https://www.businesswire.com/news/home/20110222006911/en/HHS-Imposes-4.3-Million-Civil-Money-Penalty.

Just two days later, the OCR announced a settlement agreement with Massachussetts General Hospital, which required the hospital to pay $1 million after an employee left documents containing PHI on the subway.³⁸ The OCR said in its press release:

38. Shannon Hartsfield Salimone, “HIPAA Enforcement Escalates: What Does This Mean for the Health-care Industry?” ABA Health eSource 7, no. 8 (April 2011), https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1104_salimone.html.

We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.³⁹

39. Chester Wisniewski, “HIPAA Fines Prove the Value of Data Protection,” Naked Security by Sophos, February 25, 2011, https://nakedsecurity.sophos.com/2011/02/25/hipaa-fines-prove-the-value-of-data-protection.

By 2016, the media was reporting that the OCR had “stepped up its enforcement activities in recent years” and had become “more aggressive in enforcing HIPAA regulations.” In 2016 alone, the agency received payments in excess of $22 million, including a record $5.5 million penalty on Advocate Health System for three data breaches that affected millions of patients.

“When you start seeing multiple-million-dollar fines . . . you get the feeling there’s teeth there,” said Ford.⁴⁰

40. Ford interview.

9.3.5 Impact on Business Associates

The HITECH Act dramatically changed the requirements for “business associates” of covered entities. Suddenly, attorneys, IT firms, and vendors around the country were themselves required to comply with HIPAA security and privacy rules, report breaches of PHI to the covered entities that they served, and make sure that any subcontractors they leveraged were contractually obligated to do the same.

It was an important leap forward for patient privacy—but the estimated 250,000 to 500,000 business associates of covered entities were not ready. According to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) in December 2009: “[B]usiness associates, those who handle private patient information for healthcare organizations—including everyone from billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription vendors—are largely unprepared to meet the new data breach-related obligations included in the HITECH Act.”⁴¹

41. HIMSS Analytics and ID Experts, Evaluating HITECH’s Impact on Healthcare Privacy and Security (Burlington, VT: HIMSS Analytics, November 2009), https://web.archive.org/web/20111112031528/ http://www.himssanalytics.org/docs/ID_Experts_111509.pdf.

In fact, many business associates had no idea that they were suddenly required to adhere to this new regulation. The HIMSS study revealed that “[o]ver 30 percent of business associates surveyed did not know the HIPAA privacy and security requirements have been extended to cover their organizations.”⁴²

42. HIMSS Analytics and ID Experts, Evaluating HITECH’s Impact.

At the time, HIMSS found that more than half of the healthcare entities surveyed said that they would “renegotiate their business associate agreements” as a result of the HITECH Act, and nearly half “indicated that they would terminate business contracts for violations.” However, in the years immediately following passage of the HITECH Act, business associates were rarely subjected to audits, and oversight was limited.

9.4.1 Trading Breached Data

In the United States, health information is protected by HIPAA only when it is in the hands of a “covered entity” or “business associate.” News outlets such as ESPN, for example, aren’t included, as the vignette at the beginning of the chapter showed.

While the legality of leveraging stolen data is questionable at best, the lack of global legal standardization means that there are many jurisdictions where U.S. data protection laws simply would not apply. Furthermore, an increasingly complex web of data brokers facilitates data laundering, which can enable stolen data to reenter legitimate markets. See Chapter 2, “Hazardous Material,” for details.

9.4.2 Mandated Information Sharing

PDMPs are a prime example of how legally mandated information sharing increases the risk of data breaches. These databases are treasure troves of health information that are designed to be widely accessible for the purposes of reducing drug abuse. Forty-nine states and the District of Columbia and the territory of Guam have a PDMP. While the details vary from state to state, typically doctors and pharmacists are required to report prescriptions of schedule II-IV or II-V drugs to the state. The state maintains a database that includes extensive details of each person, along with detailed prescription records.

Doctors and pharmacists are required to check the PDMP database prior to prescribing or dispensing medication. This means that the state PDMP databases are typically available online to tens of thousands of doctors, pharmacists and their staff, and often law enforcement agencies, state Medicaid administrators, and others. The database may also be accessible to practitioners in neighboring states, such as Maryland’s PDMP, which is available to prescribers in Delaware, Washington, DC, West Virginia, Virginia, and Pennsylvania. In the New York State, the Bureau of Narcotic Enforcement advertises that it “provides millions of secure Official New York State Prescriptions annually to over 95,000 prescribing practitioners across the State.”⁴³

43. New York State Department of Health, Bureau of Narcotic Enforcement, accessed January 18, 2018, https://www.health.ny.gov/professionals/narcotic (accessed January 18, 2018).

The fact that PDMPs are so widely accessible leaves them at high risk of unauthorized access. Consider that any medical practitioner around the state who has a PDMP password stolen or a computer infected with malware can be a gateway to this extensive database. By their nature, the PDMP databases are directly accessible via the web and typically protected only by single-factor authentication (username and password) chosen by the practitioner.

Virginia residents discovered in 2009 that their records had been accessed when the state Prescription Monitoring Program (PMP) website was defaced, and the hacker left the following message:⁴⁴

44. Cary Byrd, “Stolen Files Raise Issues About Prescription Drug Monitoring Programs,” eDrugSearch, May 11, 2009, https://edrugsearch.com/stolen-records-raise-questions-about-prescription-drug-monitoring-programs.

In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. . . . For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid. Now I don’t know what all this s—is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name, age, address, social security #, driver’s license #).

Virginia’s governor, Tim Kaine, elected not to pay the ransom. Two months later, the state formally sent breach notification letters to more than 530,000 people whose SSNs may have been stored on the system.⁴⁵

45. Bill Sizemore, “Virginia Patients Warned about Hacking of State Drug Web Site,” Virginia Post, June 4, 2009, http://hamptonroads.com/2009/06/oficials-hacker-may-have-stolen-social-security-numbers.

At the time, Virginia had a breach notification law that applied to SSNs, credit card numbers, and similar data, but it did not include health or medical data (a breach notification law for medical information was subsequently passed in 2010, although it applies only to state government agencies or organizations “supported . . . by public funds”).⁴⁶ As a result, the state did not notify all patients with data in the hacked system. Instead, only persons who had their SSNs in the database were notified. An FAQ on the state’s website explained, “If you do have a prescription record in the PMP and it did not contain a nine-digit number that could be a Social Security number, you will not be sent a letter.”⁴⁷

46. Va. Code Ann. § 32.1-127.1:05, Breach of Medical Information Notification (2010), https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1:05.

47. Virginia Department of Health Professionals, “Questions and Answers: Updated June 5, 2009,” accessed January 18, 2018, https://web.archive.org/web/20090618021638/ http://www.dhp.virginia.gov/misc_docs/PMPQA060509.pdf.

9.4.3 Deidentification

The HIPAA Privacy Rule allows covered entities and business associates to “deidentify” PHI and subsequently share the resulting data with anyone, sans HIPAA regulations. “Deidentification” in this context refers to the process of modifying data sets of medical information so that there is a low risk that individual subjects can be identified.

Under HIPAA, PHI can be deidentified in one of two ways, as illustrated in Figure 9-2 and described in the following list:

• Expert Determination: An expert uses “statistical and scientific principles” to determine that the risk of individual identification is very low.

• Safe Harbor: Eighteen types of identifying information are removed from the record. Examples include names, email addresses, facial photographs, SSNs, and more.

Theoretically, deidentifying data enables organizations to retain much of the value of medical datasets, while reducing the risk of privacy injury for individual subjects. According to the HHS, “the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.”⁴⁸

48. U.S. Department of Health and Human Services, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, accessed January 18, 2018, https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.

The OCR specifically refers to deidentification as one of the factors to be considered in evaluating whether a cybersecurity incident is a breach (and therefore subject to the breach notification laws). When assessing the risk of a breach, organizations are required to consider the “types of identifiers” and “likelihood of re-identification.”⁴⁹ Since a breach under the HITECH Act is defined as “an impermissible use or disclosure of protected health information” held by a covered entity or business associate, unauthorized access to de-identified information is not typically considered a breach.

49. U.S. HHS, “Breach Notification Rule”.

Deidentification is one of the ways that health data can “escape” the HIPAA-regulated environment. Deidentified data can be freely sold, transferred, or exposed to the world without regulation under HIPAA. However, the HHS website clearly explains that “de-identified data . . . retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds.”⁵⁰ If sensitive data were deidentified, transferred to a third party, and subsequently reidentified, then the original sensitive data could potentially exist outside of a HIPAA-regulated organization.

50. U.S. HHS, Guidance.

9.4.4 Reidentification

“Reidentification,” is the process of adding identifying data back to previously deidentified data sets. Reidentification may be done for a variety of reasons: for example, to match up records across two or more data sets; for ethical notification of subjects in the event that a research study turns up important findings; or for less ethical concerns such as marketing and personal data mining. To support reidentification, HIPAA explicitly permits entities to replace identifying information with a code. The OCR is clear that “[i]f a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI.”⁵¹

51. U.S. HHS, Guidance.

While explicit identifiers can be removed, the very factors that make data sets valuable for researchers (and commercial entities) can also be used to define unique profiles, and ultimately reidentify users. Researchers have demonstrated that reidentification can be much easier than people realize. Specific health conditions, treatment dates and times, names of physicians, location of treatment, and prescription histories function like a digital health fingerprint.

“Health information . . . from sleep patterns to diagnoses to genetic markers . . . can paint a very detailed and personal picture that is essentially impossible to de-identify, making it valuable for a variety of entities such as data brokers, marketers, law enforcement agencies, and criminals,” said Michelle De Mooy, the director of the Privacy & Data Project at the Center for Democracy & Technology.⁵²

52. Adam Tanner, “The Hidden Trade in Our Medical Data: Why We Should Worry,” Scientific American, January 11, 2017, https://www.scientificamerican.com/article/the-hidden-trade-in-our-medical-data-why-we-should-worry.

9.4.5 Double Standards

Reidentification is not a crime. While a few states require purchasers to sign or acknowledge a “data use agreement” in order to receive “deidentified” information, HIPAA does not require it for transfer of deidentified data. The result is that a covered entity (or business associate) can deidentify data in compliance with the law and transfer it to a third party without restriction. The third party could then attempt to reidentify the data. If successful, the third party would then be in possession of the same data as the covered entity, sans HIPAA/HITECH regulation.

Imagine that you suddenly discover, to your horror, that your organization accidentally posted people’s names and known medical problems on the web. Is that a data breach? It depends. If you work for a healthcare provider, then HIPAA/HITECH applies to you, and you would need to consider the definition of a breach in HIPAA/HITECH. On the other hand, if you work for a marketing firm that has re-identified data, it might be that no relevant law applies to you.

That means that two different organizations could expose the exact same data, and in one case it would be a “breach,” and in the other case it wouldn’t—simply by virtue of how the databases came to exist.

9.4.6 Beyond Healthcare

Fitness trackers, mobile health apps, paternity tests, social media sites, and many other emerging technologies typically fall outside the bounds of the caregiver/patient relationship, and therefore are not covered by regulations such as HIPAA. These “noncovered entities” (NCEs) often collect extensive health and medical-related details about individuals, which they can share or sell it with few restrictions.

The proliferation and spread of health information through NCEs increases the risk of personal health data exposure. NCEs are typically not bound by specific regulations that require them to safeguard health data. The HHS reported in 2016 that “NCEs have been found to engage in a variety of practices such as online advertising and marketing, 139 commercial uses or sale of individual information, and behavioral tracking practices, all of which indicate information use that is likely broader than what individuals would anticipate.”⁵³

53. U.S. Department of Health and Human Services, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA (Washington, DC: HHS, June 2016), https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.

Absent regulations and oversight requiring specific cybersecurity safeguards, NCEs can be particularly high-risk environments. Since there are no standard requirements for incident detection methods and oversight, a high percentage of potential breaches may simply go undetected in these environments. A 2012 study of personal health record (PHR) vendors by Maximus Federal Services found that “[o]nly five of the [41] PHR vendors surveyed referenced audits, access logs, or other methods to detect unauthorized access to identifiable information in PHRs.”⁵⁴

54. Maximus Federal Services, Non-HIPAA Covered Entities: Privacy and Security Policies and Practices of PHR Vendors and Related Entities Report, December 13, 2012, https://www.healthit.gov/sites/default/files/maximus_report_012816.pdf.

Subjects often do not realize that NCEs have great freedom to share or sell their health information. For example, in May 2017 attorney Joel Winston pointed out that by submitting DNA samples to the popular service AncestryDNA for analysis, users “grant[ed] AncestryDNA and the Ancestry Group Companies a perpetual, royalty-free, world-wide, transferable license to use your DNA . . . and to use, host, sublicense and distribute the resulting analysis to the extent and in the form or context we deem appropriate on or through any media or medium and with any technology or devices now known or hereafter developed or discovered.”⁵⁵

55. Ancestry.com, “AncestryDNA Terms and Conditions (United States),” accessed January 18, 2018, https://web.archive.org/web/20170521230901/ https://www.ancestry.com/dna/en/legal/us/termsAndConditions.

“[H]ow many people really read those contracts before clicking to agree? And how many relatives of Ancestry.com customers are also reading?” asked Winston. AncestryDNA changed its terms of service shortly thereafter.

Health information persists as an asset—and a risk—even after a company merges, liquidates, or is acquired. AncestryDNA itself takes pains to point this out in its current privacy statement:⁵⁶

56. Ancestry.com, “Ancestry Privacy Statement,” accessed January 18, 2018, https://www.ancestry.com/dna/en/legal/us/privacyStatement#3.

[A]s our business continues to grow and change, we might restructure, buy, or sell subsidiaries or business units. In these transactions, customer information is often one of the transferred assets, remaining subject to promises made in then prevailing privacy statements. Also, in the event that AncestryDNA, or substantially all of its assets or stock are acquired, transferred, disposed of (in whole or part and including in connection with any bankruptcy or similar proceedings), personal information will as a matter of course be one of the transferred assets.

NCEs are not bound by the HIPAA Breach Notification Rule, and therefore are not required to report a “breach” of health-related data under HIPAA/HITECH. However, the Federal Trade Commission’s Health Breach Notification Rule, which went into effect in 2010, does apply to vendors of personal health records, their service providers, or “related entities.” This rule requires organizations to notify affected U.S. citizens or residents, the FTC, and in certain cases, the media, when there has been “unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record.”⁵⁷ The FTC may also investigate when a suspected breach indicates that an organization may have engaged in “unfair or deceptive acts or practices” since that is part of the FTC’s core mandate.⁵⁸

57. Federal Trade Commission, “Health Breach Notification Rule: 16 CFR Part 318,” accessed January 18, 2018, https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/health-breach-notification-rule.

58. Thomas Rosch, Deceptive and Unfair Acts and Practices Principles: Evolution and Convergence (Washington, DC: FTC, May 18, 2007), 1, https://www.ftc.gov/sites/default/files/documents/public_statements/deceptive-and-unfair-acts-and-practices-principles-evolution-and-convergence/070518evolutionandconvergence_0.pdf.

9.5.1 More Breaches? Or More Reporting?

The website InformationIsBeautiful.net has an interactive page called “World’s Biggest Data Breaches & Hacks: Selected Losses Greater Than 30,000 Records.” As shown in Figure 9-3, the chart illustrates data breaches by year, filtered in this case to show only healthcare industry breaches. The size of each bubble indicates the approximate number of exposed records.

What’s striking is the absence of major breaches reported before 2009: The earliest major breach was the Virginia PMP, discussed earlier in the chapter. After that, AvMed, Inc. reported a theft of two laptops that occurred in December 2009 and affected 1.2 million patients, and subsequently Affinity Health Plan, Inc. reported in April 2010 that the data of more than 400,000 patients may have been exposed on an office copier hard drive that was not properly wiped before reuse.

Of course, prior to September 23, 2009, there was no legal definition of a “breach” of protected health information, at least under federal law. There was no Breach Notification Rule that explicitly required organizations to notify affected persons. There was no requirement to notify the media or HHS. There was no “Wall of Shame” where the public could view reported breaches. There was no threat of a fine if an organization did not notify affected parties quickly enough.

September 2009 (the effective date of the Breach Notification Rule) and February 2010 (the date after which organizations could be sanctioned for failing to provide proper notice) introduced massive regulatory changes. These changes almost certainly triggered a substantial rise in the number of health data breaches that were reported. Furthermore, the presumption of a breach incentivized many organizations to invest in network monitoring and logging in a way they never had before, giving these organization new capability to detect data breaches themselves.

In other words, the number of healthcare data breaches that occurred did not necessarily rise. Instead, for the first time, the health industry had defined what a breach was and gave organizations incentives to detect and report data breaches. Suddenly, the public had a glimpse of the rest of the iceberg.

9.5.2 Complexity: The Enemy of Security

Why so many healthcare breaches? As the issue erupted into the public spotlight, industry cybersecurity professionals wrestled with a myriad of challenges. “There are two things that make health care such an attractive target,” explained Larry Pierce, manager of information security and enterprise management at Atlantic Health System. “One is the value of the data, and two is that safeguards and protections are sometimes not in place to protect these environments.”⁶¹

61. Larry Pierce, interview by author, June 20, 2017.

“The worst enemy of security is complexity,” wrote Bruce Schneier, the renowned security expert, in 1999.⁶² If that’s the case, then healthcare organizations have a powerful enemy, indeed.

62. Bruce Schneier, “A Plea for Simplicity: You Can’t Secure What You Don’t Understand,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

In the next few sections, we will explore specific factors that contribute to the epidemic of healthcare data breaches: the complexity of their IT environments, third-party dependencies, the lack of a perimeter, a mobile workforce, the emergence of personal mobile devices and social media, increasing reliance on the cloud, and more. Technological advances in each of these areas have increased the risk of data breaches and also changed how we respond.

From a veritable jungle of specialized software applications to unique staffing issues and the emergence of Internet of Things (IoT), healthcare technology has become wildly complex. As we will see, it’s hard for security professionals to keep up.

9.5.3 Third-Party Dependencies

Healthcare organizations rely heavily on third parties to supply, manage, and maintain specialized software and equipment. As a result, they inherit security risks introduced by outside manufacturers and vendors. In this section, we will review the risks introduced by clinical equipment and vendor remote access, and highlight critical inconsistencies between the way the HHS and the Food and Drug Administration (FDA) regulate data breaches. Along the way, we will provide tips for reducing security risks introduced by third parties and discuss the impact of these organizations on data breach response.

9.5.4 The Disappearing Perimeter

“The classic [security] model of an organization is that you have a single connection to the Internet, and you have a firewall. You open the ports for the things you want to allow, and you close the ports that you don’t want to allow. You open the gate to the castle, and you close the gate to the castle,” Ford explained during our interview. “Now, that concept is gone.”

Ford was referring to the perimeter security model, pioneered by information security experts Bill Cheswick and Steve Bellovin, in their seminal 1994 book, Firewalls and Internet Security: Repelling the Wiley Hacker. In their book, the duo lay out a clear model for securing networks by establishing a strong perimeter. “If it is too difficult to secure each house in a neighborhood, perhaps the residents can band together to build a wall around the town,” they wrote. “Alert, well-trained guards can be posted at the gates while the people go about their business. . . . This approach is called perimeter security.” Essentially, network administrators build a virtual wall around an organization’s network by restricting the flow of traffic, and install a firewall to function as the gate. “To be effective,” the authors caution, “the wall should go all the way around the town, and be high enough and thick enough to withstand attack. It also must not have holes or secret entrances that allow an attacker to creep in past the guards.”⁷⁶

76. W. R. Cheswick, S. M. Bellovin, and A. D. Rubin, Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. (Boston: Addison-Wesley Professional, 2003), 11.

The perimeter security model has been used as the basis for securing many organizations over the years, and it is still used today. However, Ford’s argument is that the model is no longer effective for large segments of the healthcare industry, particularly hospital networks, because the “perimeter” in these environments no longer exists. He cites “the disappearing perimeter” as one of the key drivers behind health industry data breaches.

To start, healthcare providers have long had a porous physical perimeter: They host patients throughout their facilities, including exam rooms, in-patient wards, cafeterias, operating rooms and laboratories (again, compare this with banks, which have specific, limited areas that are accessible to the public). While this physical pourousness is nothing new, the access to data in these environments has expanded exponentially over the years.

Sensitive data is instantaneously accessible from laptops attached to rolling carts, tablets, and workstations distributed over a large geographical area. Network jacks throughout the facilities are designed to connect medical equipment, clinical systems, security cameras, and more—and potentially provide a point of access for unauthorized persons. Ubiquitous wireless networks facilitate the use of mobile devices for clinicians, as well as guest access for patients and their families.

The virtual perimeter has become increasingly porous, too. Staff members constantly receive emails that may contain malicious attachments or links. “The user opens it [and gets infected], and now there’s a beachhead internally which opens a command-and-control channel out,” explains Ford.⁷⁷

77. Ford interview.

Multiple healthcare facilities are connected using site-to-site virtual private networks (VPNs), enabling care providers to share data and network resources. Vendor networks, too, are connected, through site-to-site VPNs or other remote connections.

In this manner, the “village” of a hospital has grown to encompass so many other villages and towns that the perimeter security model no longer makes sense. Indeed, Cheswick and Bellovin themselves called attention to this issue: “The perimeter approach is not effective if the town is too large.”⁷⁸

78. Cheswick, Bellovin, and Rubin, Firewalls and Internet Security, 11.

9.6.1 What’s the Harm?

Health data breaches fuel crimes such as:

• Medical identity theft, where people obtain fraudulent medical care, insurance coverage, or prescriptions using the personal information of a victim. In addition to financial loss and further data disclosure, this can result in mistakes in the victim’s medical records, such as the addition of another person’s ailments or physical characteristics. In one study conducted by the Ponemon Institute, a majority of healthcare providers did not have any process for correcting errors in medical records.⁹²

  92. Ponemon Institute LLC, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (research report sponsored by ID Experts, May 2016), https://media.scmagazine.com/documents/232/sixth_annual_benchmark_study_o_57783.pdf.

• Insurance fraud specifically refers to misuse related to a victim’s health insurance coverage. This type of fraud can result in victims being denied coverage when they need it. “Patients who have private health insurance often have lifetime caps or other limits on benefits under their policies. So every time a false claim is paid in a patient’s name, the dollar amount counts toward that patient’s lifetime or other limits,” reports the National Health Care Anti-Fraud Association. “This means that when a patient legitimately needs his or her insurance benefits the most, they may have already been exhausted.”⁹³ In the United States, where medical treatment and insurance is decentralized, fraud is especially difficult to detect and prevent.

  93. National Health Care Anti-Fraud Association, “The Challenge of Health Care Fraud,” accessed January 17, 2018, https://www.nhcaa.org/resources/health-care-anti-fraud-resources/the-challenge-of-health-care-fraud.aspx.

• Drug fraud, which is a specific outcome of medical identity theft, can have a widespread impact on society, resulting in addiction, overdoses, and increased healthcare costs.

• Extortion, in which criminals demand a ransom in exchange for not releasing sensitive information. In some cases, criminals attempt to extort money from the patients; other times they approach the breached organization.

• Sale or unauthorized use of personal health information, in which criminals sell information about medical treatments, diseases, prescription details, and more to organizations such as news outlets, marketing firms, or data brokers.

In addition, health breaches have negative impacts on victims and society at large that may not be classified as crimes per se but that raise ethical and legal concerns.

• Economic exploitation is one negative consequence that is difficult to track. In addition to the potential for direct extortion, patients with specific diseases or problems can be targeted by corporations seeking profit. “Marketers and other people monetize data by categorizing people based on their health information,” says Sherri Douville, CEO of Medigram Mobile Intelligence.⁹⁴

  94. Douville interview.

• Discrimination is one of the most insidious and difficult-to-measure consequences. Your medical records can reveal your sexual orientation, genetic risks, job attendance, and more. Throughout the course of human history, health information has been used to make discriminatory decisions in marriage and dating, employment, politics, and endless other areas. The United States has developed some laws protecting against disability and gender-based discrimination, but there are many loopholes—and discriminatory decisions that are quietly made behind closed doors often go undetected.

  “Every company would like the perfect employee who has never had a mental health problem, never had an addiction, never had high blood pressure,” added Douville during our interview. “They want the perfect little robot.”

  “People can lose out on jobs, pay more for insurance, fare poorly in custody battles and suffer personal embarrassment,” reported Bloomberg Business.⁹⁵

  95. Jordan Robertson, “States’ Hospital Data for Sale Puts Privacy in Jeopardy,” Bloomberg, June 5, 2013, https://www.bloomberg.com/news/articles/2013-06-05/states-hospital-data-for-sale-puts-privacy-in-jeopardy.

It is impossible to enumerate all of the potential negative consequences of health data breach, particularly as the laws and technology evolve. Breaches of confidentiality can lead to employment difficulties, embarrassment, harassment, discrimination, and more. Victims may never even know that their health information was stolen and used against them.

9.6.2 Making Amends

Since personal health information has the potential to impact lives in so many ways, it is difficult to imagine compensation or corrective action that could truly repair the open-ended risks for affected data subjects. While breached organizations often try to compensate victims, offers that are common in other industries may fall flat when it comes to health data breaches.

For example, in March 2015, Premera Blue Cross, a large health insurance provider based out of Washington State, announced a data breach in which criminals “may have gained access” to “name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information.”⁹⁶ Reportedly, the criminals had access to Premera’s systems for nearly a year. As with most health data breach announcements, “clinical information,” was buried at the end of the list—but people noticed.

96. Premera, “Premera Has Been the Target of a Sophisticated Cyberattack,” accessed January 17, 2018, https://web.archive.org/web/20150330101405/ http://www.premeraupdate.com.

As compensation, Premera provided access to “two years of free credit monitoring and identity protection services” to affected persons. Of course, while credit monitoring and identity theft protection can help mitigate risk of financial fraud, it doesn’t address the long-term risk of harm due to PHI exposure. U.S. Senator Patty Murray, ranking member of the Senate Health, Education, Labor, and Pensions Committee, drafted a letter to Premera Blue Cross in the days following the breach announcement. In it, she expressed:

“I understand that Premera has now started to notify each of the affected individuals regarding the attack, and to offer two years of credit monitoring to those customers. I am glad that Premera is taking action on behalf of their customers. However, I remain concerned about the potential harm resulting from this enormous breach and what efforts that Premera will make to ensure that any harm is remedied.”⁹⁷

97. U.S. Senate Comm. on Health, Education, Labor & Pensions, “Murray Demands Answers from Premera Blue Cross Following Cyberattack that Impacted Millions of Washington State Residents,” press release, March 20, 2015, https://www.help.senate.gov/ranking/newsroom/press/murray-demands-answers-from-premera-blue-cross-following-cyberattack-that-impacted-millions-of-washington-state-residents.

Unfortunately, it’s not clear that there is an effective way to mitigate the potential harm that can be caused by the exposure of private health information. The healthcare industry as a whole has struggled with the problem.

“For breaches involving health care data, credit monitoring doesn’t address potential embarrassment or discrimination that can come as a result of exposed medical details,” said Ford during our interview. Once private health information is stolen from a hospital, insurer, or third-party provider, there may be no way to put the genie back in the bottle.

9.6.3 Health Breach Lawsuits

Ironically, the open-ended nature of the risk in health data breaches is precisely what makes it difficult for victims to successfully sue. “HIPAA . . . [does] not have a private right of action that you can sue under the statue,” explained data breach attorney David G. Ries, counsel at Clark Hill, “but in a lot of states, if there’s a law that’s intended to protect you and somebody breaches their duty to protect you, you can bring a tort action against them.”⁹⁸

98. Dave Ries, interview by author, December 3, 2018.

In order to gain standing in court, victims must typically demonstrate that they have been harmed or are at risk of impending harm due to the data breach. This can be challenging in data breach cases, particularly with health data. Harm such as discrimination or loss of job opportunities can be difficult to connect with a specific breach, especially when information is distilled, sold, and resold by intermediary data brokers. How would a job seeker know that he or she was rejected because the employer leveraged an employability “score” produced by a data broker, which in turn was based on data that should have been private? What’s more, since health data retains its value, actual harm may come years or decades down the road, long after data breach cases are settled or dismissed.

In the case of Health Net of California, Inc., the provider’s vendor, IBM, lost servers that contained personal data of approximately 2 million people, including medical and financial data. Within weeks, ten victims filed a punitive class-action lawsuit against Health Net and IBM, alleging that both companies had violated California’s Confidentiality of Medical Information Act (CMIA), and that Health Net had violated the Customer Records Act (CRA).

The district court dismissed the case, stating that “[a]ny harm stemming from their loss thus is precisely the type of conjectural and hypothetical harm that is insufficient to allege standing.” (Interestingly, the district court also drew a distinction between theft versus loss of data, pointing out that there was also no evidence that third parties accessed the data.)

“The named plaintiff must himself actually suffer an injury and that injury cannot be hypothetical,” summarized attorney Bridget A. Purdue Riddell of Bricker & Eckler LLP.⁹⁹

99. Bridget A. Purdue Riddell, “California Class Action over Loss of Server Drives Storing Personal and Medical Information Dismissed for Lack of Standing,” Lexology, February 7, 2012, https://www.lexology.com/library/detail.aspx?g=51aec218-acc1-4797-9975-4883182b4dbd.

On the flip side, Health Net victims successfully filed a class-action lawsuit in California’s Superior Court and reached a settlement in 2014.¹⁰⁰

100. Marianne Kolbesuk McGee, “Health Net Breach Lawsuit Settled,” Data Breach Today, July 24, 2014, https://www.databreachtoday.com/health-net-breach-lawsuit-settled-a-7099; Shurtleff v. Health Net of California, Inc., No. 34-2012-00121600 (County of Sacramento, CA, 2013), https://eclaim.kccllc.net/caclaimforms/HBS/Documents/HBS_Preliminary%20Approval%20Order.pdf.

Ries is quick to point out that federal and state court rulings on data breaches are complex and not always consistent. “It’s still developing,” he says.

9.6.4 Learning from Medical Errors

Mistakes that cause permanent harm are nothing new in the healthcare industry. A team of researchers from Johns Hopkins found that “medical errors” result in 251,000 deaths each year, making them the third-leading cause of death in the United States.¹⁰¹

101. Ariana Eunjung Cha, “Researchers: Medical Errors Now Third Leading Cause of Death in the United States,” Washington Post, May 3, 2016, https://www.washingtonpost.com/news/to-your-health/wp/2016/05/03/researchers-medical-errors-now-third-leading-cause-of-death-in-united-states.

How do providers deal with these terrible situations? Many take the “deny and defend” approach, clamming up and releasing as little information as possible.¹⁰² That’s standard procedure for data breach disclosure today, as well: patients receive a tersely worded notification letter, if required by law, and little else.

102. Sandra G. Boodman, “Should Hospitals—and Doctors—Apologize for Medical Mistakes?” Washington Post, March 12, 2017, https://www.washingtonpost.com/national/health-science/should-hospitals{and-doctors–apologize-for-medical-mistakes/2017/03/10/1cad035a-fd20-11e6-8f41-ea6ed597e4ca.

As with medical errors, there are serious downsides to keeping quiet in a data breach response. Lack of transparency leads to perpetuation of mistakes. Trust between patients and health providers may be damaged, causing patients to withhold information from care providers, which in the long term leads to public health concerns. Angry victims are more likely to file lawsuits.

A new approach has emerged in medical error response. Instead of “deny and defend,” many healthcare providers are now establishing programs designed “to circumvent litigation by offering prompt disclosure, apology and compensation for mistakes as an alternative to malpractice suits,” reported the Washington Post.¹⁰³ One example is the Communication and Optimal Resolution (CANDOR) approach, which features “prompt investigation of errors whose findings are shared with the victims, as well as an apology and compensation for injuries.”¹⁰⁴

103. Boodman, “Should Hospitals and Doctors.”

104. Boodman, “Should Hospitals and Doctors.”

Healthcare providers—and their breach response teams—might consider taking a page from the industry’s own playbooks. “You have to normalize honesty to create a culture of continuous improvement,” said Richard C. Boothman, chief risk officer for the University of Michigan Health System.¹⁰⁵

105. Boodman, “Should Hospitals and Doctors.”

Even as data breaches become more common, healthcare security teams continue to struggle in isolation and silence. “When there’s a data breach . . . you read about it in the news but after that it’s only speculation,” says Pierce. “Nobody is willing to throw out, ‘here’s what happened’ so you can learn lessons from that. That would go a long way from an awareness and education perspective, for organizations to learn from each other’s misfortune.”¹⁰⁶

106. Pierce interview.

As with medical errors, there is great fear surrounding data breach disclosure—but transparency and openness can help to reduce long-term risk throughout the system.