In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data.  This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine.  The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.  

While the settlement did not include an admission of liability, in addition to the monetary settlement, and submitting to HHS oversight, the hospital must also adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility.  Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices.  Despite a general prohibition on employees physically removing protected health information from the hospital,  HHS permitted an exception when the information is removed by an employee to perform his or her job duties.  Additionally, the hospital must implement training for all employees.  

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions.  In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.

 

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has imposed its first civil monetary penalty since the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became effective in April 2003. HHS issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule and imposed $4.3 million in penalties for the violations. The penalty amount is based on the increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The penalty for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. When Cignet did produce the records, it included certain records of 4,500 unrelated patients.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The penalty for these violations is $3 million.

There are some important lessons from this case for covered entities and business associates (now subject to the same penalty provisions as covered entities):

  • HHS appears to have turned the corner – it is willing to impose substantial penalties for Privacy and Security Rule violations under HIPAA.
  • Each day that a violation continues can be treated as a separate violation, allowing penalties to add up quickly. Cignet’s failure to provide a patient timely access to his records was a violation, and each day that continued was a separate violation. 
  • When responding to an HHS investigation concerning patient or participant information, be sure to include only the information being requested, and not that of unrelated persons.
  • Most important, be responsive to the agency. The reason for the significance of the penalties was almost certainly due to Cignet’s level of cooperation HHS.  

 

What is a company’s recourse when a former employee deletes e-mails and other company electronic information before he leaves? A case from Indiana provides a lesson.

When Meridian Financial Advisors began serving as Receiver for bankrupted OCMC, Inc., it took possession of a number of OCMC computers, including one belonging to Joseph A. Pence, OCMC’s President and CEO. In the course of its investigation, Meridian learned that OCMC employees, including Mr. Pence, had deleted e-mails and computer documents detailing improper conduct just before leaving OCMC. Meridian filed suit against Pence and others in connection with OCMC’s collapse, including a claim for civil damages under the Computer Fraud and Abuse Act (“CFAA”) for damaging OCMC’s protected computers. Meridian Fin. Advisors Ltd. v. Pence, No. 07-995 (S.D. Ind. 1/14/11).

A person violates CFAA by:

knowingly caus[ing] the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer. 18 U.S.C. § 1030(a)(5)(A)(i).

Civil penalty provisions under the CFAA allow for recovery of compensatory damages when the damage exceeds $5,000.

Pence argued that even if a deletion occurred there was no damage to OCMC computers and, therefore, no damage under the CFAA. The federal district court rejected this argument, pointing out that the statute defines "damage" as:

any impairment to the integrity or availability of data, a program, a system, or information 18 U.S.C. § 1030(e)(8). 

The court reasoned that a "deletion of files impairs the availability of data and, as such, is covered under the statute" (citing other cases with similar holdings, Monson v. Whitby Sch., Inc., No 3:09-CV-1096, 2010 WL 3023873, at *3 (D. Conn. Aug. 2, 2010) (under some circumstances, deletion of an employee’s own e-mail can give rise to a CFAA claim); and Condux Int’l, Inc. v. Haugum, No. 08-4824, 2008 WL 5244818, at *8 (D. Minn. Dec. 15, 2008) (same with deletion of evidence of computer use)).

The court went on to address whether Pence deleted the e-mails without authorization, a required element for recovery under the CFAA. While the courts are not in agreement on this issue, the U.S. Court of Appeals for the Seventh Circuit (which has jurisdiction over Illinois, Indiana, and Wisconsin) recognizes that previously authorized use of a computer system may become unauthorized when an employee breaches his duty of loyalty to his employer. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). The district court in Pence followed the holding in Citrin, although a question of fact remained as to whether Pence actually deleted the e-mails. Because of the open question of fact, the court could not grant Meridian’s motion for summary judgment.

Deletion of files is becoming common practice when employees, typically key employees, leave an organization. Where possible, employers should try to prevent the deletions and take steps to better manage their important data. However, when these kinds of deletions happen, in the right cases, the CFAA can be a valuable tool for employers to remedy their damages. 

Last month, the Federal Trade Commission’s Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft. 

When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one’s credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009; double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.

The FTC’s FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.

Providers and plans should be taking steps to be prepared to address medical identify theft situations.

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistle blower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee’s access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company’s current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.

Our adversaries are trolling social networks, blogs and forums, trying to find sensitive information they can use about our military goals and objectives. Therefore, it is imperative that all Soldiers and Family members understand the importance of practicing good operations security measures.

-Sgt. Maj. of the Army Kenneth O. Preston

The above quote is contained in the U.S. Army Social Media Handbook, (pdf) published January 2011, which lays out a comprehensive set of guidelines for soldiers participating in social media. According to the the Handbook: The Army encourages members of the Army Family to use social media to connect and tell their stories, but it also advises everyone to do this in a safe
and secure manner.

This move by the Army follows a February 25, 2010, Department of Defense Directive-Type Memorandum (DTM) which provided guidelines for military use of social media and acknowledged
“that Internet-based capabilities are integral to operations across the Department of Defense.”  The DTM clearly indicates that use of social media in the DoD is authorized.

While much of the specific policy governing soldiers’ is left to Army leaders, the Handbook provides some familiar advice:

  • Take a close look at all privacy settings. Set security options to allow visibility to “friends only.”
  • Do not reveal sensitive information about yourself such as schedules and event locations.
  • Ask, “What could the wrong person do with this information?” and “Could it compromise the safety of myself, my family or my unit?”
  • Geotagging is a feature that reveals your location to other people within your network. Consider turning off the GPS function of your smartphone.
  • Closely review photos before they go online. Make sure they do not give away sensitive information which could be dangerous if released.
  • Make sure to talk to family about operations security and what can and cannot be posted.
  • Videos can go viral quickly, make sure they don’t give away sensitive information.

Many of the technological and personnel issues that concern the Army apply in the private sector, although for obvious reasons there can be far different consequences for the military (and for us). Still, having clear policies and thinking through how social media can affect your business is critical for today’s workplace

The demand for "data breach" insurance appears to be growing based on our experiences, as well as commentary such as a recent article by Pamela Lewis Dolan of American Medical News.

As we’ve reported, data breach coverage is something quite different than traditional "cyber-risk" coverage which tends to address "hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” According to Ms. Dolan’s article, data breach policies tend to cover the cost of notification and credit monitoring for affected persons, public relations expenses to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements. Of course, as with any type of insurance, businesses should seek appropriate advice concerning the scope of coverage they are purchasing.

Ms. Dolan’s focus on health care providers is well placed given the recent HIPAA breach notification mandate and the sensitive protected health information such businesses handle. This is particularly true for small health care practices which often do not have the resources to adequately respond to a data breach – for those, a data breach policy could be a wise investment.  It is also true for those businesses that service the health care industry – many of which are business associates that are also subject to HIPAA and its breach notification requirements. 

Beyond HIPAA, breach notification mandates exist in nearly all states in the U.S. and other jurisdictions. So, many businesses can benefit from addressing this risk through insurance as well as adopting policies and procedures to reduce the likelihood of a breach in the first place. In this connection, Ms. Dolan is also wise to report that data breach insurance doesn’t absolve health care practices or any other business for that matter from implementing safeguards to protect personal information or protected health information. Various federal and state laws require to one degree or another businesses to adopt "written information security programs" to safeguard personal information.

This is much like protecting your building/office space from fire damage – you have fire insurance, but you also have a plan to safeguard critical assets and exit the building!

 

Together with some other U.S. Senators who have offered data security laws in recent years, Senate Majority Leader Harry Reid introduced S.21 on January 25. The bill, a "sense of Congress" bill, urges the passage of a comprehensive law to address cybersecurity, without making any changes to current law.

This bill is important in that it acknowledges the critical role information technology plays in the U.S. economy:

With information technology now the backbone of the United States economy, a critical element of United States national security infrastructure and defense systems, the primary foundation of global communications, and a key enabler of most critical infrastructure, nearly every single American citizen is touched by cyberspace and is threatened by cyber attacks.

Congress "has the sense" that a future law should serve at least 10 critical goals, such as:

  • provide incentives to the private sector to quantify, assess, and mitigate cybersecurity risks to their communications and information networks;
  • promoting investments in the American information technology sector to create jobs;
  • preventing and mitigating identity theft and guarding against abuses or breaches of personally identifiable information;
  • protect federal government communications from cyber attack; 
  • maintaining robust protections of the privacy of American citizens and their online activities and communications;
  • protecting and increasing the resiliency of U.S. critical infrastructure and assets, such as the electric grid, military assets, financial sector and telecommunications networks; and
  • enhancing international cooperation on cybersecurity to promote free access and fight cybercrime.

Will a new law follow?

Maybe. It will take some time as Committees and federal agencies jockey for position, although it seems this "sense of Congress" will advance the ball further than it has been.

The advice to companies, business leaders, professionals and others, however, is "Don’t wait!" Many states already have data security laws in effect and, even without those laws, all businesses have sensitive company proprietary to safeguard. 

With some harsh words of warning, a judge in the U.S. District Court for the District of Minnesota has sanctioned another law firm for electronic filing of documents disclosing birth dates, names of minors, financial account numbers and at least one social security number in violation of Fed. R. Civ. P. 5.2(a).

In a decision issued on November 24, 2010 in the case of Allstate Insurance Company v. Linea Latina de Accidentes, Judge Joan N. Erickson noted that,

"Every federal district has now embraced electronic filing.  The days of attorneys being able to ignore the computer and shift blame to support staff in the event of an error are gone.  The consequences are simply too serious. To the extent there are attorneys practicing in federal court who are under the impression that someone in the Clerk’s office will comb their filings for errors and call them with a heads-up, the court delivers this message: its is the responsibility of counsel to ensure that personal identifiers are properly redacted."

In this case, upon being notified of the problem, plaintiff’s counsel initially moved to have the complaint and its attachments filed under seal.  The court responded by stating that there was no reason to seal the complaint if had been properly redacted, and then noted that plaintiff’s motion showed no sense of urgency to remedy the fact the information was on the Internet, perhaps permanently.  Counsel then attempted to redact the information using Adobe Acrobat’s rectangle tool, which the court found insufficient as the black rectangles could be removed with a few keystrokes. The court ultimately ordered the plaintiff’s counsel to remedy the problem, notify each individual affected, provide credit monitoring,and to pay $300 to a charity.

 We previously warned you about similar sanctions in the case of Engeseth v. County of Isanti. Caveat jurisconsultor (lawyer beware)!