The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices

Figure 1: Healthcare organizations are also responsible for the data of their Business Associates and their Business Associates’ subcontractors. [Figure 1 labels: Business Associates; Subcontractors of Business Associates]

DATA BREACH SETTLEMENT WITH MINNESOTA AG

One of the most destructive data breach cases of the past few years involved a Chicago-based medical billing and revenue management services company. In July 2011, an employee of the organization left an unencrypted laptop containing the PHI of 23,500 patients inside a rental car, which was subsequently stolen and never recovered. Data on the laptop included patient names, dates of birth, social security numbers, billing information, and medical diagnostic information. Although there has been no report of any unauthorized use of the data to date, the incident caught the attention of Lori Swanson, Minnesota’s Attorney General, which led to a wider investigation into the company’s business practices in the state. The FTC [7] alleged that the organization failed to:

• Provide appropriate security measures to protect consumers’ personal information
• Employ reasonable procedures to ensure that personal information is removed from computers when it is no longer needed
• Adequately restrict employee access to personal information based on an employee’s need for the information

HEALTHCARE DATA BREACH—THE CONSEQUENCES

In July 2012, the Healthcare organization settled the HIPAA-HITECH complaint instituted by the Minnesota Attorney General for $2.5 million, but that was just a fraction of the overall cost to the business. The organization agreed not to conduct business in the state of Minnesota for a minimum of two years and up to six years. The decision of when it may resume business after the first two years is at the sole discretion of the Attorney General.

MINNESOTA 2012-2013
Minnesota AG HIPAA-HITECH Settlement: $2.5 million
Annual loss to the business: $23 – 25 million (for at least 2 years and up to 6 years)
Class action settlement: $14 million
Total number of records breached: 23,500
Total cost per record: $2,000 – 6,000

The organization signed a consent decree at the insistence of the FTC. Pursuant to the decree, the organization must have an immediate audit of its data security procedures and protocols by an independent third-party auditor, with such audits recurring every two years for the next twenty years. Before the breach, Minnesota had been home to the organization’s largest customer. However, this customer cut ties with the organization after the investigation. The impact this case has had on the organization’s bottom line is significant—revenue losses from the state of Minnesota alone are estimated at $23-$25 million per year. The case also prompted two more federal investigations, including a Senate hearing, and a class action lawsuit by shareholders which was settled in September 2013 for $14 million.

Figure 2: Timeline of events in the Minnesota case
07/11: Laptop stolen from employee rental car
01/12: Minnesota AG suit filed
07/12: $2.5M settlement
04/13: CEO replaced
06/13: Class action suit filed
08/13: CFO replaced
09/13: $14M class action settlement
12/13: FTC settlement

The organization was in turmoil following the investigations, lawsuits, and settlements, and the board replaced both the CEO and the CFO. This particular settlement is an important reminder that the Office for Civil Rights is not the only enforcer of health information, privacy, and security regulations. While not as common, the FTC can also exercise its authority to find a lack of data security to be an unfair or deceptive trade practice under Section 5 of the FTC Act.

The need for Healthcare organizations to remain compliant with HIPAA not only protects them from HIPAA auditors, it also ensures they are not exposed to additional enforcement actions from other regulatory and government bodies. This data breach resulted in direct costs in excess of $60 million in fines, penalties and lawsuit settlements. This does not include the legal fees, the cost of the new security protocols and audits, nor the lost revenue – all from the loss of a single laptop.

DATA BREACH SETTLEMENTS WITH OCR

No verdicts have been made against any Healthcare organization for non-compliance with HIPAA regulations. All cases to date have resulted in settlements, as Healthcare organizations do not want to be the first to set a very public precedent in these cases.

In May 2014, a Texas-based national Healthcare company [9] agreed to a settlement of $1.7 million with the OCR for privacy violations relating to an unencrypted laptop that was stolen from a Missouri physical therapy center in November 2011. The unencrypted laptop contained 870 health records. In addition to the fines, the company agreed to adopt a corrective action plan and to document its efforts at remediation.

TEXAS 2014
OCR Settlement: $1.7 million
Total records breached: 870
Total cost per record: $1,954

In April 2014, an Arkansas-based Healthcare company [10] agreed to a settlement of $250,000 with the OCR for HIPAA violations. In February 2012, an unencrypted laptop containing the PHI of 148 individuals was stolen from an employee’s car. While the company encrypted its devices following discovery of the breach, OCR’s investigation revealed that it failed to comply with multiple requirements of the HIPAA Privacy and Security Rules.

ARKANSAS 2014
OCR Settlement: $250,000
Total records breached: 148
Total cost per record: $1,689

As part of the settlement, the company is required to provide the OCR with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its PHI. The company is also required to provide data security training to its employees and document all compliance efforts. Shortly after the settlement, the company was acquired by a larger organization through a stock-purchase agreement.

DATA SECURITY COMPLIANCE

These cases offer a frightening insight into the consequences of human error. If each of the organizations had the correct security policies and solutions in place, the employees would have reported the loss of the laptops and IT could have taken appropriate measures such as:

• Freezing the device so it becomes unusable
• Remotely deleting the data
• Retrieving data from the device
• Tracking the device using geolocation
• Running reports to prove compliance (data delete logs, encryption status reports, whether data was accessed by unauthorized users)

If these organizations could have developed sufficient evidence of a “low probability” that PHI had been accessed or transferred by unauthorized persons, HIPAA-HITECH statutes and regulations