cybersecurity

Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , ,

Cybersecurity Attack on Anthem, Inc. Highlights the Cybersecurity Risks for All Companies Handling Electronic Medical Records

Posted by Gregory M. Fliszar on February 09, 2015
cyberattacks, cybercriminals, cybersecurity, FBI, Healthcare, HIPAA, HITECH / No Comments

Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29th and contacted the FBI, which has started an investigation into the matter.

Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”

Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers and it is likely that more suits will follow. In addition to the FBI’s investigation into attack, Attorney Generals in New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.

The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.

If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at [email protected].

Gregory M. Fliszar

Gregory M. Fliszar

Greg Fliszar is member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.

More Posts - Website