Last month, a cyberattack forced two New York hospitals to divert and even discharge some patients to other facilities, while the affected hospitals shut down their IT systems to address the issue and restore their secure network. [cite] In the wake of this event, New York Governor Kathy Hochul has proposed a cybersecurity regulation that would create a new section, Section 405.46 of Title 10 of the Official Compilation Codes, Rules and Regulations of the State of New York, and which would apply to all general hospitals in New York State. Governor Hochul plans to allocate $500 million to back the proposed regulation. [cite]Continue reading…
cybersecurity, Federal Trade Commission, FTC, Privacy, Uncategorized / No Comments
On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation. In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.
The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks. By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States. To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard. A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC. Continue reading…
Affordable Care Act, CMS, cyberattacks, cybercriminals, cybersecurity, HHS, HIPAA, HITECH, Privacy, Uncategorized / No Comments
Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska. Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015. According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.
Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates. Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.
Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people. As these attacks illustrate, health information is now a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims. Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”
Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security. The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach. The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA. The Complaint also alleges violations of state consumer protection laws and data disclosure laws.
As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.
cyberattacks, cybercriminals, cybersecurity, FBI, Healthcare, HIPAA, HITECH / No Comments
Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29th and contacted the FBI, which has started an investigation into the matter.
Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”
Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers and it is likely that more suits will follow. In addition to the FBI’s investigation into attack, Attorney Generals in New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.
The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.
To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.
If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at firstname.lastname@example.org.