PHI Security: You Are Only As Strong As Your Weakest Link

Idaho State University just paid $400,000 to settle HIPAA security violations with the Office of Civil Rights. OCR contended that ISU failed to maintain adequate security by failing to maintain its firewall for ten months and for other systemic deficiencies. The problems centered around a family medical clinic.

ISU notified HHS of the breach, in which the ePHI of approximately 17,500 patients remained unsecured for at least 10 months. OCR found that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities, such that ISU failed to assess the likelihood of potential risks occurring. Importantly, there was no indication that any of the information was actually accessed.

According to the OCR:

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” and “Proper security measures and policies help mitigate potential risk to patient information.”

The settlement indicates the need to closely monitor security as well as privacy. Good security can often prevent a data breach. Nevertheless, security at satellite facilities is often overlooked until there is a breach.

Chinese Military Hacking U.S. Businesses?

Computer security firm Mandiant Corp. recently released a comprehensive report [pdf] exposing cyber espionage by a specialized Chinese military unit. The 60-page study details 141 separate attacks directed primarily at U.S. corporations and U.S. government agencies.

The attacks are said to originate from “Unit 61398”, a secret department within the People’s Liberation Army located in Shanghai. Coca-Cola and computer security firm RSA are among its victims.

Mandiant reports that the attacks started in 2006, but are now escalating.  The secret unit stole technology blueprints, manufacturing processes, clinical trial results, pricing documents and other proprietary information from more than 100 entities, mostly in the U.S.

The attacks are generated via “spear phishing” emails, that is, emails targeted at company employees that appear to be innocuous. However, once a malicious link in the email is clicked, malware is downloaded to the computer and the attackers are inside the network. Once inside the network, the malware can operate unnoticed, for years, while it sends company files back to Shanghai.

Not surprisingly, the Chinese government has dismissed the report and claims that it does not support state-sponsored hacking. The Chinese Defense Ministry countered that its websites are routinely attacked by computer intruders, many of which are based in the U.S.

But whether it is the Chinese government looking for economic advantage, Eastern European hackers looking to steal credit card information, or a careless employee who loses a company laptop, businesses need to continue to be vigilant in securing their electronic data. As always, companies should employ the appropriate IT security tools to detect malicious software on their network. Of course, if a breach is discovered, immediately seek legal advice to protect your interests, conduct remediation and forensically determine what happened.

OLD DATA IS POTENTIALLY DANGEROUS DATA

Kirkwood Community College in Iowa recently announced that it will pay between $400,000 and $500,000 in data breach remedy costs as a result of a hacking incident in March. The hackers were able to gain access to approximately eight years of archived application information. The information may have included names, birth dates, contact information and Social Security numbers from more than 125,000 people. The college’s costs include forensic security fees, call center fees, and other data breach response costs. More than 9,000 individuals have signed up for credit monitoring. The school and its security team fielded more than 3,000 calls in the first week following the breach.

This incident, once again, demonstrates the risk that entities run by keeping old data containing personally identifiable information on their servers. No matter how good the security systems are, the easiest way to lessen the risk of an expensive data breach is to limit the amount of information on your servers. Businesses should continually review and analyze their data storage procedures to determine what archived information can be purged from the system. In addition, cyber breach insurance coverage is a must for educational institutions.

SCHNUCK’S MASSIVE DATA BREACH RESULTS IN SEVERAL CLASS ACTION LAWSUITS

As we reported last month, Schnucks supermarket stores announced a data breach in March that potentially affected 2.4 million debit and credit card users. News reports have indicated that as many as 79 Schnucks stores may have had their customers’ card numbers and information stolen. As is often the case, class action lawsuits have now been filed in Illinois and Missouri.

The Illinois class action suit alleges that the plaintiff and class members have suffered damages for the following reasons: their debit and credit card information was compromised, and they incurred numerous hours cancelling their compromised cards, activating replacement cards and reestablishing automatic withdrawal payment authorizations from their old cards to their new cards. Plaintiff’s attorney is alleging that besides state negligence claims, Schnucks also violated the federal Fair Credit Reporting Act.

While Schnucks has already set up a consumer call center and spent significant time and resources on the forensic analysis of this data breach, the financial costs have only just begun. This breach is just one more example of the significant costs that will be incurred by an entity that has sustained a data breach, and more than ever demonstrates the critical need for cyber policies that cover data breach related costs for all businesses.

SCHNUCKS IS THE LATEST SUPERMARKET CHAIN TO SUFFER AN EXTENSIVE DATA BREACH

Last month the Schnucks supermarket chain announced that it had been the victim of a hacking and was investigating a data breach that led to customer credit and debit cards being fraudulently charged with purchases. At the time, Schnucks did not indicate the severity of the data breach. Schnucks has now announced that approximately 2.4 million cards may have been compromised as a result of malware being installed on Schnucks’ computer network. News reporting indicates that Schnucks’ payment processor warned the company in March that customers’ cards had been used for fraudulent purchases shortly after being used at Schnucks stores. Schnucks contacted Mandiant, a forensic investigation firm, which determined that malware was capturing credit card and debit card numbers.

Schnucks has stated that while the card numbers and expiration dates were accessed, no names, addresses or other personal identifying information was stolen. Schnucks has set up a hotline number for its customers to call with questions or concerns regarding this breach.

This data breach follows the February-announced breach of the Arizona-based grocery store chain Bashas. Bashas operates approximately 130 grocery stores and also sustained a breach as a result of a malware attack. News reporting indicates that over 400 customers have reported fraudulent charges on credit or debit cards that had previously been used at Bashas.

These two recent breaches highlight the ongoing malware attacks on retail chain stores. Cyber criminals continue to look to the retail industry as fertile ground for the theft of information from point-of-sale systems. Retail companies and their insurers must be vigilant on a daily basis for these types of malware attacks, which can result in millions of dollars of damages and costs once a breach has been detected.

ANOTHER GOVERNMENTAL AGENCY EXTENDS CREDIT MONITORING FOR DATA BREACH VICTIMS

Last year the State of Utah announced that cyber hackers had accessed governmental computers and stolen personally identifiable information of approximately 780,000 individuals. The information stolen included approximately 280,000 Social Security numbers. Among other remedies, the state offered credit monitoring for one year. State lawmakers have now approved one million dollars to extend the credit monitoring for a second year. Approximately 25% of the people with exposed Social Security numbers have already signed up for credit monitoring. These individuals will have their credit monitoring extended automatically. Additional victims can also continue to sign up for this service.

This announcement comes in the wake of the massive data breach hacking incident at the South Carolina Department of Revenue. Last fall, South Carolina announced that millions of consumers and businesses had information accessed by cyber hackers.

South Carolina has spent more than $20,000,000 for breach related costs. Approximately $12,000,000 was paid to Experian for credit monitoring services for one year. The registration deadline for the year of credit monitoring just ended. Reports have indicated that the enrollment rate far exceeded the industry norm of 5 to 15%. Approximately 1.5 million of the 3.8 million affected taxpayers have contacted the state to request credit monitoring. These reports have also indicated that Experian is offering a second year of credit monitoring coverage to South Carolina for $10 million. State lawmakers plan to debate whether additional credit monitoring services will be provided and how the services will be paid for. Other news reports have indicated that some state representatives have floated the idea of credit monitoring for 10 years. Obviously, such an extensive credit monitoring term would be extremely expensive.

These breaches and the subsequent credit monitoring expansions demonstrate how governmental agencies may be forced, for a variety of reasons, to offer more than the standard one year of credit monitoring for a data breach. If more and more governmental agencies respond to data breaches with multi-year credit monitoring, such a standard may force private entities to increase the credit monitoring services that they also provide after a breach. Businesses and their insurers should continue to monitor the breach responses of governmental agencies and, in particular, the costs that are incurred by these agencies.

State of the Cybersecurity Union — Obama’s Executive Order Aimed at Cyberattacks

“We know hackers steal people’s identities and infiltrate private e-mail.  We know foreign countries and companies swipe our corporate secrets.”  With those words, and just prior to his 2013 State of the Union address, President Obama signed an executive order on cybersecurity.   The order is focused on protecting critical cyber infrastructure from cyberattacks.

As an executive order, it directs government agencies to establish policies and procedures to thwart cyber intrusions. Probably the most significant provision is that the Department of Homeland Security (DHS) and the Director of National Intelligence must now share information about cybersecurity threats with the private sector. This could include classified as well as unclassified data, depending on the threat and the nature of the infrastructure potentially affected.

To the relief of privacy groups and technology companies, this information sharing is a one-way street, meaning that companies like Google and Microsoft will not have to share their data with the government, which, privacy groups warned, could potentially involve personal information of their users. In fact, the order directs DHS to assess the privacy risks of any programs undertaken as a result of the order.

Further, the executive order requires the establishment of a “Cybersecurity Framework” meant to reduce the cyber risks to critical infrastructure. The framework must include standards, procedures and processes to reduce cyber risks, incorporating industry best practices. The final version of the Cybersecurity Framework is due to be issued within one year of the date of the order, that is, by February 12, 2014.

It remains to be seen what new policies and procedures will be implemented as a result of President Obama’s order and what the final “framework” will look like.  However, this action is certainly an acknowledgment of the increasing threat of cyberattacks, not only to individuals and their personal information, but also to national security.

FTC IS TARGETING PRIVACY ON MOBILE DEVICES

Earlier this month the Federal Trade Commission released a set of non-binding recommendations for the mobile industry to strengthen its privacy controls and allow consumers to opt out of being tracked by ad networks on their smartphones.

FTC regulators want the mobile industry to obtain consumers’ permission to track their location and access other personal information on their mobile phones. Mobile app makers should also consider using icons to depict what types of data they collect from mobile users, rather than just fine print. These recommendations will affect not only large technology companies such as Google and Microsoft but also smaller application makers. While many companies have already adopted some of the suggestions voluntarily, regulators have sanctioned app makers in the past for privacy violations.

For instance, the commission also announced an $800,000 settlement with Path Inc., the maker of a popular social-networking app, for collecting personal data on child users without their parents’ consent. Path also settled charges that it misled users of all ages by scraping information from smartphone address books without permission.

Mobile technology companies and their insurers should be fully aware that the FTC is placing more and more of an emphasis on personal privacy as millions of Americans now carry devices constantly connected to the internet. Once the FTC begins to regulate and sanction the mobile industry, civil actions by private individuals are likely not far behind.


HHS ISSUES FINAL BREACH NOTIFICATION RULES – The end of “no harm, no foul”?

Last week the Department of Health and Human Services (HHS) issued its long-awaited “Final Rule” [.pdf] meant to strengthen various HIPAA/HITECH privacy and security rules related to individuals’ health information. The 563 pages of federal regulations contain numerous rule modifications. Notably, with respect to the scope of this blog, there are significant changes to the Breach Notification Rule for protected health information (PHI).

When originally issued as an “interim final rule” in 2009, the Breach Notification Rule included a risk of harm assessment for determining whether protected health information had been compromised in a breach incident.  Specifically, the interim rule stated:

“compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”

Thus, covered entities under HIPAA had been able to conduct a risk of harm analysis focusing on the individuals potentially affected by a breach when assessing whether a breach had occurred. This subjective standard certainly could be helpful to an organization if it was inclined to lean towards a determination that a particular incident involving PHI did not trigger notification obligations. Now, however, this potential “never mind” no longer exists.

Rather, under the final rule, HHS has clarified that the impermissible use or disclosure of PHI is PRESUMED to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised.  The new regulations include 4 factors for an entity to use in conducting such a risk assessment:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

In other words, the focus of any risk assessment after a potential breach has moved from whether individuals were harmed to factors related to the PHI itself. While it remains to be seen how these new risk assessment rules will play out, it certainly appears that HHS has intentionally lowered the bar for reportable incidents.

Whether focusing on PHI (data) instead of individuals is a good thing is certainly debatable, and the new rule is likely to lead to many more PHI incidents where breach notification obligations are triggered. If the goal is to ensure the privacy and security of PHI, perhaps the threshold lowering is meant to make covered entities and business associates pay more attention.

Of course, cynics may point out that the new rules simply increase the power of a government agency, but fail to adequately take into account the actual impact on individuals. In other words, “no harm, no foul” may no longer apply when it comes to the Breach Notification Rule.

Note that the effective date of the final rule is technically March 26, 2013.  However, Covered Entities and Business Associates have until September 23, 2013 to comply with the requirements of the final rule.

OFFICE OF CIVIL RIGHTS RINGS IN NEW YEAR WITH SIGNIFICANT HIPAA DATA BREACH SETTLEMENT

The HHS’ Office of Civil Rights (OCR) announced today that The Hospice of North Idaho has agreed to pay a $50,000 settlement for violations of the HIPAA Security Rule. OCR made a point of announcing that the settlement is the first one that involves a breach of unprotected PHI affecting fewer than 500 individuals. In June 2010, an unencrypted laptop computer was stolen from the provider. A subsequent OCR investigation determined that the health care provider had no policies or procedures in place for data security.

Health care providers and their insurance carriers should remember that while a breach affecting more than 500 individuals must be reported within 60 days, breaches affecting fewer than 500 individuals must still be reported on an annual basis. OCR is clearly sending a message at the start of the year that all health care providers must have proper data security procedures or run the risk of future penalties and fines.

This settlement demonstrates that data breaches, no matter the size, can result in significant costs and negative publicity for entities that are not properly prepared for a breach.