Our experienced team views data breach response as a joint effort in partnership with the client where the client’s philosophy, brand and customer base are considered integral in reconciling compliance with the numerous, and often competing, laws and regulations. [...]
Whose job is data security? What role does encryption play in helping to prevent a data breach? Does my business need data breach insurance?
I discuss these topics and more in the article, “How to Minimize the Threat of the Dreaded Data Breach,” published in the current edition of Catalyst, the magazine of the PA Chamber of Business and Industry.
Last month, during the holiday season, the Department of Health and Human Services’ Office of Civil Rights (OCR) announced that a small healthcare provider in Concord, Massachusetts, Adult & Pediatric Dermatology, P.C. (APD), had agreed to settle potential violations of HIPAA/HITECH privacy regulations for $150,000. The case has received significant attention in the privacy field because it was OCR’s first settlement with a covered entity for not having policies and procedures in place to address data security, as opposed to imposition of a fine for an actual data breach.
In 2011, APD reported that a thumb drive with approximately 2,200 individuals’ PHI was stolen from a staff member’s vehicle. The thumb drive was not recovered. OCR’s investigation determined that APD failed to conduct, as required by HIPAA/HITECH, a proper risk evaluation of its security management processes prior to the breach. OCR’s director Leon Rodriguez was quoted as follows, “As we say in healthcare, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
This settlement is a cautionary tale for healthcare providers as we turn the page on a new year. By proceeding to settlement and commenting on the case, OCR is sending the message to both big and small medical providers that data security must continue to be a priority in 2014.
Horizon Blue Cross Blue Shield of New Jersey recently began notifying more than 839,711 members that two laptops containing personal information were stolen from its corporate headquarters last month. Shockingly, while the two laptops were cable locked to workstations, the Personally Identifiable Information (PII) of over 800,000 members was unencrypted. Names, addresses, member identification numbers, birth dates and, in some cases, social security numbers or clinical information were accessible. As our readers are certainly aware, the fact that clinical information was available makes this not only a multi-state data breach but also a HIPAA/HITECH violation that will result in an Office of Civil Rights (OCR) investigation.
News reports indicate that only members whose social security numbers were compromised are being offered free credit monitoring and identity theft protection. That decision may change as the breach becomes more public and state regulators and the OCR become involved.
Businesses and their insurers must do everything possible to guard against the risk of human error, cyber attacks and theft by encrypting all computers and laptops that contain PII. Even though these laptops were cable locked to the workstations, they were stolen over a weekend, and a major data breach response is now required because the systems were unencrypted. The encryption of laptops should be #1 on any business’s New Year’s resolution list.
JP Morgan Chase has issued a warning that Personally Identifiable Information (PII) of over 465,000 holders of pre-paid cash cards may have been accessed by cyber hackers earlier this year. The cards are issued on behalf of government and corporate card clients and can be used for customers’ tax refunds, unemployment compensation and other benefits. News reports indicate that the breach affected the online portal system used by customers between July and September. Interestingly, according to the reports, an unknown number of hackers were able to access the data, signaling that significant security lapses may have occurred if more than one hacker was able to access the computer system and information.
A Reuters news report stated that while JP Morgan typically encrypts all customer personal information, during this breach, customers’ PII appeared in plain text files that the computers use to log activity. So far, no social security numbers, birth dates or email addresses were accessed.
Free credit monitoring is already being offered by the bank and the forensic investigation continues. The cost for this breach will likely be significant, as JP Morgan will need to comply with numerous state data breach regulations, SEC inquiries and other federal and state statutes. Insurers and their customers should take note of this data breach as another example that no matter how extensive a company’s privacy and risk management safeguards, cyber hackers are a constant threat, attempting to penetrate a business’s computer systems and steal critical personal information.
Last month Adobe Systems reported that it sustained a data breach which potentially exposed over three million customers’ information, including their password identifying information, to a cyber hacker. Adobe then announced that the number of potentially exposed customers was 38 million. Earlier this month, a data security firm, LastPass, reported that it had found email addresses, encrypted passwords and password hints from Adobe user accounts on an underground website frequented by cyber criminals. LastPass reported that more than 152 million Adobe users’ account information was found on this underground website. According to news reports, Adobe confirmed that records stolen from its data center were found on the underground website but indicated that the information was not significant.
Adobe is claiming that the database attacked was a backup system that was going to be decommissioned and that some of the records included 25 million invalid email addresses, 18 million invalid passwords, and a large percentage of fictitious accounts. Adobe is continuing to work with law enforcement and outside investigators to determine the complete facts and circumstances of the data breach. At this time, approximately 38 million active Adobe users have been notified, and Adobe is beginning to contact the owners of inactive accounts.
The number of records stolen appears to be the largest ever taken in a data breach. Other significant breaches include the Heartland payment system breach in 2009 that involved more than 130 million credit card numbers, and the notorious 2011 Sony PlayStation data breach where approximately 100 million records were accessed by hackers. While Adobe continues to investigate this data breach and slowly provides information to the public, businesses and their data security teams should re-emphasize to all employees, customers and vendors that they must be especially vigilant in not opening or using any files or emails from unknown entities, as you could be one click away from allowing a cyber hacker to gain entry into your system.
A high profile firm that provides software management solutions for the limousine and ground transportation industry is a recent victim of a computer hacking and data breach event that potentially exposed the credit card and other personal information of approximately one million customers. The Associated Press reports that Hold Security, a data security firm, discovered the breach at Corporatecaronline in October. Hold Security alleges it advised the company that Personally Identifiable Information (PII) had been stolen, but Corporatecaronline has not publicly acted upon the information. According to the news report, various limo and car services companies across the country purchased software from Corporatecaronline and used it for reservations, dispatching and forms of payment. In addition to the exposure of credit card information, other personal details regarding celebrities and politicians who used the various limousine services were also disclosed during the hacking incident. Hold Security found the Corporatecaronline customers’ PII stored on the same computer server where personal information had been stored from other high profile hacking incidents, including Adobe Systems Inc. and PR Newswire.
This latest incident demonstrates that businesses that ignore or down-play data breaches are potentially setting themselves up for liabilities in the form of negative publicity and damages if they do not provide a quick and appropriate response to a data breach. Negative public relations aside, Corporatecaronline may have potentially affected its insurance coverage for this event if it is determined that the company did not properly report the incident to its insurance carrier.
Earlier this year we reported that Schnucks Markets, a Midwestern-based supermarket chain, had suffered an extensive data breach. News reports indicated that 2.4 million customers’ personal information was exposed as a result of Schnucks’ computers being hacked.
Last week a preliminary settlement of a class action suit was proposed in a Missouri federal district court. The proposed settlement provides a good opportunity for businesses and their insurers to review the monetary expenses that can be incurred just to settle a data breach class action suit prior to full litigation.
Under the proposed settlement, Schnucks would incur the following costs:
- Pay up to $10.00 to each customer for every card that was compromised and had fraudulent charges posted to it;
- Pay customers for certain unreimbursed out-of-pocket expenses such as bank overdrafts and late fees;
- Pay for up to 3 hours of documented time, at the rate of $10.00 an hour, that a customer spent dealing with the data breach;
- A cap of $1.6 million would apply to all of these customer reimbursement expenses, with a maximum of $170.00 per class member;
- Pay up to $10,000 for each related identity theft loss, with the total capped at $300,000;
- Pay up to $635,000 for plaintiffs’ attorney fees;
- Pay $500.00 to each of the nine main plaintiffs in the lawsuit.
This proposed settlement comes right after an announcement that a declaratory judgment action brought by Liberty Mutual against Schnucks regarding coverage for the data breach had been dropped. A spokesman for the grocery chain was quoted as stating that Liberty Mutual and Schnucks had agreed to discuss alternatives to litigation.
Clearly, the business costs for this data breach have been extremely high. If Schnucks did not purchase proper data breach insurance, the costs will be even higher. Once again this incident demonstrates the critical reasons for proper privacy and data security insurance, along with vigilant data security to prevent or limit a breach.
North Dakota recently amended its data breach notification statute to include “medical information” and “health insurance information” as personal information that could trigger consumer notification obligations if accessed in a breach of computerized data.
- “Health insurance information” is defined as: an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- “Medical information” is defined as: any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
N.D. Cent. Code, § 51-30-01 (2013).
North Dakota joins several states that already include medical information as “personal information”, such as California, Texas and Missouri. The amended North Dakota statute was effective as of August 1, 2013. It remains to be seen if other states will also expand what is deemed personal information so as to trigger consumer notification in the event of a data breach.
Pursuant to the HITECH final rules, all organizations handling healthcare data must comply with new security and privacy rules by Monday, September 23rd. All covered entities and their business associates (BA) will be subject to revised data breach notification standards. Additional restrictions on how PHI can be used and disclosed will also begin next week. Covered healthcare entities must also ensure that their BAs and other subcontractors are compliant with the final HIPAA/HITECH privacy requirements.
For instance, a cloud service provider, or business associate, for a healthcare entity can now be found directly liable for protecting PHI even if the BA just stores the provider’s data. BAs are also responsible for ensuring that their subcontractors are also protecting a provider’s customer’s PHI. In addition, healthcare entities and their BAs will not have as much discretion in determining whether a data breach has occurred and if notification is required. The stricter regulations will likely lead to more notifications for data breaches.
All of these new rules will certainly increase the risk exposure of healthcare entities and their BAs. Healthcare organizations and their BAs should ensure that they have proper cyber and privacy insurance to protect against these increased risks.
Despite tremendous publicity and public education about data breaches during the past several years, business entities continue to store personal information in unencrypted formats. The most recent example is a large Chicago medical provider, Advocate Medical Group. Advocate just announced that four computers were stolen from a Chicago hospital in July. The computers contained Personal Information for over 4 million patients. The information included patients’ names, addresses, dates of birth and social security numbers. Advocate does not believe that the computers were stolen for the PI or that the information has been used in any way. However, while the computers were password protected, the data was not encrypted; a password alone does not protect data on a stolen device whose disk can simply be read directly. As a result, the medical group is now offering credit monitoring services to over four million individuals.
Needless to say, this breach response will be extremely costly for the medical provider and its insurance carriers. By failing to use encryption, the medical group has incurred significant risk and expense. This breach comes on the heels of the California Attorney General’s data breach report which announced that more than half of California’s 2012 data breaches involved unencrypted personal data. Businesses and their insurers must make encryption the number one priority for their data security in the future.