[BreachExchange] Preparing for a Potential Healthcare Data Breach Investigation

[Audrey McNeil]

https://healthitsecurity.com/news/preparing-for-a-potential-healthcare-data-
breach-investigation

A current and comprehensive risk management plan, including a good auditing
process, will be critical for organizations that must deal with a
healthcare data breach investigation. Covered entities and business
associates will be better able to help law enforcement and also ensure that
individuals and necessary agencies are properly notified.

A common part of the investigation process with healthcare data breaches is
when the discovery of the breach actually takes place, according to Mayer
Browns’ Cybersecurity & Data Privacy and Health Care attorney Laura
Hammargren.

“Is it the minute you know that something might have been breached? Or is
it when you have the full, comprehensive picture of what exactly happened?”
she said. “How certain do you have to be that the entity was breached,
before there is some sort of obligation?”

In some cases, an individual might suspect that a data breach took place,
but it must be confirmed. That is always a consideration with what law
enforcement looks into for a potential data breach, and the law may vary in
different locations.

“There can be a lot of different factors that impact how long takes to
figure out what exactly happened,” Hammargren stated. “Depending on what
kind of data breach or attack it was, for example, many of these incidents
are very sophisticated. Hackers may be able to cover their tracks very
well, so you may have no idea what information may have been lost, what
information may have been accessed, or to what extent it was accessed.”

An investigation may also need to determine how long the information had
been accessed, which can have a big impact the potential scope of the
breach and where the source was from, she added. Additionally, it often
takes a lot of forensic investigation to figure all of that out.

“A company’s computer system is complicated,” Hammargren explained, noting
that this can further complicate the investigation itself. “There are
usually several old systems and it might not be as clear as to what someone
would have access to. It’s not an easy process.”

There can be varied language as well within the law about what exactly
discovery or full knowledge of a data breach means, she reiterated.

Healthcare organizations may just receive an indication that certain
systems were accessed, but not be able to determine exactly which records
in that system were accessed. There could be several pages or different
components of those records, Hammargren noted.

For example, a hospital may know that a system contains Social Security
numbers. If that system is accessed, there is an obligation to notify
individuals about the potential of their Social Security number being
exposed.

It can be difficult to perfectly pinpoint the specific information that was
viewed, copied, or impacted in some way. Part of many organizations’ best
practices is to provide broad terms of what happened and explain that a
system containing certain data was accessed, but it is not guaranteed that
any specific information was truly exposed.

 Law enforcement will typically take the lead in any type of investigation,
Hammargren said. It can be a one-way information gathering process, where
law enforcement will lean very heavily on the healthcare entity to get
information.

“They want to secure evidence and will work with you on that,” she stated.
“But the law enforcement agency will generally be doing the investigation
and they will disclose whatever they want to.”

A law enforcement investigation could also potentially impact the data
breach notification process. For example, if the FBI would determine that
consumer notification could possibly compromise the investigation, it might
instruct a covered entity to delay in sending out notice of an incident.

However, healthcare organizations need to ensure that this is the case.
Both state and federal requirements allow for law enforcement
investigations, but entities need to not overly delay the notification
process at the same time.

CoPilot Provider Support Services, Inc. agreed to a $130,000 settlement
with the state of New York in 2017. In that instance, the New York Attorney
General determined that CoPilot waited over one year to provide notice that
a data breach exposed 221,178 patient records.

CoPilot stated that it delayed notification because of an ongoing law
enforcement investigation.

“The FBI never determined that consumer notification would compromise the
investigation, and never instructed CoPilot to delay victim notifications,”
the AG’s office said.

“General Business Law § 899-aa requires companies to provide notice of a
breach as soon as possible, and a company cannot presume delayed
notification is warranted just because a law enforcement agency is
investigating.”

Federal regulations, including HIPAA and the HITECH Rule are often key
concerns for potential ramifications following a data breach, Hammargren
said. Civil class-action lawsuits can also occur, but those are very
difficult to prove loss or harm.

The 2015 Anthem data breach that impacted 78.8 million individuals spawned
numerous class action lawsuits, with a $115 million settlement proposed in
2017. The organization “failed to properly protect personal information in
accordance with their duties, had inadequate data security, and delayed
notifying potentially impacted individuals,” according to the settlement.

However, the US Court of Appeals, Fourth Circuit, dismissed a data breach
lawsuit in February 2017 where a VA medical center was accused of privacy
and security violations.

William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC)
reported two separate data breaches in 2013 and 2014.

The Dorn VAMC data breaches created an “increased risk of future identity
theft,” the Plaintiffs stated. The necessary protection measures following
the incidents were also very costly. The appeals court though said that
there was a lack of subject-matter jurisdiction.

A “substantial risk of harm” could not be proven, the appeals court
maintained.

“Contrary to some of our sister circuits, we decline to infer a substantial
risk of harm of future identity theft from an organization's offer to
provide free credit monitoring services to affected individuals,” the
ruling said. “To adopt such a presumption would surely discourage
organizations from offering these services to data-breach victims, lest
their extension of goodwill render them subject to suit.”

Healthcare organizations should therefore ensure that they are adhering to
all state and federal regulations with the data breach notification
process, Hammargren stated. A comprehensive approach to cybersecurity will
also be crucial in prevention and detection measures.

“Entities will just want to make sure that they are well-versed in the
regulations,” she maintained. “Organizations may want to hire a forensic
expert to put in place, and ensure there is a current privacy plan, or
cybersecurity plan to safeguard from potential risks.”

Healthcare truly is a targeted industry for cybersecurity attacks because
of the amount of valuable information they hold, Hammargren said.

Healthcare organizations can also have older electronic systems in place,
or even legacy devices, in which it is more difficult to implement certain
protections. Smaller entities may not have the necessary funds for
implementing more intricate cybersecurity plans or systems, she noted.

“It is something to prioritize and to devote whatever resources you can to
implementing a plan,” Hammargren stated. “But hire consultants. Hire
someone with a good background and experience in it.”

These staff members can help to safeguard an organization from potential
cybersecurity threats, but could also be key should an incident occur and
regulators “come knocking,” she added.

“Someone with the right experience can help mitigate certain types of risk.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180403/9e200394/attachment.html>