A current and comprehensive risk management plan, including a good auditing process, will be critical for organizations that must deal with a healthcare data breach investigation. Covered entities and business associates will be better able to help law enforcement and also ensure that individuals and the necessary agencies are properly notified.
A common question in the investigation process for healthcare data breaches is when the discovery of the breach actually takes place, according to Mayer Brown’s Cybersecurity & Data Privacy and Health Care attorney Laura Hammargren.
“Is it the minute you know that something might have been breached? Or is it when you have the full, comprehensive picture of what exactly happened?” she said. “How certain do you have to be that the entity was breached, before there is some sort of obligation?”
In some cases, an individual might suspect that a data breach took place, but it must be confirmed. That confirmation is always part of what law enforcement looks into for a potential data breach, and the applicable law may vary by location.
“There can be a lot of different factors that impact how long it takes to figure out what exactly happened,” Hammargren stated. “Depending on what kind of data breach or attack it was, for example, many of these incidents are very sophisticated. Hackers may be able to cover their tracks very well, so you may have no idea what information may have been lost, what information may have been accessed, or to what extent it was accessed.”
An investigation may also need to determine how long the information had been accessed, which can have a big impact on the potential scope of the breach, and where the attack originated, she added. Additionally, it often takes a lot of forensic investigation to figure all of that out.
“A company’s computer system is complicated,” Hammargren explained, noting that this can further complicate the investigation itself. “There are usually several old systems and it might not be as clear as to what someone would have access to. It’s not an easy process.”
The language of the law can also vary as to what exactly discovery or full knowledge of a data breach means, she reiterated.
Healthcare organizations may just receive an indication that certain systems were accessed, but not be able to determine exactly which records in that system were accessed. There could be several pages or different components of those records, Hammargren noted.
For example, a hospital may know that a system contains Social Security numbers. If that system is accessed, there is an obligation to notify individuals about the potential of their Social Security number being exposed.
It can be difficult to perfectly pinpoint the specific information that was viewed, copied, or otherwise impacted. A common best practice among organizations is to describe in broad terms what happened and explain that a system containing certain data was accessed, while making clear that it is not certain that any specific information was truly exposed.
Law enforcement will typically take the lead in any type of investigation, Hammargren said. It can be a one-way information gathering process, where law enforcement will lean very heavily on the healthcare entity to get information.
“They want to secure evidence and will work with you on that,” she stated. “But the law enforcement agency will generally be doing the investigation and they will disclose whatever they want to.”
A law enforcement investigation could also potentially impact the data breach notification process. For example, if the FBI determines that consumer notification could compromise the investigation, it might instruct a covered entity to delay sending out notice of an incident.
However, healthcare organizations need to verify that this is actually the case. Both state and federal requirements allow for delays due to law enforcement investigations, but entities must not unduly delay the notification process at the same time.
CoPilot Provider Support Services, Inc. agreed to a $130,000 settlement with the state of New York in 2017. In that instance, the New York Attorney General determined that CoPilot waited over one year to provide notice that a data breach exposed 221,178 patient records.
CoPilot stated that it delayed notification because of an ongoing law enforcement investigation.
“The FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” the AG’s office said.
“General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”
Federal regulations, including HIPAA and the HITECH Rule, are often key concerns for potential ramifications following a data breach, Hammargren said. Civil class-action lawsuits can also occur, but in those cases it is very difficult to prove loss or harm.
The 2015 Anthem data breach that impacted 78.8 million individuals spawned numerous class action lawsuits, with a $115 million settlement proposed in 2017. The organization “failed to properly protect personal information in accordance with their duties, had inadequate data security, and delayed notifying potentially impacted individuals,” according to the settlement.
However, the US Court of Appeals, Fourth Circuit, dismissed a data breach lawsuit in February 2017 where a VA medical center was accused of privacy and security violations.
William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC) reported two separate data breaches in 2013 and 2014.
The Dorn VAMC data breaches created an “increased risk of future identity theft,” the plaintiffs stated. The necessary protection measures following the incidents were also very costly. The appeals court, though, said that there was a lack of subject-matter jurisdiction.
A “substantial risk of harm” could not be proven, the appeals court maintained.
“Contrary to some of our sister circuits, we decline to infer a substantial risk of harm of future identity theft from an organization's offer to provide free credit monitoring services to affected individuals,” the ruling said. “To adopt such a presumption would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit.”
Healthcare organizations should therefore ensure that they are adhering to all state and federal regulations with the data breach notification process, Hammargren stated. A comprehensive approach to cybersecurity will also be crucial in prevention and detection measures.
“Entities will just want to make sure that they are well-versed in the regulations,” she maintained. “Organizations may want to hire a forensic expert to put in place, and ensure there is a current privacy plan, or cybersecurity plan to safeguard from potential risks.”
Healthcare truly is a targeted industry for cybersecurity attacks because of the amount of valuable information its organizations hold, Hammargren said.
Healthcare organizations can also have older electronic systems in place, or even legacy devices, in which it is more difficult to implement certain protections. Smaller entities may not have the necessary funds for implementing more intricate cybersecurity plans or systems, she noted.
“It is something to prioritize and to devote whatever resources you can to implementing a plan,” Hammargren stated. “But hire consultants. Hire someone with a good background and experience in it.”
These staff members can help to safeguard an organization from potential cybersecurity threats, but could also be key should an incident occur and regulators “come knocking,” she added.
“Someone with the right experience can help mitigate certain types of risk.”