How can providers keep pace with the evolving risks of network security and data privacy in the healthcare industry? Mario Paez, national practice advisor, Technology, Privacy, and Network Risk, Wells Fargo Insurance Services USA, gives his view.
According to the World Privacy Forum, stolen medical information is worth $50 on the street versus $1 or $2 for a Social Security number (SSN). A health record is more valuable because it can be used to access prescription drugs, pay for treatment, or submit false or inflated medical claims. Multiply the number of health records your organization has by $50 and you’ll quickly see why the healthcare industry has emerged as one of the most attractive and lucrative targets for identity thieves.
Between 2011 and 2013, 701 healthcare providers disclosed privacy breaches, and the risk is growing, exacerbated by the growing automation and adoption of electronic health records (EHRs), rapid changes in the healthcare delivery system, and millions of new patients entering the healthcare system as a result of the Affordable Care Act. Further, evolving data breach requirements and regulations at the federal and state levels will likely lead to increased fines, enforcement actions, and litigation.
Data breaches not only threaten providers’ reliability and resiliency, but could also result in significant financial losses. Consider these recent examples of breaches at healthcare organizations.
NYP and CU
In September 2010 New York-Presbyterian Hospital and Columbia University (NYP and CU) submitted a joint breach report to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding the disclosure of the protected health information (PHI) of 6,800 individuals, including patient status, lab results, vital signs, and medications.
Due to the lack of technical safeguards, the deactivation of a personal server on the NYP and CU shared data network resulted in PHI being accessible on internet search engines. In May 2014, NYP and CU agreed to pay the OCR a combined $4.8 million to settle charges that they potentially violated Health Insurance Portability and Accountability Act (HIPAA) rules.
The two institutions also agreed to “a substantive corrective action plan, which included undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.” The combined monetary assessment is the largest HIPAA settlement to date.
In late 2013, AvMed settled a $3 million class action lawsuit related to the December 2009 theft of two unencrypted laptops, which contained personal information—including names, addresses, SSNs, and medical data—on 1.2 million AvMed members. The settlement was unique, as it awarded plaintiffs regardless of whether or not they suffered identity theft. The agreement required AvMed to pay impacted customers $10 for each year they paid premiums prior to the theft, with a maximum of $30.
The settlement explained the amount as a ‘refund of premium overpayment’—money that AvMed should have spent on data security. Customers who suffered identity theft as a result of the breach could also claim reimbursement from AvMed.
The responsibility to protect private data
The regulatory environment, at both state and federal levels, has evolved significantly over the past few years. Government agencies are becoming more proactive in their requirements and enforcement actions pertaining to safeguarding PHI.
The 2013 modifications to the HIPAA Omnibus Rule, for example, include various new requirements for healthcare organizations’ collection, storing, and processing of PHI, as well as standards for use and disclosure of PHI with business associates. Effective September 22, 2014, covered healthcare organizations had to bring all of their Business Associate Agreements (BAAs) into compliance with the rules.
At the state level, data breach notification laws continue to evolve, further requiring healthcare organizations with personally identifiable information (PII) and PHI to comply with numerous, sometimes conflicting, requirements. To ensure compliance, it is vital for healthcare organizations and business associates to monitor the changing regulatory landscape and maintain updated breach response plans.
Wells Fargo Insurance has the experience, knowledge, and market relationships to help your organization implement a comprehensive strategy for managing technology, network security, and privacy liability. Working with the industry’s leading insurance markets, we provide access to cost-effective products that cover costs associated with:
- Unauthorized access or use of computer systems;
- Theft, loss, or wrongful disclosure of proprietary information;
- Identity theft;
- Data or network sabotage;
- Cyber extortion and cyber terrorism;
- Corruption or destruction of digital assets;
- Loss or theft of portable devices;
- Errors and omissions related to technology and the internet;
- First-party business income loss and electronic data restoration expenses;
- Regulatory defense, fines, and penalties;
- Consumer redress funds; and
- Crisis management.
For more information on this topic, contact Wells Fargo Insurance healthcare industry segment leader Terri Edwards at firstname.lastname@example.org n
This advisory is for informational purposes and is not intended to be exhaustive nor should any discussions or opinions be construed as legal advice. Readers should contact a broker for insurance advice or legal counsel for legal advice.
Products and services are offered through Wells Fargo Insurance Services USA, Inc, a non-bank insurance agency affiliate of Wells Fargo & Company.
Products and services are underwritten by unaffiliated insurance companies except crop and flood insurance, which may be underwritten by an affiliate, Rural Community Insurance Company. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other.
Mario Paez, US, World Privacy Forum, SSN, EHRs, ACA, NYP, CU, HHS, OCR, PHI, AvMed, Crisis management