Category: Data Privacy and Security

Safe Harbor Agreement Between United States and EU Ruled Invalid

For years, companies in the United States have relied on a Safe Harbor to the EU Directives (the stringent privacy requirements imposed by the European Union) to qualify for the ability to transfer protected data between EU countries and the United States. Today, however, the European Court of Justice ruled that the agreement between the EU and the United States that created the Safe Harbor is invalid. In addition, the European Court of Justice indicated that each of the 28 countries comprising the EU may make their own determinations as to how companies collect and use information gathered on its citizens, thereby removing the uniformity among the EU nations with regard to data privacy…. Continue Reading →

Anthem Data Breach: What You Need to Know Now

Health care data breaches are not new. The breach announced by health insurer Anthem on February 5, 2015 is notable mostly for its scope. According to Anthem’s statement, hackers utilized a very sophisticated cyber attack to gain access to the information of potentially 80 million current and former Anthem members. The information accessed included names, birthdays, medical IDs, Social Security numbers, addresses, email addresses, employment information and income data of current and former members, including Anthem employees. At the time of Anthem’s statement, there was no evidence that credit card or medical information, such as claims, test results or diagnostic codes, were targeted or compromised. The breach appears to be the largest cyber attack ever disclosed by a health care company.

Data breaches are complex and often are confusing for potentially affected individuals. As with any major event, there will be information published that is accurate and some that is inaccurate. It is important for all involved to operate based on accurate information. To aid in that effort, we offer the following information:

  • It is widely accepted and reported that medical information is 10 to 20 times more valuable on the black market than credit card numbers. This makes health care organizations attractive targets for criminals seeking to profit from such information. Most health care organizations make reasonable efforts to prevent unauthorized access to identifiable information, but staying ahead of the hackers has proven to be a complicated task.
  • Anthem is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); therefore, to the extent the identifiable information accessed by the hackers was provided to Anthem in its role as a health plan or as a third-party administrator of a health plan, it has obligations under HIPAA with respect to that information. HIPAA requires that written notice of a breach be provided to each affected individual and to the federal government. Because the breach involves more than 500 individuals, it will be subject to a mandatory investigation by the federal government. If the government investigation finds that Anthem did not have reasonable and appropriate safeguards in place or otherwise violated HIPAA, it may impose a civil monetary penalty.
  • Many states have data breach laws that may also apply to Anthem based on where the affected individuals reside. The requirements of those state laws generally are similar to HIPAA but may require notification on a shorter time frame and to the state’s Attorney General or other agency. States where affected individuals reside are also likely to investigate the breach and may impose a financial penalty if it is found that Anthem did not have reasonable procedures in place to protect and safeguard the information.
  • Individuals do not have the ability to sue for violations of HIPAA or most state data breach laws, but there have been several cases recently where individuals have sued health care organizations under common law theories of liability such as invasion of privacy or breach of fiduciary duty. In a breach the size of the Anthem breach, class action lawsuits based on one of these theories are likely to occur. In fact, it is our understanding that one was filed in Indiana on the same day that Anthem announced the breach.
  • It is likely that the majority of individuals affected will not experience any identity theft or other adverse effects from the Anthem breach. In addition, if an individual does experience identity theft subsequent to this breach, it may be difficult in many cases to identify which breach was the source for the information that led to the identity theft given the number of large breaches recently in the retail sector and the various other means that criminals have to access information. This could also hinder individuals from establishing the damages needed for a successful lawsuit.
  • Entities that suffer data breaches, including Anthem, typically offer to pay for credit monitoring services for all affected individuals, which can be an effective component of monitoring for unauthorized activity. The most effective action that any individual can take is to always be vigilant in monitoring activity on financial accounts and to notify your financial institutions immediately of any suspicious activities. Furthermore, whenever a breach involves a health care institution, individuals should closely monitor their Explanation of Benefit forms and any communications or information from their health care providers and insurers that may indicate that medical identity theft has occurred and report any suspicious activity to their health care provider or insurer.

Anthem has established a website,, to provide information about the breach. As well, current and former members can call (877) 263-7995 for additional information.

If you have questions regarding the data breaches or information security, please contact:

CMS Extends EHR Attestation Deadline for Eligible Hospitals

This week, the Centers for Medicare & Medicaid Services (“CMS”) announced that it is extending the deadline for eligible hospitals and critical access hospitals (“CAHs”) to attest to meaningful use for the Medicare Electronic Health Record  Incentive Program for the 2014 reporting year from 11:59 PM EST on November 30, 2014 to 11:59 PM EST on December 31, 2014.

This extension will allow more time for applicable hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.

CMS is also extending the deadline for eligible hospitals and CAHs that are electronically submitting clinical quality measures to meet that requirement of meaningful use and the Hospital Inpatient Quality Reporting program. Hospitals now have until December 31, 2014 to submit their eCQM data via Quality Net.

If you have questions regarding meaningful use attestation deadlines, please contact:

OIG Fiscal Year 2015 Work Plan

On October 31, 2014, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released the Work Plan for Fiscal Year 2015 (“Work Plan”). The Work Plan confirms OIG will continue to concentrate a great deal of their enforcement efforts on the security and vulnerabilities of protected health information (“PHI”) contained in electronic health records (“EHRs”). The continued focus on data security contained in EHRs aligns with the goals of the OIG Strategic Plan 2014-2018, where OIG identified EHRs as one of its key focus areas until at least 2018.

Given the increased frequency and publication of health information breaches, it is no surprise the OIG for the first time indicated it plans to examine hospitals’ contingency plan policies and procedures to determine if adequate safeguards are in place in the event systems containing PHI are damaged. OIG also indicated it will continue to examine the Centers for Medicare & Medicaid Services’ (“CMS”) oversight of hospitals’ security controls over networked medical devices, such as dialysis machines, radiology systems and medication dispensing systems. OIG will also continue to conduct audits of eligible hospitals and professionals who received Medicare and Medicaid Meaningful Use Incentive payments to determine whether such payments were proper.

It is worth noting the Work Plan did not include assessing the security and vulnerabilities of portable devices containing PHI as a priority. This may be an indication  OIG has completed its review of the issue.

Click here to read OIG’s Work Plan.

If you have any questions or would like additional information about these topics, please contact:

Impacts of Heartbleed Exploit Come to Light

Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to get private encryption keys that would unlock secure data. It reported multiple winners to its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes the security verification. They could also decrypt traffic passing between a client and a server, known as a man-in-the-middle attack, or possibly unscramble encrypted communications they’ve collected in the past…. Continue Reading →

IT Security Standards Hospitals Should Know About

Health information technology solutions that are remotely hosted or cloud based are becoming more common.  In these scenarios, a health care provider  is allowing its data – often times including protected health information (“PHI”) – to flow through or be stored in the vendor’s data center.  If PHI is involved, the parties should determine whether a Business Associate Agreement (“BAA”) is necessary for HIPAA compliance.  But knowing a vendor’s security standard – regardless of whether a BAA is in place – can provide the health care provider confidence that its data will be protected, with a lower risk of damaging breaches occurring…. Continue Reading →

FTC Issues Mobile Privacy and Security Publications

On February 1, 2013, the Federal Trade Commission (FTC) issued two publications recommending ways that key players in the mobile marketplace, such as operating system providers, application developers, advertising networks and analytics companies, can promote mobile privacy and security.

Continue Reading →

Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations

Attached is a link to a webinar that I recently conducted with Teramedica on Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations.

This one-hour webinar helps health care organizations gain tactical insight into the essential legal and business requirements of establishing an effective records management and data retention program. Patient data storage and data access is becoming one of the most costly and challenging areas of health care delivery.Continue Reading →

Court finds security system of bank is not commercially reasonable


In analyzing a claim under Article 4A (Electronic Funds Transfers) of the Uniform Commercial Code, the U.S. Court of Appeals for the First Circuit determined that a bank did not utilize commercially reasonable security procedures when it failed to monitor risk reports and decreased the dollar threshold which triggered use of challenge questions by customers.   Patco Construction Company, Inc. v. Peoples United Bank (July 3, 2012) . The practical take away from this ruling is that “commercially reasonable security” requires active monitoring and that the effectiveness and commercially reasonableness of security procedures can be impacted by treating all transactions as “high risk.”… Continue Reading →

Opinions about Mobile Device Privacy and Security Due to ONC by March 30, 2012

The public comment period regarding securing health information while using mobile devices ends on March 30, 2012. Information regarding ONC’s Mobile Device Roundtable discussion and a link to provide comments can be found here.

Should you have any questions, please contact Alisa Kuehn at 317.977.1475 or