In the wake of the Anthem breach, hackers continue to target the healthcare industry. At the close of May, CareFirst BlueCross BlueShield reported a data breach that it had initially discovered last year; when the incident was first noticed, the company believed it had adequately taken care of the problem. CareFirst said at the time that it “had contained the attack and prevented any actual access to member information.” Unfortunately, ten months later, CareFirst discovered that the breach had, in fact, continued.
The breach affected information on about 1.1 million individuals. CareFirst discovered it during an information technology security review conducted in the wake of the attacks on Anthem and Premera. According to CareFirst, in June 2014 hackers gained access to a single database in which CareFirst stores the data that members and other individuals enter in order to access the company’s websites and online services.
This incident offers a clear lesson to other organizations: believing that an attack has been contained is not the same as verifying it, and it is time to review security procedures and address gaps in protections before it is too late. Healthcare data is obtained and stored by a variety of entities, all of which are expected to be aware of these risks and to be acting to prevent them. Healthcare data is extremely valuable to criminals because it can be re-packaged and sold for a number of different criminal campaigns. In light of these most recent attacks, we are encouraging all our clients to conduct an internal audit of their security protocols and to implement HIPAA policies and procedures that address current threats.
If you have questions or would like to discuss your HIPAA compliance questions, please contact a member of the McGrath North Privacy and Data Security team.
Over the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding $10 million since June 2013. In addition to these increased OCR enforcement efforts, the Federal Trade Commission (“FTC”) has now entered the fray as a further federal enforcer of healthcare data breaches.
In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information. The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act. In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act. On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding. Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.
Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and the state Attorneys General, who are given direct enforcement power under HIPAA: the FTC has clearly asserted itself as an additional regulator of healthcare data breaches. Businesses should remain diligent in their HIPAA compliance efforts, as a single breach of PHI may result in multiple enforcement actions. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.