Healthcare Entities Beware: Cyberattack vulnerability leads to HIPAA liability risk

In light of the recent U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settlements with healthcare organizations pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) last year, it is worth analyzing key potential liability concerns for healthcare clients, specifically as they relate to cyberattacks on sensitive protected health information (PHI).

HHS Resources for HIPAA Cybersecurity Compliance

The OCR has published multiple resources for covered healthcare entities to protect themselves and patients from cyber-attacks. The HHS website includes newsletters advising on HIPAA Rule compliance for defending against common cyberattacks, development of sufficient policies, and other helpful guidance.  Importantly, HHS released a Concept Paper in early December 2023 outlining its healthcare sector cybersecurity strategy—a key signal of HHS’ intent to enforce cybersecurity compliance more aggressively.

HHS’ recent focus on healthcare sector cybersecurity is undoubtedly linked to the Biden Administration’s National Cybersecurity Strategy released March 1, 2023, which detailed the federal approach to improving national cyber-defense and solidifying digital infrastructure in the United States’ inevitably digital future.  Essentially all key industries are undergoing a digital transformation through AI-launches and ever-advancing technology in delivery of service to consumers. 

Through its recently released Concept Paper, HHS details its plan to improve cybersecurity with concurrent steps of: establishing voluntary performance goals; providing incentive resources; and—most relevant—increasing enforcement and accountability for the healthcare sector.

Recent OCR Settlements

In October 2023, OCR and a medical management company (DMS) entered into a Ransomware Settlement after DMS’ network server was infected with ransomware from April 2017, going undetected by DMS until December 2018 when the ransomware encrypted files containing PHI.  More than 200,000 individuals’ electronic PHI (ePHI) was affected by this data breach.  DMS paid OCR $100,000 and entered into a resolution agreement after the OCR investigation found DMS failed to:  conduct sufficient risk analysis; implement proper audit procedures to track PHI-including system activity; and create and enforce acceptable policies and procedures to comply with HIPAA rules.  The resolution agreement required DMS to: review and update risk analyses for vulnerabilities in DMS PHI-related data; update its risk management plan to mitigate any security risks and vulnerabilities; revise written policies and procedures to better comply with HIPAA rules; and provide HIPAA training to all staff who have access to PHI.

In December 2023, OCR and a medical group specializing in emergency and occupational practice and laboratory testing (LMG) entered into a Phishing Settlement after LMG was victim to a phishing attack where an unauthorized hacker obtained access to an LMG owner’s email account.  LMG was unable to definitively identify which patients’ PHI was affected, thus leading to notification of all patients—nearly 35,000.  OCR investigation determined LMG failed to: conduct the requisite HIPAA risk analysis and implement policies and procedures to safeguard PHI through regular system activity review.  LMG agreed to pay OCR $480,000 and enter a corrective action plan through resolution agreement, including OCR-monitoring for two years.  The action plan requires LMG to: establish and implement a detailed risk management plan to reduce security vulnerability to ePHI (including conducting annual risk analyses); and develop and enforce written policies and procedures in compliance with HIPAA, including regular review of all records of information system activity and processes for evaluating when collection of new or different records must be updated.

Healthcare Cybersecurity and other Legal Risks of Data Breach

In addition to HHS penalties, data breach can also have other severe consequences on healthcare entities, including reputational damages, broken trust, monetary loss, and legal liability.  Data breach frequency continues to rise, with healthcare hit most often.

Focusing on fundamentals of cybersecurity is crucial, such as basic protections and best practices for reinforcement.  To strengthen healthcare data security, entities should encrypt sensitive data throughout the chain of custody; implement strict retention and destruction policies; minimize storing PHI on servers; establish comprehensive risk management policies; and investigate security practices of relevant third-party vendors or partners.  Implementing best practices should include standards for monitoring and access control of all individuals handling PHI; two-factor authentication credentials; automatic time-outs; password strength criteria and regular update requirements; and routine training on phishing, ransomware, and cybersecurity generally.

Despite an organization’s best efforts, though, data breaches compromising PHI can still occur.  When that happens, strict compliance with notification rules is necessary.  Under HIPAA, covered entities and their business associates must report a breach within 60 days of discovery.  If more than 500 individuals are affected, HHS, the media, and the affected individuals must also be notified.

Notably, it is not just the covered entities who can be held accountable under HIPAA.  Even individuals such as directors, employees, or officers of a covered entity can also be held directly and criminally liable for HIPAA violations, including both fines and possible jail time.  Though a patient cannot sue on the sole grounds of a HIPAA violation, patients can generally pursue damages through state privacy laws overlapping with HIPAA.

Cyber Liability Coverage

Many professional liability insurers offer cyber liability coverage which may provide comprehensive protection for high-risk sensitive information (SSN, DOB, PHI, billing records, etc.)  Some insurers also provide resources to help prevent breaches and expert guidance in necessary steps if a breach occurs.

Law Firms Beware – “Business Associates” by Definition