Recent pro-business court decisions have prompted the plaintiffs’ class action bar to turn to other lines of business that may be ripe for suit, and they have settled on hospitals, medical services providers and health insurance companies who have experienced a data breach. The U.S. Department of Health and Human Services (HHS) reports that the personal medical data for more than 11 million people has been made public in the last two years. According to the consumer advocacy group Privacy Rights Clearinghouse, just three data breaches in 2011 involved nearly 11 million patient records. And as President Obama incentivizes providers to expedite the transfer of all patient records into electronic databases, the risk of future data breaches of even greater consequence grows. Hospitals, medical practices, insurers and service providers across the country can no longer afford to be reactive.

Within the past year alone, four class action suits have been filed pursuant to California’s Confidentiality of Medical Information Act of 1981. Similar actions were filed against one of these defendants in other places as well, including New York, before being coordinated in California. In that single action, where a data breach affecting 4.24 million patients has been alleged and a $1,000 per violation statutory damage figure (not counting attorneys’ fees) has been claimed, the costs could be astronomical. And, in another of these recently filed class actions, plaintiffs’ counsel has already cited the decision by the Connecticut attorney general’s office to fine an affiliate of the defendant $370,000 two years ago in connection with an unrelated security breach as “a pattern of behavior” that must be penalized in the class action through punitive damages.

Although California is the prime location for class action suits to be filed due to its statutorily-set $1,000 per-person-per-violation damages figure, hospitals and medical service providers everywhere are at risk. For example, a class action suit was filed last year in the District of Columbia, also seeking $1,000 for each of 4.9 million affected beneficiaries.

Even when class action lawsuits do not result in payment of monetary damages, the associated costs can be high. In February 2012, a judge in Hawaii approved the settlement of the first data breach class action lawsuit filed in that state. In that settlement, the defendant agreed to provide all 90,000-plus affected persons free credit monitoring and credit restoration services for two years. At an estimated cost of $15-$20 per person per month (if purchased individually), the financial burden is substantial.

Although it did not result from a class action suit, the first settlement stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in early 2009, was announced a few weeks ago. In that settlement, a health provider agreed to pay $1.5 million to the HHS even though, without the provider’s voluntary report of a data breach, HHS never would have known about the violation because there was no indication of any subsequent misuse of personal data. In addition to the settlement payment, the provider spent more than $17 million investigating, notifying and remediating the breach. Eighteen million five hundred thousand dollars later, there is a lesson to be learned: It appears that the provider may not have needed to store the breached data. The server was at a facility the provider no longer used, and the company had surrendered all of its property – except the data closet – prior to the breach. Had an appropriate destruction policy been in place (and had it been followed), these costs potentially could have been avoided.

Data breaches are happening everywhere. According to a report issued by PricewaterhouseCoopers based upon 600 interviews with health care executives in 2011:
  • More than 50% of the surveyed executives were aware of a data breach that had occurred at their organization within the past two years (theft accounting for approximately 66% of the reported breaches); and
  • 40% of the respondents stated they were aware of improper internal use of protected health data during that same time period.
Moreover, according to a study conducted by the Ponemon Institute LLC, the frequency of data breaches at health organizations jumped 32 percent in 2011 alone. That same study estimated that these breaches cost the industry $6.5 billion. The third biannual report by HIMSS Analytics and Kroll Advisory Solutions, titled “2012 HIMSS Analytics Report: Security of Patient Data,” reports that, when asked what contributed to these breaches:
  • 45% of respondents cited a lack of staff attention;
  • 31% cited the use of mobile devices to store protected data; and
  • 28% cited the sharing of information with third parties.
On this last point, the use of cloud-based systems raises additional issues, as it is not always clear who is responsible in the event of a breach, including who must notify affected individuals.

Despite these warning signs, the health care industry is largely unprepared. According to PricewaterhouseCoopers, although almost three-quarters of health care organizations plan to expand their use of electronic data:
  • Only 50% of health care organizations have addressed issues related to the use of mobile devices;
  • Only 47% have addressed issues related to health data privacy and security; and
  • Fewer than 25% of organizations have addressed issues related to the use of social media.
With members of the “millennial” generation comprising the fastest-growing segment of the labor market, up-to-date policies governing the use of social media and online networks, when it is appropriate to access office data while working outside the office, and technology in general (all issues that affect this generation more than those before it) are becoming increasingly important.

But simply creating these policies is not enough. According to another report issued by a coalition of health care and data security groups, in which more than 100 health care industry executives were surveyed:
  • While roughly three-quarters of respondents believed their organization had taken “effective steps” to protect health information and had “effective policies” in place, only 28-32% of respondents believed that sufficient resources had been dedicated to meeting those privacy and security requirements, and respondents stated that management did not view privacy and security as a priority.
When asked about the biggest hurdles they face:
  • 59% cited lack of funding;
  • 40% cited lack of time; and
  • 32% cited insufficient executive support.
In fact, a Bloomberg Government study revealed that executives at health care providers, pharmaceutical companies and medical-device makers stated that they would need to increase annual spending on cybersecurity from roughly $23 million to $155 million to stop 95% of hacking attacks.

So what should you be doing?

While your company may never be exposed to a class action lawsuit, chances are it will be the victim of a data breach. The foregoing suggests that the costs of taking steps now, while high, pale in comparison to the costs of remediating a data breach. As the saying goes, an ounce of prevention (even when that ounce seems more like a ton) is worth a pound of cure.

At a minimum, you should ensure that you have a well-thought-out plan in place in the event that a data breach occurs. You also need to make sure that all of your other policies are up to date, including document retention and destruction policies, technology policies, and social media and online policies. You should also assess who within your organization has access to what information and, if someone does not need access to protected data, eliminate that access.

Next, you should design training programs to keep your action plan and employment policies top of mind and to ensure that your personnel understand and follow the plan and policies. Consider conducting fire drills like the ones you suffered through as a grade school child. Also consider periodic compliance checks so that you can detect potential breaches and problems early. And, of course, make sure you have reliable counsel you can call on in case the dreaded breach occurs.

For more information, please contact Kristi Davidson at (212) 440-4562 or kristi.davidson@bipc.com.