On August 19, 2014, Community Health Systems Professional Services Corporation (“CHSPSC”) announced that foreign-based cyber-criminals bypassed the company’s security safeguards and accessed, copied, and transferred data on 4.5 million patients of its affiliated clinics and hospital-based physicians. The data included patients’ names, addresses, birthdates, and social security numbers and, in some cases, telephone numbers and the identities of employers and guarantors. According to the U.S. Department of Health and Human Services (“HHS”), this was the largest hacking incident to date in the health care industry. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
CHSPSC emphasized that no credit card, medical or clinical information was taken. Nonetheless, the company offered free identity theft protection and credit monitoring services to all affected individuals.
Presumably the information accessed was not encrypted. Had it been encrypted consistent with HHS guidance, and had the decryption key not also been compromised, the incident would have fallen within the safe harbor of the breach notification rule and would have been exempt from the notification obligations. See, e.g., 74 Fed. Reg. 42740-42743 (August 24, 2009); 78 Fed. Reg. 5566, 5644-5647 (January 25, 2013) (“If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”). Two practical caveats follow from that guidance. First, the safe harbor applies only where the key or other “confidential process” needed to decrypt the data has not itself been breached, which is why the guidance directs that decryption keys be stored on a device or at a location separate from the data they protect. Second, encryption of disks or databases at rest does not protect records that an intruder reads through an application, a remote-access session, or a stolen credential, because the system decrypts the data for any request that looks authorized; encryption at rest addresses lost or stolen media and copied database files, not a live intrusion using valid access. Moreover, CHSPSC’s comments in its public Data Breach Notification implied that the data was not encrypted, stating that the company had “implemented efforts designed to protect against future intrusions[,] including implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords.” http://www.chs.net/media-notice-august-19-2014/
LESSON LEARNED THE HARD WAY: Encrypt PHI in transit and at rest.
Many providers and others in the health care industry have applied security safeguards to protect their systems and data, such as firewalls, passwords, and screen locks, but they have not taken advantage of the safe harbor: encryption. Safeguards are critical, but they will not protect a company from liability if they fail and PHI is disclosed. The safe harbor will protect a company from breach notification obligations under HIPAA even if the encrypted PHI is stolen, provided the key has not also been compromised; it does not help if the attacker obtains the key along with the data, so key management (keys stored separately from the data, with access restricted and logged) is part of the requirement, not an optional extra. Thus, for companies looking for protection, encryption is a “no-brainer.” Furthermore, encryption is much easier and less expensive than most people think. See, e.g., http://lifehacker.com/5677725/five-best-file-encryption-tools. Companies can purchase self-encrypting hard drives for computers and laptops, install full-disk encryption tools on existing ones, or use manual processes to encrypt under high-risk circumstances. For example, a file may be encrypted with a standards-based tool before transmission, with the password or key sent by a separate channel rather than in the same e-mail. To qualify for the safe harbor, the method must be consistent with the NIST publications the HHS guidance names (NIST SP 800-111 for data at rest; NIST SP 800-52, 800-77, or 800-113, or a FIPS 140-2 validated method, for data in motion). Application-level password protection, such as a password-protected Word document, meets that bar only if the application uses a current algorithm; the older Office 97-2003 file formats do not, so check the format and version before relying on it.
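The two properties the safe harbor turns on, that the data is encrypted with a current algorithm and that the key is kept apart from the data, are easy to show in code. The following Go program is an added example written for this post; it is not CHSPSC's code or any vendor's product. It encrypts a constructed, fictional patient record with AES-256-GCM from the Go standard library, stores only a non-secret key identifier beside the ciphertext, and shows that a tampered ciphertext, a ciphertext moved to another record, or the wrong key all fail to decrypt. The record identifier and the key-id scheme are assumptions for illustration; in a real deployment the key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed, fictional record used only to exercise the code.
const samplePHI = "Jane Doe; DOB 1970-01-01; SSN 000-00-0000; 123 Main St"

// NewKey returns a random 256-bit AES key. This key is the "confidential
// process or key" of the HHS guidance: keep it in a KMS, an HSM, or at least
// a separate system from the ciphertext, never in the same table or backup.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// KeyID is a short, non-secret identifier derived from the key (assumed
// scheme) so a stored record or an audit log can name the key that protects
// it without containing the key itself.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (here the record identifier) is authenticated but not encrypted, so a
// ciphertext cannot be silently moved to a different patient's record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag, or aad, or use of
// the wrong key, fails GCM authentication and returns an error with no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("patient-record-42") // assumed identifier
	sealed, err := Seal(key, []byte(samplePHI), recordID)
	if err != nil {
		panic(err)
	}
	// What lands on disk: a key id and ciphertext, no plaintext and no key.
	fmt.Printf("stored: key_id=%s bytes=%d\n", KeyID(key), len(sealed))

	plain, err := Open(key, sealed, recordID)
	fmt.Printf("right key, untouched record: %q err=%v\n", plain, err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, recordID)
	fmt.Printf("tampered ciphertext: err=%v\n", err)

	_, err = Open(key, sealed, []byte("patient-record-43"))
	fmt.Printf("ciphertext moved to another record: err=%v\n", err)

	otherKey, _ := NewKey()
	_, err = Open(otherKey, sealed, recordID)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The point of the example is the separation: the ciphertext and the key id may sit in the database that an intruder copies, while the key lives elsewhere. If both are taken together, GCM's authentication still prevents undetected tampering, but the safe harbor no longer applies because the key has been breached.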
What may be the most important consideration for a company deciding whether to encrypt: the Office for Civil Rights, which enforces HIPAA, believes that encryption “is an easy method for making lost information unusable, unreadable and undecipherable.” If encryption is in fact reasonable and appropriate for an organization, then when someone breaks through the organization’s other safeguards, HHS likely will say that encryption was required under the circumstances. If so, the resulting penalties may be far more costly than encryption would have been.
CHSPSC’s decision not to encrypt, if it made such a decision, may have been appropriate under the circumstances. HHS instructs in its answers to FAQs:
[A decision about whether to encrypt] will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.
Accordingly, to avoid learning a costly lesson “the hard way,” companies handling or storing PHI should encrypt, or else document in writing their reasons for not doing so and why their other security measures were reasonable and appropriate. Notification will still be required if the information is not encrypted, but documented, risk-based decisions can reduce mitigation and remediation costs and penalties.
LESSON KNOWN AND CONFIRMED: Obtain and maintain appropriate insurance coverage.
Despite HIPAA breaches costing companies like CHSPSC millions, shares of its parent, Community Health Systems, climbed to a 52-week high of $53.82 eight days after the company announced the breach. See http://www.bizjournals.com/nashville/blog/health-care/2014/08/why-the-chs-data-breach-hasnt-phased-investors.html?page=all. Apparently, the company carries robust liability insurance that it is confident will cover the incident. For this reason, although CHSPSC recognizes it is likely to incur "remediation expenses, regulatory inquiries, litigation and other liabilities," which one estimate puts at $75 million to $150 million, http://www.fiercehealthit.com/story/community-health-systems-breach-cost-estimated-75m-150m/2014-08-25, CHSPSC does not expect the breach to affect the company’s financial strength.
Companies should review their policies to ensure they have appropriate and sufficient privacy and data security liability coverage. As the frequency of security incidents and breaches rises and costs increase, it becomes more important to ensure that definitions and coverage terms are clear and exclusions limited. Companies should also review the provisions governing notice of security breaches and other covered incidents and the submission of claims to their insurance carriers, since late notice can itself jeopardize coverage. Generally, it is prudent to notify insurers promptly upon learning of a potential breach and to involve them early in decisions about remediation and mitigation efforts, regulatory responses, media releases, and communications within the organization and to affected individuals.