In-house attorneys and compliance officers at health care providers are coping with an ever-rising number of serious data breaches affecting millions of patients, and they need to take further action to prevent them, lawyers who advise hospitals and health systems said.

In one of the latest disclosures, Mount Sinai Health System in New York City recently began notifying more than 33,000 patients of Mount Sinai Pathology Associates of a compromise involving their personal information. The compromise is a result of a months-long security breach at American Medical Collection Agency of Elmsford, New York, a debt collection service that has since filed for Chapter 11 bankruptcy in White Plains in the Southern District of New York. 

The AMCA data breach, disclosed publicly in June, now comprises more than 25 million patient records, including those of customers of Quest Diagnostics Inc. laboratories and its subcontractor; Lab Corp. and BioReference Laboratories Inc., whose bills had been referred for collection; and more than a score of other providers.

Mount Sinai was the 24th known entity victimized in the AMCA breach. Other companies affected include Austin Pathology; American Esoteric Laboratories; Arizona Dermatopathology; CBLPath, Inc.; Laboratory of Dermatopathology; ADS; Natera; Seacoast Pathology; South Texas Dermatopathology and Wisconsin Diagnostic Laboratories. More disclosures are still possible, lawyers said.

Mount Sinai said it had no further update on Wednesday. Steven Wilamowsky, a partner at Chapman and Cutler's bankruptcy group in New York City, who is representing AMCA parent company Retrieval-Masters Creditors Bureau Inc. in its bankruptcy petition, declined to comment on Wednesday. He said he was not authorized to do so. An email and phone call to a public relations representative for AMCA at the Brunswick Group also did not receive a response by deadline.

Exposed patient data included names, dates of service, provider names, referring physicians and health insurance information. Some patients also had financial information, such as credit card numbers, compromised.

New York Attorney General Letitia James' office is investigating the AMCA data breach along with Connecticut, Illinois and more than 20 other states, according to a New York OAG spokesperson. At least one class action lawsuit against Quest Diagnostics in connection with the breach already has been filed in U.S. District Court for the District of New Jersey.

"There have been a number of wake-up calls in the health care industry to get their act together, but now this is a wake-up call of the risk of vendors," said attorney Gregory Fliszar, a member of Cozen O'Connor's health care litigation practice in Philadelphia, who formerly was compliance counsel for a national insurance company.

"They are going to have to do a little bit more. A business associate agreement is not enough. They are going to have to do their due diligence and do some monitoring to make sure their vendors who have access to their PHI [protected health information] have the appropriate procedures in place and are abiding by them," Fliszar said. 

Medical data breaches are the costliest of all with a per-incident cost in 2018 averaging $408 per record, roughly three times higher than the cross-industry average, according to an annual survey by the Ponemon Institute and IBM.

Retrieval-Masters filed for reorganization in June in connection with the breach, which it says began Aug. 1, 2018, when someone gained access to the system through AMCA's payment portal, and continued until March 2019, when the data leak was discovered, according to court documents. The company said in the bankruptcy filing that it was seeking reorganization to protect itself from creditors, as AMCA had lost its biggest clients and already had spent more than $400,000 on information technology consultants and the like to fix the problem, and $3.8 million more to send out 7 million initial data breach notices.

Health care providers' liability from data breaches comes mainly from the U.S. Department of Health and Human Services, which enforces the federal Health Insurance Portability and Accountability Act of 1996 and its privacy regulations, and from state governments, because generally there is no private right of action under HIPAA.

But sometimes people can sue under state privacy or consumer protection laws because entities didn't comply with HIPAA, said Mark Swearingen, a health information, privacy and security shareholder at Hall, Render, Killian, Heath & Lyman in Indianapolis, whose practice focuses on health information privacy and security, including HIPAA and Health Information Technology for Economic and Clinical Health Act, or HITECH, compliance. 

The massive AMCA breach comes at a time of stepped-up enforcement by HHS's Office of Civil Rights, which has levied record fines against some defendants in the last few years. In 2018, the office settled 10 cases and secured one judgment, totaling $28.7 million, an all-time record.

The office also made the single largest individual HIPAA settlement in history, $16 million with Anthem Inc. last year, for a breach in which cyberattackers stole the protected health information of a record 79 million individuals.

And a federal judge in San Francisco also approved a $115 million settlement in 2017 in class action lawsuits connected with the 2015 Anthem breach. So in-house counsel and compliance officers have every reason to do the most to help protect their institutions.

Swearingen said it is not uncommon for a third party to be the party where the breach occurred, but hospitals and other health care providers can still be held accountable.

"Are the hospitals at risk of liability? Yes. It is their data. If it is in the hands of a hospital's business associates and a data breach happens, it is still the [protected health information] of the hospital. So they can be held responsible for the failure to safeguard it. But [HHS Office of Civil Rights] has generally looked to the party that is responsible for the wrongdoing," Swearingen said, if there is a business associate agreement between the two parties.

On the state regulatory side, a provider could be liable under state privacy and data protection laws as well, he said.

"State attorneys general have the ability under HIPAA to investigate, but they can't do it while a federal investigation or action is pending. There would have to be some coordination between the two," he said.

In-house counsel and compliance officers at institutions can't assume their business associates are doing the right thing, the attorneys said.  

"Having been through this several times with several clients, don't assume anything. You have to go through the steps of assessing your risks and vulnerabilities and identifying them, ranking them and fixing them," Swearingen said. Providers also should check to make sure business associates are following the necessary policies and procedures.

In-house counsel need to: 

  • Make sure their institutions have business associate agreements with all of their associates.
  • Make sure the agreements cover the institutions in the event of an incident by addressing who is going to pay for the cost of a data breach and apportioning liability in writing.
  • Make sure the institutions carry cyber and network security liability insurance for the risks, and require that business associates/vendors also carry that insurance.
  • Be selective about vendors and have criteria they must meet before they have access to your data. Build requirements for good security into the contracts, and require vendors to submit to periodic audits or questions about their security and to provide copies of documentation of their security practices.
  • Avoid contracting with entities that don't have proper security. 

Swearingen, who said his firm has advised clients affected by the AMCA breach, said clients who "do the best with privacy and security have strong leadership from the very top, the CEO and the board. Organizations with strong buy-in will allocate the proper resources and realize the importance and the risk involved." General and in-house counsel, privacy and security officials, and compliance officers can do their part, "but it has to be supported at the highest level," he said.

Hackers increasingly are focusing cyberattacks on specific medical targets that store or have access to patient data, according to researchers at cybersecurity company FireEye, who also said the health care sector is seeing a high frequency of financially motivated cyberattacks.