Mount Sinai Data Breach Is Wake-Up Call for Compliance Officers, In-House Counsel
A 25 million record data breach at a collection agency serving hospitals including New York's Mount Sinai and laboratories including Quest Diagnostics and LabCorp is a wake-up call for in-house counsel and compliance officers to address risks from business associates, lawyers said.
September 04, 2019 at 05:37 PM
9 minute read
The original version of this story was published on Corporate Counsel
In-house attorneys and compliance officers at health care providers are coping with an ever-rising number of serious data breaches affecting millions of patients, and they need to take further action to prevent them, lawyers who advise hospitals and health systems said.
In one of the latest disclosures, Mount Sinai Health System in New York City recently began notifying more than 33,000 patients of Mount Sinai Pathology Associates of a compromise involving their personal information. The compromise is a result of a months-long security breach at American Medical Collection Agency of Elmsford, New York, a debt collection service that has since filed for Chapter 11 bankruptcy in the Southern District of New York in White Plains.
The AMCA data breach, disclosed publicly in June, now comprises more than 25 million patient records, including those of customers of Quest Diagnostics Inc. laboratories and its subcontractor, and of LabCorp, whose bills had been referred for collection, as well as more than a score of other providers.
Mount Sinai said it had no further update Wednesday. Steven Wilamowsky, a partner at Chapman and Cutler's bankruptcy group in New York City, who is representing AMCA parent company Retrieval-Masters Creditors Bureau Inc. in its bankruptcy petition, declined to comment Wednesday. He said he was not authorized to do so. An email and phone call to a public relations representative for AMCA at the Brunswick Group also did not receive a response by deadline.
Exposed patient data included names, dates of service, provider names, referring physicians and health insurance information. Some patients also had financial information, such as credit card numbers, compromised.
New York Attorney General Letitia James' office is investigating the AMCA data breach along with Connecticut, Illinois and more than 20 other states, according to a New York OAG spokesperson. At least one class action lawsuit against Quest Diagnostics in connection with the breach already has been filed in U.S. District Court for the District of New Jersey.
"There have been a number of wake-up calls in the health care industry to get their act together, but now this is a wake-up call of the risk of vendors," said attorney Gregory Fliszar, a member of Cozen O'Connor's health care litigation practice in Philadelphia, who formerly was compliance counsel for a national insurance company.
"They are going to have to do a little bit more. A business associate agreement is not enough. They are going to have to do their due diligence and do some monitoring to make sure their vendors who have access to their PHI [protected health information] have the appropriate procedures in place and are abiding by them," Fliszar said.
Medical data breaches are the costliest of all with a per-incident cost in 2018 averaging $408 per record, roughly three times higher than the cross-industry average, according to an annual survey by the Ponemon Institute and IBM.
Retrieval-Masters filed for reorganization in June in connection with the breach, which it says began Aug. 1, 2018, when someone gained access to the system through AMCA's payment portal, and continued until March 2019, when the data leak was discovered, according to court documents. The company said in the bankruptcy filing that it was seeking reorganization to protect itself from creditors, as AMCA had lost its biggest clients and already had spent more than $400,000 on information technology consultants and the like to fix the problem, and $3.8 million more to send out 7 million initial data breach notices.
Health care providers' liability from data breaches comes mainly from the U.S. Department of Health and Human Services, which enforces the federal Health Insurance Portability and Accountability Act of 1996 and its privacy regulations, and from state governments, because generally there is no private right of action.
But sometimes people can sue under state privacy or consumer protection laws because entities didn't comply with HIPAA, said Mark Swearingen, a health information, privacy and security shareholder at Hall, Render, Killian, Heath & Lyman in Indianapolis, whose practice focuses on health information privacy and security, including HIPAA and Health Information Technology for Economic and Clinical Health Act, or HITECH, compliance.
The massive AMCA breach comes at a time of stepped-up enforcement by HHS's Office of Civil Rights, which has levied record fines against some defendants in the last few years. In 2018, the office settled 10 cases and secured one judgment, totaling $28.7 million, an all-time record.
The office also made the single largest individual HIPAA settlement in history of $16 million with Anthem Inc., last year for a breach in which cyberattackers stole the protected health information of a record 79 million individuals.
And a federal judge in San Francisco also approved a $115 million settlement in 2017 in class action lawsuits connected with the 2015 Anthem breach. So in-house counsel and compliance officers have every reason to do the most to help protect their institutions.
Swearingen said it is not uncommon for a third party to be the party where the breach occurred, but hospitals and other health care providers can still be held accountable.
"Are the hospitals at risk of liability? Yes. It is their data if it is in the hands of a hospital's business associates and if a breach happens, it is still the [protected health information] of the hospital. So they can be held responsible for the failure to safeguard it. But [HHS Office of Civil Rights] has generally looked to the party that is responsible for the wrongdoing," Swearingen said, if there is a business associate agreement between the two parties.
On the state regulatory side, a provider could be liable under state privacy and data protection laws as well, he said.
"State attorneys general have the ability under HIPAA to investigate, but they can't do it while a federal investigation or action is pending. There would have to be some coordination between the two," he said.
In-house counsel and compliance officers at institutions can't assume their business associates are doing the right thing, the attorneys said.
"Having been through this several times with several clients, don't assume anything. You have to go through the steps of assessing your risks and vulnerabilities and identifying them, ranking them and fixing them," Swearingen said. Providers also should check to make sure business associates are following the necessary policies and procedures.
In-house counsel need to:
- Make sure their institutions have business associate agreements with all of their associates.
- Make sure the agreements cover the institutions in the event of an incident by addressing who is going to pay for the cost of a data breach and apportioning liability in writing.
- Make sure the institutions carry cyber and network security liability insurance for the risks, and require that business associates/vendors also carry that insurance.
- Be selective about vendors and have criteria they must meet before they have access to your data. Build good security requirements into the contracts, require vendors to submit to periodic audits or questions about their security, and require them to provide copies of documentation of their security practices.
- Avoid contracting with entities that don't have proper security.
Swearingen, who said his firm has advised clients affected by the AMCA breach, said clients who "do the best with privacy and security have strong leadership from the very top, the CEO and the board. Organizations with strong buy-in will allocate the proper resources and realize the importance and the risk involved." General and in-house counsel, privacy and security officials, and compliance officers can do their part, "but it has to be supported at the highest level," he said.
Aside from Quest, LabCorp, BioReference Laboratories Inc. and Mount Sinai, which was the 24th known entity victimized in the AMCA breach, other companies affected include Austin Pathology, American Esoteric Laboratories, Arizona Dermatopathology, CBLPath, Laboratory of Dermatopathology ADS, Natera, Seacoast Pathology, South Texas Dermatopathology and Wisconsin Diagnostic Laboratories. More disclosures are still possible, lawyers said.
Hackers increasingly are focusing cyberattacks on specific medical targets that store or have access to patient data, according to cybersecurity company FireEye researchers, who also said the health care sector is seeing a high frequency of financially motivated cyberattacks.