In November 2019, the Department of Health and Human Services, Office for Civil Rights (“OCR”) imposed a $1.6M civil money penalty on the Texas Health and Human Services Commission (“TX HHSC”), Department of Aging and Disability Services (“DADS”) for HIPAA violations.
In June 2015, DADS reported a breach of electronic protected health information (“ePHI”) to OCR. DADS discovered that the ePHI of 6,617 individuals was viewable online, including names, addresses, Medicaid numbers, and social security numbers. Flawed software code allowed this data to be accessible without access credentials.
OCR determined that DADS failed to conduct an enterprise-wide security risk assessment and failed to implement audit controls and access controls, as required by the HIPAA Security Rule. As is nearly always the case in HIPAA enforcement actions, while the breach itself may have initiated the OCR investigation, flaws in DADS’ HIPAA compliance program also were cited in OCR’s determination to issue the civil money penalty. While a covered entity or a business associate may not always be able to prevent a HIPAA breach, it can ensure that it has a robust compliance program in place. Notably, one factor cited repeatedly in OCR enforcement actions over the past several years is the lack of an enterprise-wide security risk assessment. Organizations should prioritize compliance with this HIPAA requirement.
In determining the amount of the civil money penalty levied on DADS, OCR acknowledges that DADS’ HIPAA noncompliance did not result in any known harm to individuals, nor limit their ability to receive health care. However, OCR also noted that, while DADS committed to OCR to complete an enterprise-wide security risk analysis within one year, it failed to do so. HIPAA-regulated entities should be advised that, once a governmental audit or investigation commences, it is important to make every attempt to ensure that your compliance program comports with the HIPAA regulations and guidance from OCR and, particularly, to fulfill any commitments made to the regulators.
Enterprise data breaches have proven to be costly. New research from Kaspersky has found that the cost of these breaches has risen to $1.41 million annually, up from $1.23 million in the previous year. An estimated 4,000 data breaches have already occurred during the first half of 2019, affecting over four billion users’ data. Consequently, enterprise organizations invested more in cybersecurity in 2019, with IT security budgets averaging $18.9 million compared to $8.9 million the previous year. Although the cost of each data breach has increased from year to year, Kaspersky’s survey, “IT security economics in 2019: how businesses are losing money and saving costs amid cyberattacks,” found that enterprises in 2019 have found ways to reduce these costs.
First, companies that have an internal Security Operations Center (“SOC”) limited their estimated cyberattack financial damage to $675,000, less than half the average impact of breaches in 2018. Internal SOCs are typically responsible for the ongoing monitoring of security events and responding to incidents. Establishing an internal SOC, however, is no easy task. It includes recruiting analysts, building processes, and purchasing the necessary tools.
Second, the costs of a data breach can be reduced by creating a Data Protection Officer (“DPO”) position—34% of all companies that had a dedicated DPO reported no monetary loss. A DPO is typically charged with building and implementing a data protection strategy for an enterprise and managing compliance issues.
The report also indicated that outsourcing security measures to a Managed Service Provider (“MSP”) did not reduce financial loss resulting from data breaches. Rather, the survey showed that outsourcing may actually increase the financial impact of a data breach. In fact, the survey indicated that 23% of companies that outsourced their data security reported a financial impact between $100,000 and $249,000, while only 19% of businesses with an internal SOC team reported the same level of loss.
In sum, although these initiatives may seem difficult to justify at first, due to their potential strain on time and budgets, the numbers show that both initiatives are worthwhile investments, as they will ensure that an enterprise is prepared for a data breach, allowing for a quick and efficient recovery.
On May 20, 2019, an amendment to the Oregon Consumer Identity Theft Protection Act passed unanimously in the Oregon House and Senate, and Governor Kate Brown signed the bill into law on May 24, 2019. This amendment changed the title of the state’s data protection law to the “Oregon Consumer Information Protection Act.” It also expanded the scope of the law, updating the types of information considered “personal information” and mandating vendor notification of breaches.
The amendment expands the definition of “personal information” to include user names or other information used to access a consumer’s online account. Breaches of this information would require notification pursuant to the requirements of the act.
In addition, vendors now are directly regulated under the act. The amendment adds a definition of “covered entity”—a person owning, licensing, maintaining, storing, managing, collecting, processing, acquiring or otherwise possessing personal information in the course of its activities. Persons contracting with such covered entities to maintain, store, manage, process or otherwise access personal information in the course of services provided to or on behalf of a covered entity are deemed “vendors” under the act.
The amendment specifies that vendors who discover a data breach, or who have reason to believe that a breach occurred, must notify the applicable covered entity no later than ten (10) days following discovery. Subcontractor vendors must notify the vendor with which they contract. If a breach involved personal information of more than 250 consumers, or if the vendor cannot determine how many consumers are impacted by a breach, the vendor is required to notify the Oregon Attorney General (unless the applicable covered entity has already done so).
Health care organizations and vendors regulated under HIPAA are exempt from the requirements of the act if the breached information is subject to HIPAA and they comply with their obligations under HIPAA. However, they must notify the Oregon Attorney General if the breach impacts more than 250 consumers.
The amendment to the act takes effect on January 1, 2020.
On May 6, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Touchstone Medical Imaging (Touchstone), a diagnostic medical imaging services provider, requiring a three million dollar financial settlement and a two-year Corrective Action Plan.
There are a number of lessons that HIPAA covered entities and business associates can glean from the Touchstone enforcement action, a notable one being that an entity should promptly and thoroughly investigate any security incident or potential data breach. Both OCR and the Federal Bureau of Investigation (FBI) notified Touchstone that one of its FTP servers was allowing uncontrolled access to patients’ protected health information (PHI). After initially denying the exposure, Touchstone eventually reported a breach of more than 300,000 social security numbers and other PHI. OCR found that neither Touchstone’s investigation of the incident nor its breach notification was handled in a timely manner.
In investigating Touchstone, OCR also found that the entity did not conduct an accurate and thorough risk analysis—a key enforcement priority of OCR in recent years. As part of its Corrective Action Plan, Touchstone is required to conduct an enterprise-wide risk analysis, including creating an inventory of all of its equipment, systems, applications and off-site storage facilities that contain PHI. This is a key element for any organization in order to decide what systems and processes best secure PHI and other sensitive data.
In addition, OCR detailed that Touchstone failed to execute business associate agreements with its vendors, including its information technology vendors, prior to the disclosure of PHI. Similar to prior settlements, the Touchstone settlement emphasizes the importance of understanding which vendors will receive or have access to an organization’s PHI and having the parties involved execute a business associate agreement at the outset of the arrangement.
If approved by the U.S. District Court for the Northern District of California, the $117.5 million settlement agreement proposed by Yahoo on Wednesday will establish the largest common fund ever obtained in a data breach case.
In December 2016, Yahoo announced that login information for over 1 billion of its customer accounts had been stolen in August 2013. However, in October 2017, the company disclosed that an investigation by outside forensic experts revealed that all 3 billion accounts existing at the time had been impacted—making it one of the largest data breaches ever. The stolen information included users’ names, e-mail addresses, telephone numbers, dates of birth, security questions and answers, and hashed passwords created using the MD5 algorithm, a hashing algorithm known to be vulnerable to brute force and hash collision attacks.
Victims filed a class action lawsuit alleging that Yahoo did not use appropriate safeguards to protect users’ personal information and deliberately failed to notify users that their personal information had been stolen. The suit also captures two smaller data breaches that occurred in 2014 and 2016. The proposed settlement would fund two years of credit monitoring for all class members and reimbursement for out-of-pocket expenses related to identity theft, lost time, paid user costs and small business costs, as well as attorney’s fees and costs and expenses, service awards for class representatives and notice and administration costs.
Yahoo and plaintiffs initially agreed to a settlement of $50 million, plus attorney’s fees and other expenses, but the proposal was rejected by U.S. District Judge Lucy Koh. In January 2019, Judge Koh ruled that this offer inadequately disclosed the total size of the settlement fund, the scope of non-monetary relief and the size of the settlement class, making it impossible for class members to assess the reasonableness of the offer. The court will hold a hearing on the revised settlement agreement on June 27, 2019.
On January 17, 2019, North Carolina Attorney General Josh Stein and North Carolina Representative Jason Saine announced proposed legislation intended to strengthen the state’s data protection laws.
The existing North Carolina Identity Theft Protection Act (ITPA) is similar to data breach laws in other states, and requires businesses to protect the sensitive information (e.g., social security numbers) of state residents. Businesses must implement policies governing the secure destruction of personal information and train employees accordingly. In the event of a data breach, the ITPA requires notification to impacted individuals without unreasonable delay.
In 2018, Attorney General Stein and Representative Saine introduced legislation to strengthen the ITPA, expanding the definition of a data breach to include a ransomware attack and requiring incident notification within fifteen (15) days. This legislation was not enacted. The 2019 version reflects certain modifications to last year’s proposal. In particular, the new proposed legislation gives entities up to thirty (30) days to report a data breach to those impacted North Carolina residents and the North Carolina Attorney General.
According to a fact sheet, the proposed legislation goes beyond most breach reporting laws by requiring entities that determine an incident did not result in harm to document that determination for review by the North Carolina Attorney General. If enacted, this will bring greater scrutiny to data hacks, ransomware events and other incidents that may not necessarily result in reportable breaches under the federal HIPAA regulations or other state or federal laws.
Attorney General Stein also released a report summarizing the 1,057 data breaches reported to his office last year. According to the report, these breaches impacted more than 1.9 million North Carolina residents, which is a 63% decrease from 2017 when breaches impacted approximately 5.3 million residents. As to the causes of these breaches, the report indicates that phishing schemes comprised 26% of the breaches, with hacking breaches decreasing slightly as compared to 2017.
On Friday, January 4, 2019, Marriott International, Inc. (“Marriott”) revealed that 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were included in the data stolen as part of the massive data breach of November 30, 2018. Although Marriott originally disclosed that the breach of its Starwood guest database, which includes Westin, W and Sheraton, included information such as e-mail addresses, credit card data and passport information, this new revelation increases lingering espionage concerns associated with the breach. Passport numbers serve as unique identifiers to those holding the passport. As such, these numbers may be used by hackers to track the travel itineraries of cyberattack victims, many of whom may be government officials or business executives.
A United States intelligence official and other sources familiar with the attack investigation have speculated that China may be behind the attack. The techniques used by the hackers are consistent with past cyberattacks sponsored by the Chinese government. This speculation adds a troubling aspect to the attack. If the Chinese government gained access to the passport information compromised in the attack, it would be able to increase the efficacy of future attacks by honing its espionage assets in on individuals of particular importance.
Marriott’s newest disclosure may affect its legal exposure
Multiple lawsuits seeking class-action certification were filed when news of the data breach originally broke. One such class action is seeking $12.5 billion in damages, which is equivalent to $25 for each of the 500 million cyberattack victims. This figure allegedly reimburses the victims for the costs associated with cancelling credit cards compromised in the attack. Marriott may expect to see its legal exposure rise along with the newest disclosures due to the particularly sensitive nature of passport numbers and the additional burden placed on victims in determining their individual exposure and obtaining new passport information.
Response from Capitol Hill
Lawmakers in the United States cited the Marriott data breach as another example of the increasing need for federal privacy laws. Among other things, lawmakers have called for “data minimization,” which generally relates to safeguarding potential cyberattack victims by requiring companies to discard sensitive consumer data that the companies no longer need. As the scale of the breach and the nature of the data compromised continue to come to light, we can expect to see renewed calls from lawmakers in favor of federal privacy laws.
Marriott’s January 4, 2019, press release may be found here.
Last Friday, November 30, 2018, Marriott International, Inc. (“Marriott”) disclosed a data breach impacting up to 500 million guests who stayed at its Starwood properties across the globe. The breach centered on the Starwood guest reservation database, which holds information such as mailing addresses, e-mail addresses, payment card data, passport numbers and arrival and departure dates.
This breach is different from others because of the variety of data accessed
While it remains unclear what information the hackers were targeting, it is likely that this breach is about more than just stealing payment card information. In this case, the hackers were able to get a bounty of nonfinancial information, which can easily be combined with other information available on the black market to make it even easier for a bad actor to assume someone’s identity. Having this extra information can aid hackers in answering security questions that can enable access to password-protected accounts. The information can also be used to create more personalized and detailed phishing attacks, where a hacker sends an e-mail to a particular person that appears to be legitimate but is actually from a criminal attempting to gain access to information. By including highly personal and detailed information regarding travel dates and locations, phishing e-mails can be harder to detect.
Many experts reported that the data does not appear to have been offered for sale on the “dark web.” In general, when stolen data does not pop up on the dark web, it is a state actor obtaining the data for intelligence reasons.
The breach may have been ongoing for four years
Marriott said that an internal security tool found an attempt to access the guest reservation database on September 8, 2018. A further investigation then revealed that the hackers had had access to the Starwood database since 2014.
Adding another headache for Marriott is a smaller breach from approximately three years earlier. In 2015, Starwood reported a breach in which attackers installed malware on point-of-sale systems in some hotels to harvest payment card information. This breach was disclosed four days after Marriott announced the deal to acquire Starwood. Marriott has responded that the 2015 incident was not related to the current breach. But many experts in the field say that a more thorough investigation into the 2015 incident might have uncovered the attackers, who retained access for three more years.
A class-action lawsuit was filed
A national class action lawsuit was filed alleging that Marriott failed to “properly safeguard consumers’ highly sensitive and confidential information.” The complaint does not disclose the amount sought in damages.
Additionally, the United Kingdom’s data protection commissioner and attorneys general from several states, including Maryland, Massachusetts, New York, Pennsylvania and Texas, have stated that they intend to look into the incident.
There could be an impact on due diligence in deals
Because it appears as though the hackers had access to the Starwood guest reservation database before the 2016 merger with Marriott, many are questioning the cybersecurity due diligence performed in that deal. We have seen data breaches affecting large deals in the past, but typically a breach has been discovered prior to closing the deal. Here, however, Marriott contends it just learned of the breach this September, about two years after the $13.6 billion deal.
While Marriott does have cyber insurance, it will have to absorb the full financial (and reputational) impact from the breach, which could get expensive. In Europe, for example, under the General Data Protection Regulation (GDPR) companies can be fined up to 4% of global revenue.
Regulatory authorities and courts will also likely investigate whether Marriott was “reasonable” in its due diligence of Starwood’s cybersecurity systems and procedures. This could have far-reaching effects on cybersecurity diligence and make a complete review of a target’s cybersecurity regime become the norm.
Because of the variety of information accessed, individuals who believe their data may be compromised should immediately freeze their credit by contacting the three major credit bureaus. Marriott is also offering guests one free year of enrollment in WebWatcher, which monitors websites where personal information is shared and notifies a consumer if any of his or her personal information is found.
We can expect to keep hearing about this breach for a while.
On September 26, 2018, ride-share company Uber Technologies Inc. agreed to a settlement with the attorneys general of all 50 states and the District of Columbia in response to allegations that it concealed a data breach. This follows an April 2018 settlement between Uber and the Federal Trade Commission following allegations that Uber deceived its customers regarding this incident.
Last November, Uber disclosed that it paid hackers a ransom of $100,000 to destroy data related to a breach of a cloud-based service used by the company. This breach, which occurred in late 2016, involved the names, e-mail addresses and cell phone numbers of 57 million Uber riders and drivers, as well as driver’s license numbers of approximately 600,000 drivers. Failure to timely notify impacted individuals of a data breach is a violation of the breach notification and reasonable data security laws in many states.
The financial settlement will be divided among the states and the District of Columbia based on the number of drivers in each, with New York receiving approximately $5.1 million, Illinois receiving $8.5 million and California receiving $26 million. Illinois Attorney General Lisa Madigan announced that she intends to provide $100 to each impacted Uber driver in Illinois.
In addition to the financial terms, the settlement also requires Uber to implement a corporate integrity program that allows its employees to report unethical behavior. Uber also must hire an independent third party to review its data security practices on a regular basis, and it must adopt model breach notification and security practices.
In a blog post on the Uber website, Uber’s Chief Legal Officer Tony West referenced the hires of Uber’s Chief Privacy Officer and Chief Trust & Security Officer. In noting how Uber is continuing to invest in protecting customer data, West acknowledged that “trust is hard to gain and easy to lose.”
Following a report of a breach of protected health information, on August 29, 2018, the New York Attorney General announced a settlement with Arc of Erie County, a social services agency that serves persons with developmental disabilities and their families. Arc of Erie County received a $200,000 financial penalty plus a Corrective Action Plan, which requires Arc of Erie County to conduct a HIPAA-required security risk assessment and submit a report of that assessment to the attorney general’s office.
Under HIPAA, Arc of Erie County and other covered entity health care providers are required to implement appropriate physical, technical and administrative safeguards to protect clients’ protected health information. In March 2018, Arc of Erie County notified impacted clients and the attorney general of a breach of client health information involving a website intended for internal staff access that was publicly reachable online and whose contents had also been indexed by search engines. The data that was available to the public included full names, social security numbers, addresses and dates of birth. A forensic investigation demonstrated that individuals outside the United States accessed the links to the sensitive data many times. The data breach impacted 3,751 New York residents.
In addition to the Department of Health and Human Services, Office for Civil Rights, the HIPAA regulations provide state attorneys general with HIPAA enforcement authority. The New York Attorney General’s office concluded that Arc of Erie County failed to implement appropriate physical, technical and administrative safeguards to protect its clients’ health information, as required by HIPAA. The attorney general’s office determined that this failure resulted in an impermissible disclosure of electronic protected health information.
This enforcement action emphasizes the need for all organizations, even not-for-profit, community-based providers, to conduct enterprise-wide security risk assessments. Data gleaned from such assessments should be the basis for the organization’s risk management plan, which is also a HIPAA requirement. These items are fundamental parts of a covered entity’s or business associate’s HIPAA compliance program and elements that will be requested in any governmental audit or investigation of HIPAA compliance.