The legal and financial fallout of health data breaches

By Dan Bowman

In the Anthem breach, as with most other breaches, many factors bear on what a breached entity can and should do, and on the fallout that follows, according to Boston-based healthcare attorney David Harlow.

For instance, Harlow tells FierceHealthIT that while much of the attention in the Anthem case is on the Health Insurance Portability and Accountability Act at the national level, state privacy laws often go further than HIPAA. HIPAA, he says, is merely a floor for what states can demand, not a ceiling.

"There are state agencies that can enforce those privacy laws and they can also form the basis of a private lawsuit," Harlow says. "In addition, if the Office for Civil Rights finds a violation of HIPAA, there certainly are fines and sanctions that go along with that, but the findings can form the basis of a finding of liability in a state court lawsuit. If you think of this like a personal injury lawsuit, where you have to prove each element of the case, there's a duty, there's a breach of the duty, there's a connection between the breach and the harm that is caused and there's actual harm. By having an OCR finding of a breach of HIPAA, you've made it easy for the plaintiff's attorney to prove one key component of that case: that there was a breach."

More and more states are accepting that kind of information as proof of a hack for breach of privacy lawsuits under common law, Harlow says. To that end, he calls the liability potential of the Anthem case "crushing."

"Before you even talk about lawsuits, the costs associated with communication, credit monitoring and all those sorts of things can be on the order of $100 to $200 per breached record," Harlow says. "Once you get into class-action lawsuits, that number can go up significantly."

Additionally, Harlow says, breached entities must be mindful that the Federal Trade Commission also has the authority to police such incidents concurrently with OCR. In fact, in recent years, he says, the FTC has determined a number of data breach cases to be unfair trade practices.

"In a significant case last year, they put a clinical lab out of business as a result of a breach," Harlow says. "The FTC doesn't have the authority to level fines as great as can be levied under HIPAA, but they have the ability to impose a compliance plan and monitoring and oversight that can last for years."

Harlow says that while Anthem did the right thing in getting out in front of the breach, creating a special website with FAQs about the breach for those impacted, he hopes to see it updated over time to become more of a "real hub" for information.

"To be as good as it can be, it needs to have some opportunity for communication with Anthem or with a communication contractor, because it's not just about people going to a website and looking at information," he says. "People are going to want to have some more real-time answers."

He adds that while encryption should be a standard practice, on its own, it won't solve the problem of breaches. In the Anthem case, he says, hackers gained access to administrative credentials, meaning they would have had access to the information, regardless of encryption.

Instead, he calls for multifactor authentication.

"Something you have, like your fingerprints or your cellphone, or a fob that has some randomly generated code that changes very frequently and you need to look up the code and then use it to log into some restricted database," Harlow says.

He also suggests data minimization, coupled with the layering of protections.

"Why do we have all these different pieces of information about a person that could be used to reconstruct a profile that could be used for medical identity theft or financial identity theft?" Harlow says. "Some have said recently that the FTC perhaps has the authority to require healthcare organizations to use something other than a Social Security number as an identifier, and frankly, that would be a good idea. It's not necessary to use a Social Security number as a healthcare identifier; you're not supposed to do it, but some do. It's a shortcut that has now come back to bite a lot of people."
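To make the data-minimization point concrete, here is an added Python model that is not code from the article, Anthem or Harlow. A small, separately access-controlled identity vault issues random opaque patient identifiers, so that clinical and claims records carry no Social Security number at all; an audit helper then scans the record store for anything that still looks like an SSN. The class and function names are mine, and the sample records and SSNs are constructed values.

```python
import hashlib
import hmac
import re
import secrets

# Matches 9 digits with optional dashes in the usual SSN grouping.
SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


class PatientIdentityVault:
    """Constructed demo of a separate, access-controlled identity service.
    It maps a person to an opaque patient ID so downstream records never
    need to store the SSN itself."""

    def __init__(self, key: bytes):
        self._key = key  # secret for the keyed lookup tag; would live in a KMS/HSM
        self._tag_to_id: dict[str, str] = {}  # HMAC(SSN) -> opaque ID, no SSN plaintext kept

    @staticmethod
    def _normalize(ssn: str) -> str:
        digits = ssn.replace("-", "").strip()
        if not (digits.isdigit() and len(digits) == 9):
            raise ValueError("expected a 9-digit SSN")
        return digits

    def _tag(self, ssn: str) -> str:
        # Keyed hash rather than plain SHA-256: the SSN space is only about 1e9
        # values, so an unkeyed hash table could be reversed by brute force if it leaked.
        return hmac.new(self._key, self._normalize(ssn).encode(), hashlib.sha256).hexdigest()

    def patient_id_for(self, ssn: str) -> str:
        """Return the existing opaque ID for this person, or mint a random one."""
        tag = self._tag(ssn)
        if tag not in self._tag_to_id:
            # Random, not derived from the SSN: the ID reveals nothing even if the key leaks.
            self._tag_to_id[tag] = "PT-" + secrets.token_hex(8)
        return self._tag_to_id[tag]


def minimize_record(record: dict, vault: PatientIdentityVault) -> dict:
    """Drop the SSN field from a record and replace it with the opaque patient ID."""
    minimized = dict(record)
    ssn = minimized.pop("ssn")
    minimized["patient_id"] = vault.patient_id_for(ssn)
    return minimized


def minimize_all(records: list[dict], vault: PatientIdentityVault) -> list[dict]:
    return [minimize_record(r, vault) for r in records]


def find_ssn_like_values(records: list[dict]) -> list[tuple[int, str]]:
    """Audit helper: (record index, field name) for every value that still looks like an SSN."""
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if isinstance(value, str) and SSN_PATTERN.search(value):
                hits.append((i, field))
    return hits


# Constructed sample records; the SSNs are made-up values.
SAMPLE_RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Example", "dx": "J45.20", "notes": "follow-up in 6 weeks"},
    {"ssn": "987-65-4321", "name": "B. Example", "dx": "E11.9", "notes": "member SSN 987-65-4321 on file"},
    {"ssn": "123456789", "name": "A. Example", "dx": "J45.20", "notes": "same person, unformatted SSN"},
]


if __name__ == "__main__":
    vault = PatientIdentityVault(secrets.token_bytes(32))
    print("SSN-like values before:", find_ssn_like_values(SAMPLE_RECORDS))
    print("SSN-like values after:", find_ssn_like_values(minimize_all(SAMPLE_RECORDS, vault)))
```

Two things the audit pass shows that the prose alone does not. First, the same person submitted with and without dashes resolves to one identifier, so the opaque ID still works as a join key. Second, minimizing the structured field is not enough: the free-text note in the second record still carries an SSN after minimization, which is exactly the kind of leftover that re-identification and identity theft feed on, and it is why the scan belongs in the release pipeline rather than being run once.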
