High profile data breaches across multiple industries have prompted state and federal regulators to adopt a more aggressive investigative role in uncovering systemic failures.
Data breach inquiries by state attorneys general across all industries have nearly doubled in the last year, from 37 to 64, according to a new data security report (PDF) from the law firm Baker Hostetler, which drew from their work with 560 incidents in 2017. Inquiries from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) increased from 13 to 22 over the last year.
“Regulatory investigations are no longer just informal inquiries that seek voluntary cooperation,” the report states. “More and more, we are seeing agencies issue subpoena-like civil investigative demands (CIDs) that require significant effort to respond.”
While the report spanned multiple sectors, healthcare accounted for the largest share of incidents at 35%. Education was second at 14%.
Highly publicized breaches like the one sustained by Equifax last year have thrust privacy issues into the spotlight. Lawyers note that AG investigations often target systemic issues and seek information about the company’s incident response plan, employee training, policies and procedures, and data loss prevention.
Earlier this month, New York Attorney General Eric Schneiderman fined EmblemHealth $575,000 for a mailing error that exposed 80,000 Social Security numbers. Last year, he fined a health IT company $130,000 for a delayed breach notification.
Inquiries “often go well beyond the incident itself” and force organizations to acknowledge certain findings, according to the report. OCR can negotiate “far-reaching agreements” that can also be leveraged in future incidents.
“Contingency plans are critical to protecting the availability, integrity, and security of PHI during unexpected adverse events. We offer best practices in our March 2018 #Cybersecurity newsletter: https://t.co/v7XCtWzqpt #HIPAA” — HHS OCR (@HHSOCR), March 26, 2018
This month, the agency emphasized (PDF) the importance of contingency plans that can protect data during incidents like a ransomware attack.
Organizations “that are slow to investigate, are slow to notify and experience repeat data incidents may be especially vulnerable” to regulator inquiries, Baker Hostetler attorneys wrote.
OCR has levied multimillion-dollar fines against several organizations in recent months. Notably, regulators fined Fresenius Medical Care of North America $3.5 million for five separate data breaches in 2012 that together affected just over 500 records, an indication that investigators are willing to penalize organizations regardless of the size of the breach.