During 2017, the largest 10 HIPAA breaches reported affected 2.6 million people, according to the HIPAA Breach Reporting Tool.  A total of 335 HIPAA breaches in 2017 affected 4.9 million people. While 4.9 million records are a mere drop in the bucket compared to the Equifax breach affecting 145.5 million records, the number is massive when one thinks about health care organizations allowing unauthorized hackers to take data that one has a high expectation that their information will be kept private. In 2016, by comparison, there were 327 HIPAA breaches affecting 16.6 million persons, and in 2015, there were 269 breaches where hackers gained access to 113 million people. 

Hospitals have expended large portions of their budgets to create secure electronic medical records systems. However, the probability of patients having their very private medical records accessed and used by the "bad guys" seems to be relatively high. It is as though the dike is perforated with holes. The probability strong is that any hospital electronic medical record system will be hacked. The records that are taken can be used for years by the hackers to harm the individuals. 

One healthcare class action lawsuit filed against Banner Health, in the U.S. District Court for Arizona, exemplifies just the beginning of problems for a hospital institution where the hackers gained access to the medical record system. The Banner Health breach affected 3.7 million individuals. The hackers were described in the lawsuit as a “financially motivated threat group.” Apparently, the hackers first gained access to the hospital's credit card system at their food cafeterias allowing the hackers to then access patient and health plan member records.

The hackers got into the secure system on June 17, 2016, and then, for two weeks, were undetected. On June 29, 2016, the breach was discovered while techs were investigating "unusual slowness on various servers." The hospital then hired an outside firm to investigate the problem. On July 13, 2016, Banner learned that the unidentified "hackers" gained access to patient information. Banner reported that the patient and health plan information may have included names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers. On August 3, 2016, Banner publically announced the breach and stated that breach notification letters would be sent on September 9, 2016. 

In August 2016, a class action was filed against Banner Health that included seven causes of action including i) negligence, ii) negligence per se, iii) breach of contract, iv) breach of the implied covenant of good faith and fair dealing, v) breach of implied duty to perform with reasonable care, vi) unjust enrichment, and vii) violation of the Arizona Consumer Fraud Act. Banner Health thereafter filed a motion to dismiss the complaint for lack of standing and to strike the causes of action.  

On December 20, 2017, the Court issued an order dismissing three of the Plaintiffs’ claims: i) breach of contract, ii) breach of the implied covenant of good faith and fair dealing, and iii) breach of the implied duty to perform. The court agreed with Banner Health's argument that because the hospital had a pre-existing legal duty to protect the information, it could not be held liable for a breach of contract for the same duty -- if there even was an agreement with the Plaintiffs to maintain the security of the information, which the Court questioned.

However, the Court found that the Plaintiffs had standing to sue as they met the "injury-in-fact" requirement as articulated in a Ninth Circuit HIPAA case that concluded that a plaintiff meets the "injury-in-fact" requirement by alleging an "an increased risk of identity theft due to the theft of his or her PII even without alleging that any actual identity theft has occurred." The Court also found that the four of the claims should not be dismissed: negligence, negligence per se, unjust enrichment, and violation of the Arizona Consumer Fraud Act. 

A health care provider, after a major breach, faces numerous difficulties. These include the "soft" liabilities in form of the loss of trust by employees, patients, and, if a non-profit, donations and gifts. Patients, rightfully so, may in the future work to edit and limit what is placed in their medical records, fearful of the high likelihood that their private information could be made public. There is also the cost and hospital-ranking system "black mark" of civil, or possibly criminal, liabilities imposed by the U.S. Department of Health and Human Services (HHS) through its enforcement group, the Office of Civil Rights. In addition, state attorneys may bring their own causes of action against the institution resulting in further fines and impositions of costly oversight requirements like annual security audits.

Finally, there is the fact that a breach will most assuredly result in a class action lawsuit that could go on for years and cost the hospital extensive executive time and attention, examination of internal processes by aggressive plaintiff attorneys and investigators, and end with either a large settlement or payment of a judgment. While the Banner case moves forward into discovery, and then to trial, Anthem announced on June 23, 2017, that it settled a class action for $115 million for a 2015 breach exposing 80 million records. The settlement also required Anthem to devote a certain budgeted amount to information security over the next three years.  

Healthcare providers may now begin to consider dramatically increasing their IT security budget before such as breach limit make accessing the hospital electronic patient records much more difficult, if not impossible to access by the bad guy hackers who are probing the hospital's network for gaps and weaknesses even at this moment.

On October 27, 2016, the FCC, under the leadership of Chairman Wheeler, stepped into protecting internet privacy in a big way. The new FCC privacy order, passed 3 to 2 along party lines, is controversial with broadband providers and advertisers as being unnecessary, overreaching, and creating regulatory confusion. However, this is the year of privacy and cybersecurity.  Users, from the top to the bottom, have come to expect limited privacy and having their data hacked by bad guys and their personal web search history known by providers and web sites.  Lengthy privacy notices are quickly agreed to.  Internet users, basically all U.S. adults, know that, by living online on their iPads and looking down at their mobile phones, they are giving up what the U.S. society thought privacy was when there was just the telephone. The FCC is attempting to address this loss of internet privacy for the firms it has authority to regulate, the broadband service providers.

A New York Times article by Farhad Manjoo (10/19/16) says it all: “Whoever Wins the White House, This Year’s Big Loser is Email.” With the hacking of the Clinton email servers, a cybersecurity issue, and the constant reporting of the loss of personal and financial data, even from government servers, again a hacking issue, privacy demands have come to the forefront. The EU has become far more aggressive than the U.S. with privacy protection requiring, for example, opt-in cookie notifications for every web site. The FCC may be seeking to give users more mandated protection, like the EU has done.  While some broadband providers have voluntarily enacted pro-consumer privacy policies, the FCC order will now mandate the policies for all broadband providers. 

The new FCC order regulates privacy practices of broadband internet service providers only, carving out non-broadband providers or “web” and social media companies like Facebook or Google which the FTC (Federal Trade Commission) regulates.  Broadband providers are those firms connecting users to the Internet at the edge as opposed to web sites which are accessed through the connection of the customer’s broadband provider. Wheeler's concern has been that broadband providers, that are now more tightly regulated under rigorous Chapter 47 Title II regulation through the highly controversial Network Neutrality order a/k/a Open Internet Order, would require customers to pay higher fees in exchange for limiting privacy.  The underlying technical difference from broadband providers and web sites is that the broadband providers connect customers to the internet web sites. That internet connection, through cable, DSL, or mobile phones, gives providers access to users’ information not freely available to web companies. The two simple examples of the type of information always available to the broadband provider but not to a web site or app company include precise geo-location data and the unique address of every web page visited by the user. The FCC has regulated on a limited basis privacy in the past. The FCC require telecommunications firms (think voice service) to keep customer data confidential. These FCC CPNI rules (Customer Proprietary Network Information) included basic information like a number called by the customer and when it was called.  The FCC privacy order is now expanding its Internet privacy rules far beyond the telephone CPNI rules.

The new FCC rules give customers “opt-in” and “opt-out” rights for their broadband providers, limiting or expanding as authorized by the customers to make commercial use of the customers’ private, personal information. When signing up for broadband service, the FCC rule will give the user the privacy right to “opt-in” to a technical process that will allow their broadband provider to use and share with third-parties the customer’s sensitive information like precise GPS location, web browsing history, and app usage. Customers of broadband service providers will also have the right to “opt-out” from their broadband providers’ practice of using and sharing with third parties non-sensitive information like the customers’ email addresses.  Moreover, broadband service providers will now be required to provide easy to understand, “transparent” notices to their customers stating what information is being collected and how that information may be used or shared with third parties. The FCC order will mandate privacy protection practices, addressing the cyber security hacking problems, requiring broadband providers to use reasonable data security practices and to implement best practices consistent with the FTC’s rules and the President’s 2015 “Consumer Privacy Bill of Rights.”   If a broadband service provider is hacked, these policies could arguably protect the broadband provider against liability if the provider is shown to have been implementing the reasonable security practices.

The FCC’s privacy order also imposes a “common-sense data breach notification” requirement for broadband providers to giving consumers and law enforcement notice of breaches. These type of notices for web sites in the U.S. vary based on differing state regulations (Massachusetts and California, for example, have the most comprehensive privacy protection and notice requirements) or different vertical related industry service statutes such as HIPAA/HITECH for healthcare related services and Frank-Dodd for financial related services. One advantage of the regulation for broadband providers is that they will be subject to one, national set of privacy and cybersecurity rules and that potentially different state regulation of the broadband providers’ privacy and cybersecurity notice practices will be pre-empted by the FCC.

Arguments against the privacy order articulated by the two Republican commissioners and by broadband service providers and on-line advertisers contend that: a) the FTC has already regulated privacy of web companies, b) the FCC’s new opt-in privacy rule for broadband providers will be confusing to consumers, c) the order would treat internet providers differently than web companies like Google or AOL, favoring Google type companies over broadband service providers, d) the order went too far in protecting certain non-sensitive consumer information like names, addresses, and phone numbers, and e) like the lengthy dissent argument set forth in the Network Neutrality decision, the FCC failed to follow basic comment periods and information evidence gathering requirements needed to comply with administrative law as provided in Chevron v.  Natural Resources Defense Council, Inc., 467 U.S. 837 (1984).   Based on the comments provided by those opposing broadband providers and advertising associations opposing the new privacy order, it is likely that the order will be challenged and appealed.    

See more of Barlow Keener's articles at TMCNet

This blog/Web site is made available by the contributing lawyers or law firm publisher solely for educational purposes to provide general information about general legal principles and not to provide specific legal advice applicable to any particular circumstance. By using this blog/Web site, you understand that there is no attorney client relationship intended or formed between you and the blog/Web site publisher or any contributing lawyer. The blog/Web site should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

The FCC Hacks into Mobile Privacy  March 2016
By Barlow Keener, Attorney, Keener Law GroupCIPP (Privacy)/US Certified
 
The whole world of tech pundits, tweets, blogs, and news reports focus on the current privacy crisis. Not a day goes by without data privacy problems rising to the top of Google News. Hackers regularly break into any large company and steal terabits of customer data. And web firms are regularly accused of using customer data improperly without customer consent or knowledge. Web firms all have privacy terms and are held strictly accountable for following their own agreed upon standards. Germany recently initiated a proceeding against Facebook linking antitrust to alleged privacy abuses. 

In the U.S., the Federal Trade Commission has been the entity most responsible for carrying out vigorous privacy investigations against web firms like Google or Facebook. But still, a strongly held view by privacy advocates is that the U.S. has lagged behind other countries when it comes to protecting privacy rights involving communications carriers. This is because of a gap in the law limiting the authority of the FTC for regulating common carriers and giving authority to the FCC.

At the end of March 2016, after several years of study and consideration, the FCC announced it will issue a notice of proposed rule making delivering new privacy rules for common carriers. Common carriers include mobile carriers, which is the concern of most privacy advocates, and indeed the devices that contain more privacy data that any other computer we use. The Telecommunications Act of 1996 gave the FCC the authority to issue regulations to protect the privacy of common carrier customers. In 1999, the FCC issued the first orders covering CPNI, or customer proprietary network information. The CPNI rules have been amended over the years.  There are not opt-in, opt-out requirements, only accessibility requirements. Carriers can use the CPNI for any use as long as the privacy of the data is maintained. CPNI has traditionally included information like phone numbers; also included is all information “made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”  

The idea that a mobile phone device connected by a carrier would contain so much very personal information was unimaginable 15 years ago. Mobile device information available to mobile carriers includes all the data typically passed by an Internet service provider, both encrypted and unencrypted. But data generated also includes GPS location, Wi-Fi access points, device motion, video, photos, texts, audio files, notes, and massive amounts of data generated by apps on the device. When the Verizon supercookie tracking issue arose last year, FCC Chairman Tom Wheeler committed to Congress to investigate the particular issue. Wheeler told Congress

“that ensuring the privacy and security of sensitive personal information about consumers' use of communications services is of utmost importance. As you suggest, we will be considering the extent to which our rules and policies relating to consumer privacy, data security, and transparency may be implicated.”

Now, a year later, the FCC is taking action. The FCC delivered what it called a fact sheet of the proposed rules that would be included in the NPRM. The NPRM will be presented for a vote at the full commission’s March 31, 2016, meeting, followed by a period for public comment. There are three basic permission categories addressed:

• Initial Sale: Data needed for providing and marketing broadband requires customer consent beyond creating the customer-broadband relationship.

• Opt-Out: Broadband providers must give the customer the ability to opt-out from allowing the provider to use the data to market other communications-related services and to share customer data with their affiliates that provide communications-related services.

• Opt-In: Broadband providers must receive the customer’s pro-active opt-in consent for all other uses of the customer’s data and for sharing the data

Carriers will be required to implement risk management practices for protecting information from hackers, beef up customer authentication, institute privacy training, appoint a senior manager for privacy issues, and take responsibility – which means liability – for the use and protection of the data by third parties. Also included are time limits for notifying customers of a data breach – 10 days – and notifying the FCC seven days from discovery. The FCC’s NPRM will not prohibit the mobile carriers from using customer data. However, it will give customers control over whether the data will be used by third parties. 

The FCC’s proposal imposing privacy requirements on mobile carriers is inevitable. Courts, agencies, and legislators around the globe are quickly closing in on all entities to protect privacy.  U.S. mobile carriers, and wired common carriers, will now be required by the FCC to implement very similar privacy policies that are imposed on web firms like Google, Facebook, WhatsApp, Snapchat, and Instagram.

See more of Barlow Keener's articles at TMCNet

This blog/Web site is made available by the contributing lawyers or law firm publisher solely for educational purposes to provide general information about general legal principles and not to provide specific legal advice applicable to any particular circumstance. By using this blog/Web site, you understand that there is no attorney client relationship intended or formed between you and the blog/Web site publisher or any contributing lawyer. The blog/Web site should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.