Best Practices for Avoiding Costly Data Breaches

By Tom Zeno and Lindsay Holmes

Headlines about data breaches focus on companies such as Target, but the importance of the AvMed settlement should not be overlooked. AvMed recently paid approximately $3.5 million to end a class action lawsuit, even though some plaintiffs could not prove actual damage from the breach. Can your organization avoid such a fate?

In 2009, health insurer AvMed reported two missing laptops containing unencrypted personal information including as many as 1.2 million names and Social Security numbers. In October 2013, after years of litigation, AvMed agreed to settle by implementing data security measures that should have been in place. These include measures described in the Health Insurance Portability and Accountability Act (HIPAA) regulations at 45 CFR Parts 160 and 164.

The trendsetting aspect of the settlement requires AvMed to forfeit the “unjust enrichment” it has received over the years by not providing sufficient data security for its customers. Described as returning “premium overpayments,” AvMed will pay $10 for each year an affected customer paid insurance premiums. In addition, it will pay actual losses related to identity theft.

Following the AvMed settlement, companies that are tempted to improve the bottom line by delaying data security upgrades may face a hefty price tag in the event of a breach, regardless of whether an actual injury results. Plaintiffs’ litigation seeking the return of unjust enrichment will not be limited to health care, so investments in security measures will protect your company, as well as your patients and customers. In AvMed’s case, for instance, no breach would have occurred if the laptops had been encrypted, because the information would have been unreadable.

Federal and state data privacy laws likely will establish a standard of due care against which unjust enrichment claims will be filed and damages calculated. By following those standards now, your organization can avoid a host of problems.

Federal Health Privacy and Security Laws

Under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities, such as a health care provider, and their business associates are responsible for implementing security measures to protect the integrity and privacy of patient information (45 CFR Parts 160 and 103). Although these requirements are scalable, an organization’s size, complexity and capability cannot be used as an excuse to avoid implementing security.

At a minimum, covered entities and business associates are required to maintain HIPAA privacy and security policies and procedures, implement specified security measures, and train employees to safeguard protected health information (PHI). Unsecured PHI includes information “not rendered unusable, unreadable or indecipherable to unauthorized persons” through methods specified by the secretary of Health and Human Services (HHS).

Currently, the two acceptable methods of securing PHI are encryption or proper destruction of the data. The penalty HHS imposed on the Hospice of North Idaho in December 2012 demonstrates the need for encryption. The hospice was charged the maximum penalty of $50,000 for a single violation when a laptop computer holding the data of 441 patients was stolen, because the organization used an unencrypted laptop and had no policies or procedures addressing mobile device security, as required by HIPAA.

Subsequently, HHS also announced its initiative, “Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.”

Additionally, the Federal Trade Commission has brought more than 30 cases against a variety of companies for violating consumers’ privacy rights or for data breaches. The FTC also polices financial institutions subject to the Gramm-Leach-Bliley Act, which distinctly resembles the HIPAA privacy and security rules by requiring protections such as a written security policy, risk assessment and access controls.

Although voluntary, the Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014 by the National Institute of Standards and Technology, should not be overlooked. NIST describes the framework as “created through collaboration between industry and government” and “consist[ing] of standards, guidelines, and practices to promote the protection of critical infrastructure.”

NIST considers the framework “prioritized, flexible, repeatable and cost-effective.” It is likely that plaintiffs will try to hold companies to this standard.