Even though there seems to be a breach in the healthcare industry every week, there is still a lot to learn from these patient information breaches. For example, a recent breach at 21st Century Oncology illustrates two important issues concerning the current state of cyber security. First, it serves as a reminder that a single piece of data may be protected by a number of state and federal regulations. Second, the safeguards around retained data must evolve to keep up with the methods hackers use.
The data breach disclosed this month by 21st Century may have involved more than 2 million people. On November 12, 2015, 21st Century discovered one of its employees stole patient names, Social Security numbers and dates of birth of current and former patients to file fraudulent claims for tax refunds. Multiple class action lawsuits were filed after 21st Century disclosed this breach on March 4, 2016. The latest Class Action Complaint was filed on March 18, 2016 in the District Court for the Middle District of Florida.
Multiple State and Federal Regulations May Protect the Same Piece Of Data
The breach and resulting litigation at 21st Century demonstrate the need for any entity that stores data (or its insurer) to be aware of the various state and federal regulations governing the data being stored. In addition to claims of HIPAA violations, the Class Action Complaint against 21st Century also seeks recovery under the Florida Deceptive and Unfair Trade Practices Act, the Gramm-Leach-Bliley Act and the Federal Trade Commission Act. Cyber security presents a unique threat because a single theft can give rise to a number of different violations under state and federal law.
While Data Remains the Same, Methods to Steal Have Drastically Changed
In general, the Class Action Complaint filed in the latest lawsuit contains allegations that 21st Century failed to maintain an adequate data security system. More importantly, the Class Action Plaintiffs claim 21st Century failed to protect their sensitive medical and health information, which HIPAA, passed by Congress in 1996, requires it to protect.
The Class Action Complaint asserts that, as a health care provider, 21st Century maintained records for its patients including “the individual patients’ medical history, diagnosis codes, payment and billing records, test records, dates of service, and such health and treatment information necessary to process health insurance claims.” The lead class action plaintiff claimed 21st Century made promises to him and the other plaintiffs that their information would be protected under the requirements found in HIPAA.
In asserting that 21st Century violated HIPAA, the Class Action Complaint contains allegations that 21st Century specifically violated Title II of HIPAA, which creates rules for handling sensitive information. Paragraph 54 of the Class Action Complaint alleges:
Among other such insufficiencies, Defendant either failed to implement, or inadequately implemented, information security policies or procedures that protected or otherwise controlled the storage of personal information on Defendant’s computers. In addition, Defendant’s prolonged data breach could have been prevented if Defendant had honored its obligations to its patients by implementing HIPAA mandated, industry standard policies and procedures for securing their personal information.
While HIPAA has not changed, the threat to healthcare information constantly changes. In addition to being responsible for complying with various state and federal regulations, 21st Century was also required to store information in accordance with HIPAA. While most of the healthcare industry is familiar with HIPAA, data storage technology and hackers' methods have drastically changed since it took effect in 1996. Consequently, it is important to analyze the numerous breaches in the healthcare industry even if you don't store health information.