An article in For the Record magazine entitled “Call In the Reinforcements” discussed what healthcare organizations must do to be prepared to respond in the event they suffer a data breach. Day Pitney's Jim Bowers and Eric Fader were quoted in the article, which was published in December 2016 but not discussed on this blog until now.
Jim noted that many organizations may not be able to immediately detect and respond to data breaches. “The health industry is subjected to a plethora of data breaches, but this is common across most industries,” he said. “Hacking is so sophisticated now that it may take months or perhaps years to find out someone has intruded on your information. It's an area where technology is trying to keep up, but companies don't have it down to a science where they can know immediately.”
Eric pointed out that breach investigations can be time-consuming. “First, you have to get your arms around where the information went, to whom it went, and whether it is likely to be further disseminated,” he explained. “In some cases, upon investigation, you can stop the information that was initially considered a breach from getting further. Or, maybe there is no indication that it did get disseminated in a way that is potentially damaging.”
“You have to very quickly be able to assess whether a breach has occurred, get notification out, and plug the gaps,” Jim noted, adding that timely oversight and management position organizations well for what may hit them from the outside. He also pointed to the need for external expertise in pulling information together in a “forensic” manner. “We've seen situations where companies trying to plug the breach have destroyed evidence. You want to make sure that in correcting the leakage issue you don't destroy evidence that might be crucial to litigation later on,” Jim cautioned.
Jim observed that according to industry data, business associates of covered entities are involved in 30% of healthcare breaches, and he underscored the importance of closely managing and monitoring those relationships. He also pointed out that the majority of breaches are related to malicious activity or employee negligence, opening the door to external litigation.
Eric agreed, adding that a plaintiff will likely file a case first and ask questions later. While there is no private right of action under HIPAA, he explained that covered entities can be sued for such common-law or state-recognized causes of action as negligence or intentional infliction of emotional distress. “If you don't get your act together quickly, there are going to be all these other external pressures and people muddying the waters, which can easily distract from your core tasks,” Eric said.