Healthcare organizations are prime targets for cyber-attacks; practices need to step up and meet the resulting protection challenges.
A sequela of the virus that compromised your network may be a lawsuit from Edelson PC. Edelson PC is a recognized leader in plaintiffs' class and mass action litigation with a special emphasis on technology and privacy cases. Jay Edelson made national news last month by filing suit against MDLive, a telehealth provider focused on digital delivery of medical care. This Chicago-based attorney is smart and representative of a growing number of plaintiff lawyers focused on privacy issues.
To properly understand the litigation risks faced by healthcare providers, it is useful to learn from those on the other side. Recently, I had the opportunity to speak with Jay Edelson and his partner, Christopher Dore. Below are excerpts from my discussion with Edelson and Dore.
Sacopulos: Some people would argue that the general public's privacy expectations have lowered in recent years. Do you agree?
Edelson: No, I think that is wrong. I think there has been a major shift in privacy and how people view privacy in the last decade, starting from the Snowden revelations, which really changed the debate, to more recently the Russian hacking of the election, which made people extremely aware of the threats of hacking, and then even more recently, in the Trump administration, the gutting of FCC rules which protected search histories. What we have been seeing is that states are really scrambling, trying to step in where the federal government hasn't, and are really pushing very positive, consumer-friendly privacy laws.
Sacopulos: Medical practices share patient information with third parties that are referred to as business associates under HIPAA. Are you aware of claims against medical providers for negligently selecting or monitoring these business associates when a privacy breach occurs?
Edelson: I think that is going to be the next wave. So, the way that we think about it is almost from the eyes of a hacker. Where is the weak link? Often the weak link isn't with the institution itself, it may not be with the hospital. Although hospitals tend not to have very good cyber security, it may be someone down the chain. When a hospital chooses a vendor, including a law firm, and they are not doing their due diligence, they can easily have liability.
Sacopulos: What has been your experience with cyber insurance in litigation?
Edelson: My view is that a lot of people are buying policies. Whether they are covered or not ends up being a huge debate. Often that can lead to secondary issues.
Dore: Part of the issue with cyber insurance is that it is limited in what it covers. For example, the type of litigation that we bring may not fall under that coverage. It is more often put out there to respond to a data breach, where you have all sorts of internal costs and outside vendors to help clean up the mess. Another issue is that a lot of people are going out and buying these policies and then are not following the rules that are put upon them when buying the policies. For example, you must have "X" number of audits within a certain period. Or you must do a certain type of testing. If they don't have a good agent or broker informing them of that, and they are not following those constraints, coverage could be voided. When a breach does occur and the insurance company shows up and says you didn't follow any of our rules so you don't get any of our coverage, people are upset. I think that is a pretty rude awakening to a lot of people who think, "I didn't think I had to actually step up my game since I had this special insurance." It works the opposite of that.
Sacopulos: Physicians must provide privacy notices to their patients. Have you seen anyone use those privacy notices as a basis for a claim?
Edelson: Yes. HIPAA is not a great statute for a consumer because there is no private right of action, meaning an individual can't sue. So, if there is some sort of data breach or misuse of data, the theories that inspire plaintiffs before suing tend to be something of a breach of contract theory: "I thought I was paying for something and I got less. I went to you as a doctor and I gave you $500, and part of my expectation was that you would protect my medical records, and you did not do that." A consumer-facing statement saying we are going to protect your information tends to be very irrelevant to establishing a claim.
Sacopulos: What advice do you have for physicians?
Edelson: The first thing they need to understand is that they are a prime target for hackers. They've got such valuable information, and hospitals tend to be really bad, and doctors' offices are even worse, about protecting information. Even if someone puts in some type of fancy security system, individuals are going to places like Starbucks and accessing patient records on free Wi-Fi; that is a disaster.
Sadly, Edelson is correct. Healthcare providers are a prime target for cyber criminals. Many practices have poor cyber hygiene. Business associates are rarely vetted for IT privacy and security. In short, the healthcare community as a whole needs to do a better job of protecting patient data. Hopefully, Edelson's comments will serve as motivation for some to exercise greater caution in handling patient data.