By Thomas Zeno and Lindsay Holmes
AvMed recently paid $3.5 million to settle a data breach lawsuit in which class members could not prove actual damage. Will your organization be next? Plaintiffs' lawyers, as well as federal and state governments, are likely to file "unjust enrichment" claims against organizations that do not ensure safe transmission and storage of personal data. Whether your organization handles financial or medical data, the price of IT compliance may be high, but the price of non-compliance is even higher.
In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Class action litigation began in 2010. Based on the October 2013 settlement agreement, AvMed is required to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades, and updates to security policies and procedures, all of which are set out in Health Insurance Portability and Accountability Act (HIPAA) regulations (45 CFR § 164).
The striking part of the settlement requires that AvMed also forfeit the "unjust enrichment" it has received over the years by not spending sufficiently for the data security it should have provided. AvMed will reimburse "premium overpayments" of $10 for each year the customer paid AvMed insurance premiums with a $30 cap for each approved class member without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.
The AvMed settlement proves that now is the time to implement data security measures that will protect your company, your patients, and your customers in the future. Although experts predict that data losses are likely inevitable, damage to your organization does not have to occur. Lost data does not automatically become a data breach. In AvMed's case, for instance, encryption would have rendered the stolen information unreadable and no breach would have occurred.
By implementing data security measures already suggested or required, your organization can avoid a host of problems. Whether your organization handles personal information now, or may do so in the future, federal and state laws are likely to set the standard by which unjust enrichment claims will be made and damages calculated. Below are examples of what is expected.
Although healthcare security requirements are scalable, (78 FR 5589 January 25, 2013) covered entities (45 CFR § 160.103) defines a covered entity as a health plan, health care clearinghouse, or health care provider.) and their business associates (Id. Examples of business associates of covered entities are consulting firms, e-prescribing gateways, and outside legal counsel) remain responsible for implementing security measures to protect the integrity and privacy of patient data despite an organization's size, complexity, and capability. At a minimum, covered entities and business associates are required to maintain HIPAA privacy and security policies and procedures, implement specified security measures, and train employees on protecting (PHI) protected health information (45 CFR § 160.103).
The Breach Notification Rule requires that a covered entity "notify each individual whose unsecured [PHI] has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach" within 60 days of discovering the breach (45 CFR § 164.404(a)(1)).
Breaches involving more than 500 individuals require the covered entity to notify prominent media outlets serving the area. Unsecured PHI includes information "not rendered unusable, unreadable, or indecipherable to unauthorized persons" through methods specified by the Secretary of Health and Human Services ("HHS"). The covered entity is also required to notify HHS in the event of a breach. HHS may impose civil monetary penalties up to $50,000 per violation on the covered entity or the business associate. The Department of Justice ("DOJ") also may bring criminal charges in some instances.
Currently the two acceptable methods of securing PHI are encryption or proper destruction of the data. HHS proved its resolve to enforce the encryption standard when it announced the penalty imposed upon the Hospice of North Idaho in December 2012. Even though the theft of a laptop computer with the data of 441 patients had been reported to it in 2010, HHS did not tolerate the entity's use of an unencrypted laptop and the entity's failure to have policies or procedures addressing mobile device security as required by HIPAA. Accordingly, HHS imposed what amounted to the maximum penalty of $50,000 for a single violation. In announcing the penalty, HHS said, "Encryption is an easy method for making lost information unusable, unreadable and undecipherable." At the same time, HHS announced its initiative: Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. HHS provides more information on this initiative at www.HealthIT.gov/mobiledevices.
The Federal Trade Commission ("FTC") has also been involved in data breach enforcement by alleging "unfair and deceptive trade practices" against companies that did not properly protect consumer information leading to identity theft. As of 2011, the FTC had brought more than 30 cases against a range of companies for violations of consumers' privacy rights or for data breaches. A number of the settlement agreements require periodic audits during the next 20 years, implementation of security programs, and civil monetary penalties.
The FTC also polices "financial institutions" subject to the Gramm-Leach-Bliley Act. Businesses that significantly engage in providing financial products and services are required to protect the security and confidentiality of such information. This Act distinctly resembles the HIPAA Privacy and Security Rules, by requiring protections such as a written security policy, risk assessment, access controls, etc.
Currently, forty-six states as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data security breach laws, some of which are broad enough to span multiple industries. For example, Massachusetts state law requires notification by "person or agency that maintains or stores…data that includes personal information about a resident of the commonwealth" when it "knows or has reason to know of a breach of security or" the information "was acquired or used by an unauthorized person or for an unauthorized purpose." Personal information, as defined by Massachusetts law, can be the first initial and last name of an individual coupled with a social security number, driver's license number, or credit card number. (M.G.L. ch.93H §1-§3) Based on the broad definition of personal information, this and other state laws should prompt all companies to properly protect customer information.
It is no surprise that companies are feeling the financial pinch of upgrading data security systems to ensure that they do not fall victim to hackers, thieves, and even unintentional errors resulting in lost protected information. Some organizations have reasoned that the time and the money necessary to implement data security measures are not worth it. AvMed would likely disagree.
The plaintiffs' litigation is not unique to the healthcare industry. Although proving the causal link between the breach of consumer information and an injury can be difficult, the theory in AvMed will make damages easier to determine. The standard of due care is likely to be established by federal and state data privacy laws. Going forward, an organization's failure to guard information properly may carry a hefty price tag regardless of whether an actual injury resulted. The money an organization thinks it is saving may, in fact, be nothing more than "unjust enrichment."
Thomas E. Zeno,
a former assistant US Attorney for the District of Columbia, is now Of
Counsel to Squire Sanders. An AUSA for more than 25 years, Tom
investigated and prosecuted economic crimes involving health care,
financial institutions, credit cards, computers, identity theft, and
copyrighted materials. Tom practices in the firm's white collar,
investigations, and enforcement group, as well as its healthcare group. Lindsay Holmes, a Healthcare Fellow in Squire Sanders' Washington DC office, focuses her practice on healthcare matters.