Medical institutions, health data companies face growing data protection regulatory risks under HIPAA

The University of Texas MD Anderson Cancer Center should have known better, a federal administrative law judge admonished in imposing a $4.3 million fine last year. Entities that hold sensitive medical and insurance data would be wise to view Anderson’s story as a cautionary tale.

While the highly regarded cancer center in Houston recognized more than five years before it suffered a series of data breaches in 2012 and 2013 that it needed to encrypt its medical records, it “failed spectacularly to protect [the hospital’s] confidential data,” Administrative Law Judge Steven T. Kessel concluded in the US Department of Health and Human Services order in June.

One MD Anderson laptop stolen by thieves in one of those breaches held the unencrypted medical records of 30,000 people, but it wasn't even password-protected. The patient data exposed in the three MD Anderson breaches included Social Security numbers, and clinical information such as diagnoses, assessments, prognoses, and treatment regimes.

With medical and insurance records increasingly digital instead of paper, US entities that collect, store or process that data — hospitals and clinics, insurance companies and medical data companies — face growing regulatory risks and are paying record civil penalties to federal regulators if they fail to respond aggressively to the growing threat from cyber-attackers.

The US Department of Health and Human Services Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act (HIPAA), recorded a record $28.6 million in civil penalties in 2018 for privacy and data security violations.

But the last three years, from 2016 through 2018, marked a significant surge in HIPAA enforcement fines collected by federal regulators over previous years. More than two-thirds of the total $104 million in fines OCR has handed out since it began enforcing HIPAA privacy rules in 2008 came in the past three years, an analysis of HHS data by MLex shows.

The OCR’s 2018 total included the single largest individual HIPAA settlement in history, the $16 million that health insurer Anthem paid in October to settle HIPAA allegations around the largest data breach in US health care history. The Anthem settlement was nearly triple the previous record settlement by OCR.

Growth factors

While the Anthem settlement stands out for its size, it is part of a trend in which OCR is bringing more HIPAA enforcement actions, yet the average size of those individual settlements and judgments is also growing.

Medical institutions and companies paid HIPAA fines ranging from $100,000 to $16 million in 2018 for an array of data-protection gaffes, ranging from leaving unencrypted data in an unlocked truck to, in Anthem’s case, falling victim to a sophisticated spear phishing attack that may have been sponsored by the Chinese government.

The average financial penalty per case has also grown, reaching an average of $2.6 million in 2018. That was up from $970,000 in 2012, the first year when OCR had at least five enforcement actions.

A key factor driving the growth of enforcement is that “the hacking of electronic health record systems is growing in frequency,” Rachel Seeger, a spokeswoman for the HHS Office for Civil Rights, said in written responses to MLex questions.

OCR’s data shows that hacking incidents reported to the regulator that caused larger data breaches have nearly quadrupled in the past four years, growing from 39 reported incidents in 2014 to 149 in 2018.

One common element in OCR enforcement actions is that companies facing financial penalties often, like MD Anderson, have suffered multiple breaches or privacy violations after failing to take appropriate steps to protect patient data.

“OCR seeks to highlight HIPAA investigations involving systemic noncompliance with the HIPAA Rules or egregious violations of individuals’ privacy rights through settlements or the imposition of a civil money penalty,” Seeger said in the OCR written responses. “The size of a settlement with an entity depends on the facts and evidence gathered during an investigation.”

The OCR’s final enforcement action of 2018 was a $3 million settlement with Cottage Health, the operator of a string of hospitals in Southern California, which on two occasions allowed anyone accessing the company’s website to access patient records without requiring a username or password. Around 62,000 people had their health data exposed.

“As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server,” the OCR said in a statement in December.

Serial failures

In the Anthem breach, Chinese attackers spent months worming their way through the insurer’s computer network over a 14-month period in 2014 and 2015, before exfiltrating the personal information of 79 million people. The stolen data included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information, OCR said.

Anthem ultimately fell victim to eight different China-based “advanced persistent threats,” according to evidence introduced as part of litigation that led to a record $115 million settlement for a data breach class action in 2017.

Called "APTs" in security jargon, such attacks involve a hacker gaining unauthorized access to a private network and lurking undetected for a long time, with the capability to gain control and cause harm within the network. Evidence introduced in the case said Anthem executives ignored the advice of security managers.

Anthem’s potential violations of HIPAA privacy rules identified by OCR included a failure “to identify and respond to detections of the security incident,” and non-compliance with the “requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities,” leading to the breach.

Unlike the US Federal Trade Commission, which has a limited ability to obtain civil penalties for first-time offenders of data breach or privacy violations, the OCR can seek financial penalties for a first offense.

Ten of OCR’s 11 enforcement actions in 2018, which also included prominent institutions like Boston’s Brigham and Women's Hospital and Massachusetts General Hospital, ended in negotiated settlements.

However, if the OCR can’t reach a settlement, HIPAA rules include a process for a hearing and judgment before an HHS administrative law judge. As MD Anderson has, a defendant can appeal an ALJ decision to the Department’s Appeal Board. It can then appeal that decision to a federal appeals court.

Kessel, the HHS judge who heard the MD Anderson case, wasn't swayed by its argument that it should face a fine of no more than $100,000.

“It is easy to lose sight of what is really at issue here in the blizzard of arguments and counterarguments,” Kessel wrote in the order. “This case is in its present posture because Respondent recognized a problem, consisting of the vulnerability of its ePHI (electronic protected health information) to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism.”