During 2017, the largest 10 HIPAA breaches reported affected 2.6 million people, according to the HIPAA Breach Reporting Tool. A total of 335 HIPAA breaches in 2017 affected 4.9 million people. While 4.9 million records are a mere drop in the bucket compared to the Equifax breach affecting 145.5 million records, the number is massive when one thinks about health care organizations allowing unauthorized hackers to take data that one has a high expectation that their information will be kept private. In 2016, by comparison, there were 327 HIPAA breaches affecting 16.6 million persons, and in 2015, there were 269 breaches where hackers gained access to 113 million people.
Hospitals have expended large portions of their budgets to create secure electronic medical records systems. However, the probability of patients having their very private medical records accessed and used by the "bad guys" seems to be relatively high. It is as though the dike is perforated with holes. The probability strong is that any hospital electronic medical record system will be hacked. The records that are taken can be used for years by the hackers to harm the individuals.
One healthcare class action lawsuit filed against Banner Health, in the U.S. District Court for Arizona, exemplifies just the beginning of problems for a hospital institution where the hackers gained access to the medical record system. The Banner Health breach affected 3.7 million individuals. The hackers were described in the lawsuit as a “financially motivated threat group.” Apparently, the hackers first gained access to the hospital's credit card system at their food cafeterias allowing the hackers to then access patient and health plan member records.
The hackers got into the secure system on June 17, 2016, and then, for two weeks, were undetected. On June 29, 2016, the breach was discovered while techs were investigating "unusual slowness on various servers." The hospital then hired an outside firm to investigate the problem. On July 13, 2016, Banner learned that the unidentified "hackers" gained access to patient information. Banner reported that the patient and health plan information may have included names, birthdates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and social security numbers. On August 3, 2016, Banner publically announced the breach and stated that breach notification letters would be sent on September 9, 2016.
In August 2016, a class action was filed against Banner Health that included seven causes of action including i) negligence, ii) negligence per se, iii) breach of contract, iv) breach of the implied covenant of good faith and fair dealing, v) breach of implied duty to perform with reasonable care, vi) unjust enrichment, and vii) violation of the Arizona Consumer Fraud Act. Banner Health thereafter filed a motion to dismiss the complaint for lack of standing and to strike the causes of action.
On December 20, 2017, the Court issued an order dismissing three of the Plaintiffs’ claims: i) breach of contract, ii) breach of the implied covenant of good faith and fair dealing, and iii) breach of the implied duty to perform. The court agreed with Banner Health's argument that because the hospital had a pre-existing legal duty to protect the information, it could not be held liable for a breach of contract for the same duty -- if there even was an agreement with the Plaintiffs to maintain the security of the information, which the Court questioned.
However, the Court found that the Plaintiffs had standing to sue as they met the "injury-in-fact" requirement as articulated in a Ninth Circuit HIPAA case that concluded that a plaintiff meets the "injury-in-fact" requirement by alleging an "an increased risk of identity theft due to the theft of his or her PII even without alleging that any actual identity theft has occurred." The Court also found that the four of the claims should not be dismissed: negligence, negligence per se, unjust enrichment, and violation of the Arizona Consumer Fraud Act.
A health care provider, after a major breach, faces numerous difficulties. These include the "soft" liabilities in form of the loss of trust by employees, patients, and, if a non-profit, donations and gifts. Patients, rightfully so, may in the future work to edit and limit what is placed in their medical records, fearful of the high likelihood that their private information could be made public. There is also the cost and hospital-ranking system "black mark" of civil, or possibly criminal, liabilities imposed by the U.S. Department of Health and Human Services (HHS) through its enforcement group, the Office of Civil Rights. In addition, state attorneys may bring their own causes of action against the institution resulting in further fines and impositions of costly oversight requirements like annual security audits.
Finally, there is the fact that a breach will most assuredly result in a class action lawsuit that could go on for years and cost the hospital extensive executive time and attention, examination of internal processes by aggressive plaintiff attorneys and investigators, and end with either a large settlement or payment of a judgment. While the Banner case moves forward into discovery, and then to trial, Anthem announced on June 23, 2017, that it settled a class action for $115 million for a 2015 breach exposing 80 million records. The settlement also required Anthem to devote a certain budgeted amount to information security over the next three years.
Healthcare providers may now begin to consider dramatically increasing their IT security budget before such as breach limit make accessing the hospital electronic patient records much more difficult, if not impossible to access by the bad guy hackers who are probing the hospital's network for gaps and weaknesses even at this moment.