Healthcare organizations contain a wealth of personal information, making them them the number one target for cyber breaches, according to a Houston-based attorney who specializes in healthcare privacy.
Lynn Sessions, a partner in BakerHostetler’s Houston office, has been working with healthcare providers for 23 years. In this edited interview with Insurance Journal, Sessions discusses the impact of cyber breaches in the sector.
IJ: Why is the healthcare field such a big target?
Sessions: Health care organizations have a gold mine of information. … They have names. They have social security numbers. They have health information. They have health insurance ID numbers. All of this can be monetized. We hear that Social Security numbers and credit card numbers are actually 50 cents on the black market. If you can get health insurance ID numbers, if you can get health information about those individuals, then fraudulent insurance claims can be made. That can be monetized to a much, much higher value.
IJ: Assuming these people are not just bored teenagers, who is conducting these breaches?
Sessions: We do have some teenagers that are hacking in just for the fun of it. We have teenagers who are being compensated by organized crime and others … located here within the United States. That’s actually not the most common.
What we also see is organized crime here in the United States hiring people or paying people who are already working in healthcare organizations … to bring this information outside the organization. Whether it’s in an electronic format or if it’s in a paper format, they get names and Social Security numbers, health insurance IDs and health information that they can then use on a volume basis. Some of that’s organized crime internally.
We also see … that the Chinese government is interested in American health information. … We don’t really know why. We hear from the FBI that they may be creating a dossier on a variety of different Americans to be used at a later date. …
We also hear that they’re using it for a little more altruistic reasons, which is, “Look at what’s happening in the United States … how they are doing things like treating diseases, curing diseases,” and then essentially stealing the intellectual property. …
Similarly, the Russian mob will also attack. They’re looking for things that are easily monetizable. They’re looking primarily for Social Security numbers with names that they can open up fraudulent credit cards, that they can file fraudulent tax returns. That’s where we kind of see the greatest … concentration of these types of attacks.
IJ: What happens when an organization has a breach?
Sessions: First they have to be able to detect the breach. Sometimes that can take a little while. We have seen perpetrators be within a healthcare organization’s network for over six months before they even discover it.
Once they detect it, that’s when the discovery date starts under HIPAA [Health Insurance Portability and Accountability Act]. The healthcare organization has no greater than 60 days in which they need to investigate, prepare notification letters, and send out notification letters under HIPAA.
Sixty days sounds like a long time. It goes by very, very quickly. … They discover it. They then begin an investigation. That could include interviewing employees. That could include a forensics investigation where you hire an outside forensics investigator. … [Forensics investigators] are very specialized in what they do. They can be worth their weight in gold if they can determine that you don’t actually have a breach.
You do the forensics investigation. At the same time, you have to determine who are the affected people that you may need to notify. Once that determination is made … you also have to prepare notification letters, look up addresses, which can actually sometimes be very tricky to do. … Then, just frankly, based on the number of people who may be affected, you have to order credit monitoring codes. You have to actually print the letters. You have to set up a call center. …
If you have a breach that’s over 500 people, you have to notify the Office for Civil Rights, which is the enforcer of HIPAA. …
Once you notify the Office for Civil Rights you will receive a phone call from them. They will confirm the information that you have put into their portal. They will then tell you that within 30 to 60 to 90 days you will receive a written inquiry, which starts the Office for Civil Rights investigation.
The OCR investigation can take years to do. We are still working on OCR investigations from breaches that happened back in 2012. … Legal fees are primarily the expenses that are incurred in the Office for Civil Rights investigation.
The OCR … will do three things. They will either dismiss the incident outright, which doesn’t happen very often. They will dismiss the incident with corrective action already having been taken by the covered entity. That’s one area we try to focus on with our clients, is to say, “Let’s get the corrective action in place, so that you can demonstrate to the OCR that you’ve already done everything they’re going to tell you need to do.”
The third one is they move towards resolution agreement. We’re seeing those resolution agreements as high as $1.5 million to $3.9 million, getting closer and closer to $5 million per breach. We are told that they may even go higher if the OCR feels like the covered entities aren’t really paying attention to what the requirements are.
Additionally, what could happen is the organization may get sued. We have seen class action lawsuits arise out of larger breaches, meaning those typically in the six-figure or seven-figure range.
IJ: How do you help clients to proactively either prevent or mitigate a breach?
Sessions: I wouldn’t tell you that every breach is preventable. I think that especially with the very sophisticated cyberattacks we’ve been seeing in the last couple of years in healthcare, people fall for phishing emails. I can’t say that it’s 100 percent preventable. What we do is we use HIPAA as the regulatory framework, as kind of the base minimum standard of care. This is what every healthcare organization has to have in place.
There are things like policies and procedures. There are things like, “Have you done what HIPAA calls a security risk analysis,” which is really a risk assessment of your security posture. “Do you know where all of your protected health information is, so that you know how to protect it?” “What kind of training and education do you have for your staff?” That’s very, very important. …
Making sure you have a culture of compliance really starts at the top. It starts with the CEO, the chief medical officer. All of those people have to be on board to protecting patient information. The organizations that do that well are the ones where the CEOs and the CMOs are really out front at the face of things like privacy and data security.
The above conversation is based on a video interview with Sessions at the PLUS Medical Professional Liability Symposium in Chicago in April 2016. A clip of that interview may be found here.
Was this article valuable?
Here are more articles you may enjoy.
Wall Street Pushes Back After Activists Escalate Protests 
Man Admits to Tracking Drivers, Programming Keys, Stealing and Reselling Vehicles 
Insurers Hike Rates as Extreme Storms Like Beryl Proliferate 
Surplus Lines Commercial Growth; Fla. Litigation Costs Reach New High in 2023 
