Updated: Dec 20, 2019
We've been writing about civil lawsuits and HIPAA for years, mostly to show that "Clapper" has been used to successfully defend healthcare organizations from additional liability. To be clear, HIPAA has no provision that lets an individual bring a breach claim. But we've also been posting about how more cases have successfully demonstrated potential harm or risk of harm, and how HIPAA has successfully been used as a standard to measure due diligence - and we've been advising our partner-clients that the OCR settlement isn't the REAL lawsuit to prepare for. We read this morning that Banner Health of Arizona has agreed to a liability cap of up to $6M to settle claims brought by victims of its 2016 health information breach. This amount is in addition to any OCR settlement, which isn't final, and it's rare that a breach this large doesn't come with a Corrective Action Plan or Civil Monetary Penalty.
State Attorneys General, the Federal Trade Commission and class action lawsuits represent additional means of accountability for every Covered Entity and Business Associate. Additionally, I'll wager that legal counsel fees are another significant cost to plan for, one that would drain a healthcare organization post-breach. Yes, most companies have insurance - but we've also read that some insurance companies have fought against paying out claims when the affected organization cannot demonstrate that reasonable and appropriate safeguards were in place to prevent the breach. Frankly, I don't understand why more insurance companies don't ask for this proof before binding a policy.
2019 is drawing to an end. Phishing attacks have been the "go-to" method for criminals to penetrate information systems and cause breaches. Cyber attacks that exploit medical equipment vulnerabilities are on the rise and may become the next popular attack method as more companies conduct phishing training. It's no secret that some medical equipment vendors don't patch, don't update their base software platforms (e.g. still run Microsoft Windows XP, etc.) or are vulnerable to Bluetooth exploits. It is no longer reasonable to hide from HIPAA, compliance, security or risk. Give us a call if you want help or if it's been a while since we've chatted.
Stay (HIPAA) safe,