AXEL.org

Breach

6 textbook examples of how NOT to respond to a Data Breach (Seriously guys?)

Yahoo: Do nothing and pray it goes away

Why are we surprised at this?! When Yahoo suffered a breach in 2013, it decided to just keep quiet about the 3 billion accounts that were compromised. Surely this would prove to be an effective strategy?

LOL.

The news broke a whole FOUR years later, in 2017, that 3 billion accounts had been hacked, which is more than the company claimed in 2016, which is the first time anyone heard anything about a data breach. We shouldn’t really be surprised, as “do nothing and pray it goes away” has been Yahoo’s MO for quite some time now.

FriendFinder Networks: Take days to respond and then downplay the incident in a vague press release

FriendFinder Networks is a company that you’d reeeally want to keep your data secure. It operates AdultFriendFinder, a “sex and swinger community,” and when it suffered a breach in 2016, the response was slow and the press release was tepid. The company affirmed that it “encourages users to change their passwords,” and appeared to put most of the onus on the users, commenting that it would contact users “to provide them with information and guidance on how they can protect themselves.” Seriously?

This press release came after days of speculation, which is actually forever if you are a user of an adult website waiting to find out if your data has been made public.

Equifax: Fail to patch software, take forever to disclose breach, let execs sell their shares

Equifax has one of the shadiest timelines of this group, and competition was stiff here!! After failing to patch a known vulnerability in March 2017 in widely used open source software Apache Struts, the data of 143 million US customers was potentially exposed in May 2017. Then on July 29th, days after the breach was discovered, executives sold off nearly $1.8M worth of Equifax shares. Hmm….this looks bad, but maybe there’s something we don’t know here. (Read: there’s not. It’s bad.)

Ticketmaster: Pretend it’s not happening

Ticketmaster was alerted to a possible breach in April of 2018, but decided to do its best impression of an ostrich and just pretend it wasn’t happening until it received apparently irrefutable (or un-buryable) evidence on June 23rd. Online bank Monzo released a statement shortly afterward saying it spotted the breach in April, but Ticketmaster said nah after an internal investigation revealed no evidence of any such breach.

I’m confused. Are we just letting companies investigate themselves now? This is not how any of this should work. Anywho….

Facebook: Deny deny deny

Facebook didn’t suffer a breach. Instead, it voluntarily gave away a treasure trove of user data and then informed us that we had all agreed to it in the terms and conditions. Whoops – we should have read those, but they’re just so boring, and no one can recall seeing a line item that said “we will give away all your data, suckers, and there’s nothing you can do about it LOL.” I think I would have remembered that…..

To its credit, Facebook did admit that its data had been “improperly shared,” but didn’t go so far as to call it a breach. They didn’t go so far as to call us suckers either, but that doesn’t mean it isn’t true.

Exactis: Leave us all in suspense as if our data’s safety was a plot point in a Mission Impossible movie

None of this is entertaining, you guys. Apparently there is a “database with pretty much every US citizen in it” floating around the internet, according to security experts. That seems pretty bad.

But even worse, the company associated with the breach has stayed silent for days, which is deeply bumming out 230 million of us who would kindly like to know if our personal information is available online.

The bottom line

Data breaches are inevitable. Attackers are targeting companies on a daily basis. But ignoring the fact that a data breach has occurred, failing to patch a known vulnerability, putting the onus of dealing with a breach on users, and – most obviously of all – selling off your stock when you have insider information of a breach doesn’t help anyone. Companies need to be honest when they think a breach has occurred, or they risk losing their customers’ trust. And as our data multiplied exponentially, trust is becoming scarce.

A HIPAA Breach

A HIPAA breach can cripple your medical practice

Over the last few months we have discussed HIPAA in very general terms.  I have tried to impart some of the basics of its security and privacy obligations upon each of you, while ignoring the rest of the Act.

Certainly, it is a massive undertaking to fully grasp all of HIPAAs ins-and-outs, and I will not ever try to bore you with the entire 5 sections of HIPAA.  So if you need to know about Insurance Portability, Tax Matters, Group Plans, or Revenue Offsets, please feel free to read the other four Titles.

Now that we have discussed what information is subject to HIPAA and who is responsible to keep and control electronic protected health information (ePHI), it’s a good time to learn what I like to call the “so what?” of HIPAA.  As I travel, meet, speak with, and interact with doctors, I am often presented with the “so what?” response.

Many doctors have told me: “Steve I understand that HIPAA exists, but we have always done it this way.  I think we are compliant.  Or we don’t know how to fully comply.”  And almost all those conversations end with “so what if we are not compliant, no one will even look at my little office to audit us.”

So, I realized that I needed to do a little more in this blog. Let’s discuss what a breach is, what you have to do if you are in breach and finally the “so what?”, namely what are the fines?

Let’s first learn what a “breach” is and is not.  A breach can be defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted, which compromises the security or privacy of the protected health information.

This means that if protected health information is in the possession of the wrong person and they can read it, a breach exists.  If you give Jan Smith’s records to Jane Smith, there is a breach.  Or if you fax medical records to (702) 555-1234, but the patient’s number was (712) 555-1234, you have a breach.

It’s these little mistakes that plague offices at times.  Most certainly, if your patient charts are on your laptop and it’s stolen, that’s a breach.  Should your server be accessed due to a hacking incident, or if you email a patient’s records to Kinkos as opposed to Dr. Kinko (the physician you intended to refer your patient to), you have a breach event.

Simply put, records must be seen only by those authorized to see them, and Covered Entities (CE) and Business Associates (BA) in possession of the records hold the responsibility to ensure no breaches take place.

“But what if my PHI is encrypted?” you ask. If the PHI is encrypted when the breach took place, you are probably covered.  The unauthorized use or disclosure of PHI is presumed to be a breach, unless there is a low probability that the information was compromised.

So when the PHI ends up in the wrong hands, but all they see is 0s and 1s due to your encryption, you may be protected. If you realize an email went to joesmith@mail.org as opposed to josmith@mail.org, but the email was sent with encryption, you are probably ok not reporting a breach.

However, a breach notification is necessary in all situations except those in which the CE demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. We will discuss what a “risk assessment” is in the next blog.

But today’s blog is addressing a breach.  So, assuming a reportable breach took place, now what?  Once a CE or BA is made aware of a possible breach, they must report the breach to the Department of Health & Human Services.

The report must be made without “unreasonable delay”.  While it is not 100% certain what constitutes an “unreasonable delay”, 60 days appears to be the outer limit for reporting, and waiting until the 60th day could be unreasonable as well.

Some state laws provide stricter reporting rules such as California’s mandate that you have 5 days to report a breach.   We will discuss the notice details in a later blog

And now the “So what?”  Here are the federal breach penalties.  But please take note that some states allow separate penalties.  Additionally, some states allow private causes of action against the CE by the harmed patients.  So these charts present only the tip of the iceberg in some cases.

Looking through the charts it is easy to see the risks you’re taking by not making sure your office is HIPAA compliant. In 2016, the Office for Civil Rights (OCR) collected over $20 million in fines, and in 2017 they have already disclosed over $17 million in fines collected.

Finally, don’t think that just because you are only an employee for a company, that you are immune from these fines and prison sentences. If an executive is aware of a violation, delegating the responsibility to someone else (the company’s “Security Officer”, perhaps) DOES NOT protect the executive from a personal penalty.

So now that you know what the ramifications are for a HIPAA breach, it is crucial that you take the necessary steps to ensure you don’t end up as one of OCR’s statistics.

Take the painful (but important) measures to be compliant now to save yourself a lot of stress, heartache, and money in the future. Otherwise the question you’ll be asking isn’t “so what?” but rather “does anyone know a good attorney?”