Cyber-Attack on a Hospital System Leads to HIPAA Breach for 4.5 Million Patients. Now Comes the BIG Expense: Regulatory and Legal Actions

Aug 20, 2014 | Blog

Increasingly, organizations face the threat of costly breaches of personal data arising from cyber-attacks. In an 8-K filing with the Securities and Exchange Commission (“SEC”) dated August 18, 2014, Community Health Systems (“CHS”) revealed that personal information of 4.5 million patients was improperly accessed in a cyber-attack. CHS, one of the largest health care providers in the United States, indicated that “its computer network was the target of an external, criminal cyber attack that . . . originating from China [that] used highly sophisticated malware and technology to attack the Company’s systems.” The breach, which may have resulted from exploitation of the “Heartbleed Bug,” a weakness in OpenSSL encryption used by many organizations, accessed patient’s names, birth dates, telephone numbers, and social security numbers. Importantly, despite the fact that the information gathered by the attacker in the breach was not medical in nature, it was nonetheless Protected Health Information pursuant to HIPAA and, as such, triggered reporting and other obligations such as notification of the patients and the media and providing credit monitoring to affected individuals.

CHS faces myriad potential regulatory and legal actions. As a public company, the SEC may investigate whether the CHS breach resulted from a failure to have or maintain information safeguards (we discussed the SEC’s new vigilance in cyber-security here). Similarly, the U.S. Department of Health and Human Services pursues violations of HIPAA such as data breaches like this one and recently settled a proceeding against a New York hospital for a data breach for $4.8 million. The Federal Trade Commission, in its litigation against Wyndham Worldwide, Inc., has shown that it intends to aggressively enforce obligations to safeguard consumers’ personal information, and healthcare consumers are not likely to be an exception. And one should not forget about the CHS shareholders because shareholders have become increasingly active in bringing derivative actions against public companies like Target and Wyndham for alleged insufficient attention to cyber-security obligations.

Audits and cyber-security enforcement actions are likely to increase, especially in healthcare. The Federal Bureau of Investigation issued a prescient warning to healthcare organizations in April, that “[t]he healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” Preparation for defense of regulatory actions and litigation, then, is most advisable. Please contact Kenneth N. Rashbaum for further information.