Patients increasingly suing hospitals over data breaches

Fifty-eight lawsuits were filed in 2021, with 43 of them filed against healthcare organizations, the largest percentage among all industries.

Jeff Lagasse, Editor

Industries are increasingly being sued by consumers for data breaches, but the sector with the biggest litigation increase is healthcare, according to new findings from the law firm BakerHostetler.

In fact, healthcare comprises 23% of lawsuits due to data breaches. The next highest after that is business and professional services at 17%, followed by finance and insurance (15%), education (12%) and manufacturing (10%).

In all, 23 data breach incidents resulted in one or more lawsuits; 58 lawsuits were filed overall, with 43 of them filed against healthcare organizations.

Of all industries, healthcare also logged the highest initial ransom demand from hackers and bad actors, at more than $8.3 million. The average ransom that was actually paid was far lower, at about $876,000, but that was still the highest average amount paid across all industries. 

One of the few bright spots for the industry was in "days to acceptable restoration," or the amount of time it took to return to normal. For healthcare, it was 6.1 days, the second-fastest behind the energy and technology sector, at 4.6 days.

One concerning statistic showed the rise of ransomware, which has been a particular issue in healthcare. In 2020, ransomware accounted for about 20% of the cases handled by the law firm. A year later, that number climbed to 35%.

Because of that, the firm recommended that companies accelerate their efforts to put effective mitigation measures in place. These include multi-factor authentication, endpoint detection and response tools, patch management protocols and robust backup plans.

Several ransomware groups threatened to cut off communications, delete decryption keys and immediately publish data if companies engaged third-party ransom negotiators or law enforcement. Some threat actors have even asked companies to identify the specific employee at the company who is communicating with them. They then call the employee and demand that they read back the most recent chat as proof that a third-party ransom negotiator is not involved. 

Engaging advisors with the most up-to-date information about threat actors' tactics is key to avoiding pitfalls, according to the firm.

WHAT'S THE IMPACT

What was once rare has become an unfortunately common tactic threat actors use to exert pressure on victims to pay ransom demands. Claiming to have stolen data gives these actors another piece of leverage by which they may obtain a ransom payment. Even a victim that doesn't need a decryption key might still pay to prevent the public release of data.

In the firm's 2021 ransomware matters, threat actors claimed to have stolen data 82% of the time. This is compared to 70% of the time in 2020, a continuation of a trend that began that year. In healthcare ransomware matters, the percentage is even higher: 89% of the time, threat actors claim to have stolen data, as compared to 79% in 2020.

"Encryption and good data hygiene are critical to avoiding theft of sensitive data that could lead to notification obligations, regulatory scrutiny, or even lawsuits," authors wrote. "Having and following data retention policies, minimizing storage of documents with personal or proprietary information on file servers (common targets for threat actors looking for large amounts of data to steal), and avoiding use of personal information, such as Social Security numbers, where possible, are all steps that organizations can take to mitigate the risk and potential impact of data exfiltration."

BakerHostetler identified a number of red flags that could trigger an investigation from the Office of Civil Rights, including taking more than 30 days to provide patients with requested protected health information. Other red flags include lack of response to multiple access requests from the same patient; incomplete records provided in response to patient access requests; and failure to provide records to a patient's personal representative.

EFFECTS ON MEDICARE REIMBURSEMENT

In a departure from years past, in 2021 the Centers for Medicare and Medicaid Services began issuing blanket denials to Extraordinary Circumstances Exceptions requests made by healthcare providers seeking extensions for CMS filing deadlines due to ransomware attacks that limited access to their systems and data. 

The reason cited by CMS for these denials is that the providers "could have feasibly received information describing how to prevent the occurrence of the cyberattack and did not address the risks in a complete and timely fashion." 

According to the firm, CMS never asked the providers whether they were in possession of such information. 

"These denials could result in a significant loss of Medicare reimbursement to healthcare providers that are already reeling from the toll the COVID-19 pandemic has taken on their finances," according to the report. "This new trend emphasizes the need for healthcare providers to quickly identify important, upcoming regulatory filing deadlines if there is a concern that a data security incident will prevent them from accessing the required information for the filing."

THE LARGER TREND

Unlike many state breach notification laws that are triggered by the acquisition of personal information, notification obligations under HIPAA are triggered by access to or acquisition of protected health information. In addition, per guidance from the Department of Health and Human Services, data deletion or loss of data integrity due to a ransomware attack can also create notice obligations under HIPAA.

A January 2021 amendment to the Health Information Technology for Economic and Clinical Health Act essentially created a "HIPAA Safe Harbor" for organizations that have implemented "recognized security practices." 

Examples of recognized security practices that would be deemed acceptable defenses under this law include the methodologies set forth in the National Institute of Standards and Technology Act and the Cybersecurity Act of 2015.

The amendment requires that OCR consider whether an entity had "recognized security practices" in place a year prior to the incident as part of any determination regarding fines, audit results or other remedies.

While the HITECH amendment doesn't provide entities with total immunity from HIPAA enforcement, it does provide organizations with substantial incentives to establish or improve their cybersecurity programs. It also provides a chance to mitigate financial penalties and other negative regulatory actions that may result from a data breach or security incident.

According to BakerHostetler, healthcare organizations looking to build their HIPAA-safe harbor defensibility should start by assessing whether their current cybersecurity program and processes fit the definition of "recognized security practices" defined in the HITECH amendment. If needed, they should consider additional investments to further mature their information security capabilities so they can rely on this safe harbor.
Twitter: @JELagasse
Email the writer: jeff.lagasse@himssmedia.com