Data Breach Negligence Claims Not Recognized in Pennsylvania

By Steven L. Caponi and Elizabeth A. Sloan

In an important and well-reasoned 12-page decision, Judge Wettick of the Court of Common Pleas of Allegheny County refused to create a common law duty to protect and secure confidential information. The decision was issued in the matter of Dittman v. UPMC, which was filed on behalf of over 62,000 plaintiffs. Although not binding state-wide, Judge Wettick’s decision represents an important step in the development of privacy law in Pennsylvania.

The complaint was filed against the University of Pittsburgh Medical Center (“UPMC”) after names, birthdates, social security numbers, confidential tax information, addresses, salaries, and bank account information pertaining to current and former employees were stolen from UPMC’s computer systems. The plaintiffs alleged that UPMC had a common law “duty to protect the private, highly sensitive, confidential and personal financial information, and the tax documents of plaintiffs and the members of the proposed class.” The complaint claimed that UPMC violated this duty when it failed to “exercise reasonable care to protect and secure the information.”

Advocating for more than simple recognition of a general duty, the Dittman plaintiffs sought court imposition of very specific and onerous duties on UPMC. Given the nature of the employee/employer relationship, the plaintiffs argued that UPMC’s duties included the obligation to design, maintain, and test “its security systems to ensure that [] the members of the proposed Classes personal and financial information … was adequately secured and protected.” It was further argued that “UPMC [] had a duty to implement processes that would detect a breach of its security systems in a timely manner.” Lastly, the plaintiffs argued that UPMC should be liable for its failure to meet industry standards in the face of a risk that was reasonably foreseeable.

Judge Wettick’s decision is important not only for its ultimate holding, finding no common law cause of action for data breaches, but also for the three lines of reasoning relied upon to support his conclusion. Specifically, Judge Wettick found: (1) Pennsylvania’s economic loss doctrine precludes a negligence cause of action for economic loss stemming from a data breach; (2) public policy considerations militated against the creation of an affirmative duty of care in connection with data breach cases; and (3) the Pennsylvania General Assembly’s prior actions evidenced an intent not to impose such a duty.

With regard to the economic loss doctrine, the court noted that the UPMC employees sustained only economic losses resulting from the improper actions of third-party bad actors. With this finding in hand, the court turned to the economic loss doctrine and affirmed that “no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.” Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009). Seeking to overcome the economic loss doctrine, the Dittman plaintiffs invoked Pennsylvania Supreme Court case law, including Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012), to suggest the court should impose a common law duty of care on those who maintain the confidential data of third parties. The court rejected this argument as an improper effort to undermine the economic loss doctrine.

The court went on, however, to consider the factors articulated in Seebold and concluded “the controlling factors are the consequences of imposing a duty upon the actor and the overall public interest in the proposed solution.” Recognizing the magnitude of the problem, the court noted that “data breaches are widespread … frequently occur because of sophisticated criminal activity of third persons … [and] [t]here is not a safe harbor for entities storing confidential information.” Judge Wettick further noted that the imposition of a new duty was unnecessary because entities who store confidential information already have a strong incentive to protect the data and avoid the disastrous operational consequences resulting from a breach.

Addressing the public policy component of Seebold, the court adopted a very practical approach.  Judge Wettick determined that the creation of a new duty would expose Pennsylvania courts to the “filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons”—a burden the courts are not equipped to handle. He further recognized that there is an absence of guidance as to what actions constitute reasonable care, and allowing juries to determine what constitutes reasonable care is not a “viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation.” Lastly, the court took notice of the fact that creation of a new cause of action would require companies to expend substantial resources defending lawsuits even though the entities “were victims of the same criminal activity as the plaintiffs.”

The court concluded its analysis into the propriety of creating a common law duty by noting that the Pennsylvania General Assembly extensively considered the issues surrounding data breaches when enacting the Breach of Personal Information Notification Act (the “Act”). 73 P.S. § 2301, et seq. (effective June 20, 2006). Notably, the Act did not establish a duty of care or a private cause of action. Rather, the Act created only a notification obligation in the event of a breach.  Had the General Assembly wished to impose a new duty, it had the opportunity to do so.  Exercising judicial restraint, Judge Wettick concluded “[i]t is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”

While Judge Wettick’s decision will surely not be the last word on liability stemming from data breach cases in Pennsylvania, it is highly instructive, well-reasoned, and likely to be followed by other Pennsylvania courts. A copy of Judge Wettick’s decision is available online.

Health Care Providers Responding to Ebola: HHS Issues Guidance Reminding Covered Entities that HIPAA Allows the Sharing of PHI in Emergencies

By Jennifer Daniels

The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has issued guidance to remind HIPAA-covered entities of the ways in which they are permitted under HIPAA to share protected health information (“PHI”) in emergencies, including information about diagnoses of Ebola.  HHS emphasizes that the “minimum necessary rule” still applies to these disclosures (except in the case of a disclosure for treatment purposes), and covered entities are still responsible for using safeguards that comply with the HIPAA Security Standards. Below is a list of the types of disclosures discussed in the guidance:

  • Disclosures for Treatment: Under the HIPAA Privacy Rule, covered health care providers may share PHI with other health care providers for treatment purposes, including to coordinate and manage health care and related services by one or more health care providers. No authorization from the patient is necessary.
  • Disclosures to Public Health Authorities: Covered entities may disclose PHI without patient authorization to public health authorities, like the Centers for Disease Control and Prevention (“CDC”) or state or local health departments, for the purpose of preventing or controlling disease, injury, or disability. So, for example, a covered entity could disclose PHI to the CDC on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola. Similarly, covered entities may disclose PHI at the direction of a public health authority to a foreign government agency that is acting in collaboration with the public health authority.
  • To a Person At Risk if Permitted under State Law: A covered entity may disclose PHI to a person at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
  • To Family and Friends Involved in Patient’s Care: If a patient’s family or friends are involved in a patient’s care, and the covered entity has obtained the individual’s agreement or can reasonably infer from the circumstances that the individual does not object, then the covered entity may disclose to a family member or friend PHI that is directly relevant to that person’s involvement in the patient’s care.
  • Disaster Relief Organizations: A covered entity may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notice to family members of a person’s location or condition.
  • Imminent Danger: Covered health care providers may disclose PHI to anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and the provider’s standards of ethical conduct.
  • Disclosures to the Media: Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information consistent with 45 CFR 164.510(a). In general, however, affirmative reporting to the media or the public about an identifiable patient, such as the details of test results or the patient’s condition, is not permitted without the patient’s authorization.

Health care providers should have policies and procedures in place that govern these types of disclosures under HIPAA so that such providers can act in an emergency in a manner that is necessary to protect public health but that is respectful of patient privacy.

Accretive Health Settles FTC Charges that it Failed to Adequately Protect Consumers’ Personal Information

By Jennifer Daniels

Accretive Health, Inc. (“Accretive”) is a service provider for hospital systems nationwide, providing services related to the hospital systems’ revenue cycle operations.  In providing these services, Accretive obtains sensitive health information about its customers’ patients.  Accretive suffered a security breach that resulted in the exposure of sensitive, personally identifiable information for about 23,000 individuals.  As is often the case, that breach resulted in a complaint from the government.

Of course, Accretive’s clients are Health Insurance Portability and Accountability Act (“HIPAA”)-covered entities, and Accretive is a business associate under HIPAA.  This, however, was not a HIPAA investigation; the Federal Trade Commission (“FTC”) brought its claims under the FTC Act.  HIPAA-covered entities and their business associates should keep in mind that HIPAA compliance is not their only regulatory obligation to maintain the security of personal information.

The FTC argued that Accretive failed to provide reasonable and appropriate security for the consumers’ personal information it collected and maintained, by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access.  The FTC claimed that, among other things, Accretive:

  • transported laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;
  • failed to adequately restrict access to, or copying of, personal information based on an employee’s need for information;
  • failed to ensure that employees removed information from their computers for which they no longer had a business need; and
  • used consumers’ personal information in training sessions with employees and failed to ensure that the information was removed from employee computers after the training.

Accretive’s failures resulted in a July 2011 incident in Minneapolis, Minnesota in which an Accretive laptop containing 600 files related to 23,000 patients was left in the locked passenger compartment of an employee’s car and was stolen.  The laptop included sensitive personal and health information, including names, dates of birth, billing information, diagnostic information, and social security numbers.  The user of the laptop had data that was not necessary to perform his job.

The FTC argued that the failure by Accretive to employ reasonable and appropriate measures to protect personal information from unauthorized access was an unfair act or practice in violation of Section 5(a) of the FTC Act.

On January 13, the FTC published a notice in the Federal Register that the FTC had accepted, subject to final approval, a consent order applicable to Accretive.  The Proposed Order requires Accretive to establish and maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information.  The program must contain administrative, technical and physical safeguards appropriate to Accretive’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects about consumers.  Specifically, the Proposed Order requires Accretive to:

  • designate an employee or employees to coordinate and be accountable for the information security program;
  • identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of information, and assess the sufficiency of any safeguards in place to control these risks;
  • design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Accretive, and require service providers by contract to implement and maintain appropriate safeguards; and
  • evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Companies handling sensitive personal information are advised to review the types of security measures that the FTC includes in these types of consents because they give companies a checklist of the measures that the FTC will expect to be in place at companies handling similar types of data.

In Accretive’s case, the Proposed Order will be in place for 20 years, and the order requires Accretive to obtain an assessment and report every other year for 20 years from a qualified, objective, and independent third party professional certifying that its security program meets the requirements of the order.

The FTC published a description of the consent, which is subject to public comment for thirty days, after which the FTC will decide whether to make the proposed order final.

Breach by Dermatology Practice Results in Fine and Corrective Action Plan with HHS

By Jennifer Daniels

A dermatology practice called Adult & Pediatric Dermatology, P.C. (“Covered Entity”) reported a security breach as required by the Health Insurance Portability and Accountability Act (“HIPAA”) to the Department of Health and Human Services (“HHS”) on October 7, 2011.  The Covered Entity reported that an unencrypted thumb drive was stolen from the vehicle of a member of its workforce, and that the drive contained the protected health information (“PHI”) of approximately 2,200 individuals.  The thumb drive was never recovered.  The Covered Entity notified the impacted patients of the theft as required by applicable law, and provided notice to HHS in accordance with the breach notification rules under HIPAA / HITECH.

As is often the case, HHS decided to investigate the Covered Entity following notice of the security breach.  The HHS investigation revealed:

  • The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security process until October 2012.
  • The Covered Entity did not fully comply with the requirements of the HIPAA breach notification rules because it did not have written policies and procedures regarding its breach notification process, nor did it train members of its workforce regarding the breach notice requirements until February 2012.
  • On September 14, 2011, the Covered Entity impermissibly disclosed the PHI of 2,200 individuals by permitting an unauthorized individual access to the PHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.

The Covered Entity agreed to pay HHS $150,000 to resolve the investigation, and agreed to enter into and comply with a Corrective Action Plan.

Sometimes, the fine is not as significant as the ongoing cost of the corrective actions required by the regulators.  Here, the agreed upon Corrective Action Plan gives the Covered Entity one year to conduct a comprehensive risk analysis of its security risks and vulnerabilities that incorporates all of the Covered Entity’s electronic media and systems, and to develop a risk management plan to address and mitigate the risks and vulnerabilities identified.  The risk analysis, risk management plan, and any revised policies and procedures must be forwarded to the HHS Office of Civil Rights (“OCR”) for review and approval within 60 days of the date completed by the Covered Entity.  OCR will review the submission and may require revisions.  Upon approval by OCR, the Covered Entity must train its workforce on the revised policies and procedures within 30 calendar days.   During the time period covered by the Corrective Action Plan, if any workforce member fails to comply with the policies and procedures, the Covered Entity must investigate and report such noncompliance to OCR, including any actions taken by the Covered Entity to mitigate the resulting harm and to prevent recurrence.

Ultimately, the Covered Entity must provide OCR with an Implementation Report describing how the Covered Entity implemented its security management process, and an attestation from an officer of the Covered Entity that any revisions required by OCR were fully implemented and its workforce members were completely trained.  An uncured breach of the Corrective Action Plan can lead to the imposition of Civil Monetary Penalties.

HIPAA Compliance in the Cloud

By Jennifer Daniels

Word on the street is that Google and Amazon have quietly started to offer business associate agreements (“BAAs”) to their healthcare customers using their cloud services.  As you probably know, the Health Insurance Portability and Accountability Act (“HIPAA”) now requires that cloud providers comply with the HIPAA Security Rule if they process protected health information (“PHI”) on behalf of a covered entity, regardless of whether they sign a business associate agreement.  So, while it is nice that these large cloud providers are beginning to execute such agreements, it is not a surprise, and it is probably to their benefit, as they will be responsible directly for HIPAA violations anyway, and such contracts offer them the opportunity to limit their liability as much as possible under the law.

Cloud providers are notorious for trying to disclaim as much liability as possible related to the services they provide.  Entering into these business associate agreements gives them the opportunity to state, once again, exactly what they will be responsible for and what they will not.  Further, Google stated publicly that if customers have not entered into a BAA with Google, they must not store PHI using Google services.  I imagine their contracts reflect this idea—that they will not be responsible for protecting PHI about which they do not know.

Unless a company is a large customer with a lot of leverage, it has little power to negotiate responsibility for losses with cloud service providers.  Companies need to try to negotiate what cloud providers are responsible for, including which liabilities and at what levels.  Companies should push to conduct their typical vendor audits with cloud providers.  Some cloud providers will give representations as to outside security certifications, such as the Federal Information Security Management Act (FISMA), the International Organization for Standardization (ISO), and the Statement on Standards for Attestation Engagements (SSAE), which is helpful.  Further, realize that cloud providers may be outsourcing your data to still other cloud service providers.  Companies should therefore make sure that contracts with cloud providers, including BAAs, contemplate liability for downstream losses caused by subcontractors.