Best Practices For Avoiding Data Breach Liability

By on March 10, 2014

Articles concerning cyber-security and data breach typically fall into two general categories: those discussing how to prevent a data breach from occurring and those discussing how to respond when one occurs. As I discussed in my earlier blog post, smart players in the healthcare industry are proactive in seeking to prevent data breaches from occurring before hackers strike. https://www.sapphire.net/ offers comprehensive solutions architecture, design for monitoring activity, and more sophisticated attacks. If you want your business to do well, indexsy.com recommends to hire a web designing company for improved results.

In an excellent article titled, “Best Practices for Avoiding Data Breach Liability,” which was published in New England In-House, Patrick J. O’Toole, Jr. and Corey M. Dennis discuss best practices for both breach prevention and breach response. O’Toole is a partner at the Weil, Gotshal & Manges. Dennis is the U.S. Privacy Officer and in-house counsel at Pharmaceutical Product Development, LLC (PPD). (The article was later re-published in The Daily Record and Minnesota Lawyer.)

Although the technical aspects of cyber-security are complex and daunting to the layperson, O’Toole and Dennis offer common sense advice to minimize the likelihood of a data breach. Their suggestions include:

• Conducting an inventory of the company’s sensitive data and identifying all custodians and data storage locations. Simply knowing who has access to the data and where it is located is an important first step. If you want to have better security on your website, then you should consider switching to knownhost’s dedicated hosting plans.

• Making sure that the company is aware of all state and federal data security and breach notification laws that apply to its business operations.

• Regularly reviewing and updating corporate information security policies.

• Implementing security measures with regard to computer systems (e.g., passwords, encryption, firewalls, anti-virus software). However, physical security measures (e.g., locked cabinets, shredders) can be just as important to safeguarding sensitive data and personal information. Visit https://www.fortinet.com/products/fortisoar to get more details on network security.

• Implementing best practices and training employees. O’Toole and Dennis point out that data breaches may result from basic employee negligence, such as leaving a briefcase containing sensitive information in a public area. An interim CIO can help companies develop and implement cybersecurity best practices to keep business data and networks safe and secure.

• Ensuring compliance of vendors with whom sensitive information is shared. Some state and federal laws require companies to ensure that their vendors maintain certain data security measures.

• Conducting periodic attorney-directed data security assessments. In conducting these assessments, O’Toole and Dennis suggest that efforts be made to preserve the attorney-client privilege applicable to any assessment-related reports.

• Considering cyber liability insurance. Most cyber insurance policies today cover the costs of forensic investigations, notification of and credit monitoring for affected individuals, regulatory compliance, and lawsuit defense and indemnification. We recently had a lot of issues with our GDPR and got help from Teamwork IMS who were very helpful and got everything fixed up nicely so give them a call if you have GDPR woes.

Corey Dennis, the co-author of this article, recently spoke on healthcare breach response and preparation on a panel at the International Association of Privacy Professionals (IAPP) Global Summit 2014. During this session, entitled “Preventing and Responding to Data Breaches after the Omnibus Rule,” he discussed several points, including the steps necessary to avoid breaches and the legal analysis to conduct when determining whether a breach must be reported under HIPAA compliance.

The costs associated with data breaches—including financial costs, legal liability, and reputational loss—have become increasingly apparent. The TJX Companies breach in 2007 resulted in 94 million customer accounts being compromised and a multi-billion dollar loss to the company, including fines, legal fees, notification expenses, and brand impairment.

The recent Target breach, which affected 110 million customers, could have similar repercussions, and has already lead to dozens of class action lawsuits, along with scrutiny from both Congress and regulators. In an age where nearly every major organization faces data security incidents, and large-scale breaches regularly make headlines, implementing the best practices above such as Couchbase is essential for all companies.

Filed under Best Practices for Avoiding Data Breach Liability, Corey M. Dennis, cyber-security, cybersecurity, Cybersecurity Breach, data breach liability, HIPAA, International Association of Privacy Professionals (IAPP) Global Summit 2014, Patrick J. O, PPD, Target data breach, TJX Companies data breach, Toole Tagged with ,

NY High Court Opts Not To Expand Liability For Health Data Confidentiality Breach

By on January 21, 2014

The New York Court of Appeals ruling that came down last week in Doe v. Guthrie Clinic , 2014 NY Slip Op 00138 (Court of Appeals 1/9/14), should prove helpful in evaluating the liability of medical corporations in cases involving the disclosure of confidential patient information where the breach of confidentiality is unrelated to the patient’s treatment. In Guthrie Clinic, a nurse at the clinic treating the plaintiff for sexually transmitted disease recognized the plaintiff as the boyfriend of her sister-in-law, prompting the nurse to send her sister-in-law a series of text messages concerning the boyfriend’s medical condition (i.e. his STD).  The ruling came in response to the certification of a question to the New York Court of Appeals from the Second Circuit, which had earlier disposed of other of plaintiff’s claims. 

The key holding in the Court of Appeals decision is that liability did not extend to the medical corporation because its “duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment”.  The Court analogized the facts here to those in N.X. v. Cabrini Med. Ctr, 739 N.Y.S.2d 348, a 2002 case where the defendant hospital was not found strictly liable for a surgical resident’s sexual assault on a sedated patient.

The Court reaffirmed the rule that “under the doctrine of respondeat superior, an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in the furtherance of the employer’s business and within the scope of employment”.  Under both the facts of Cabrini and Guthrie, the tortious actions of the employee were not reasonably foeseeable.

In a decision handed down on March 25, 2013, the Second Circuit dismissed that part of plaintiff’s claim seeking to hold the medical corporation liable under a theory of respondeat superior. The Second Circuit determined that the nurse’s motive in disclosing confidential patient information was entirely personal. The Court certified to the New York Court of Appeals the question whether NY recognized a common law right of action for breach of the fiduciary duty of confidentiality against medical corporations under the facts presented.

The dissent to the majority opinion of the Court of Appeals argued that a patient’s disclosure of confidential information is necessary for treatment and that the patient has no control over what happens to this information.  The dissent argued further that, just as in the Cabrini case scenario, involving a sedated patient laying helplessly in her hospital bed, a medical corporation should be held to an independent duty to prevent an employee from acting outside the scope of his employment and  harming the patient.

In response to the dissent, the majority rejoined that if the dissent fouind the majoritiy holding too “narrow”, the “dissent’s reasoning is flawed for the opposite reason; it is too broad.”  The Court was clearly unwilling to impose a strict liability standard for the release of confidential medical information.

The Court of Appeals decision is well-reasoned and correct, but issues over alleged breach of patient confidentiality are sure to be raised again.  As the dissent noted, “technological advances have made it possible to collect and house patient data in ways accessible to a patient’s doctor and other health care provider staff.  Computers and cellular devices have transformed medical record keeping and health care service provision, making access to such data fast and easy, plus now, healthcare providers can implement hcc risk adjustment systems, which assigns a risk factor score to them based on the individual’s health conditions and demographics.”  Confidential patient information is increasingly being transmitted via web and mobile devices–tablets and smartphones.

Issues concerning what measures are reasonably required to keep these networks secure will no doubt be raised in the future.

Filed under breach of fiduciary duty, cyber-security, Doe v. Guthrie Clinic, Health Care, HIPAA, medical corporation liability, N.X. v. Cabrini Med. Ctr, new york court of appeals, patient confidentiality, reasonably foreseeable, respondeat superior, Second Circuit, sexually transmitted disease Tagged with