09 May
Managing the nightmare of identity theft
Madison, Wis. – The nightmare of managing liability in identity theft cases was spelled out during a late session of WTN Media’s Digital Healthcare Conference, and healthcare providers got a real sense of what a sleepless period it would be.
Using a hypothetical case of identity theft from an orthopedic hospital, attorneys from Michael Best & Friedrich demonstrated how much trouble healthcare organizations can find themselves in even when they take steps to prevent security breaches that result in lost, stolen, or damaged medical records.
Prior to the mock trial, members of the audience learned that there are plenty of real-life cases to draw lessons from, too. Attorney Paul Benson, a partner with Michael Best & Friedrich, cited a recent World Privacy Forum survey that identified more than 120 reported data breaches in American companies, resulting in $53 million in fines, since February of 2005. One company, ChoicePoint, was fined $10 million for its data breach.
Fellow Michael Best partner John C. Thomure, the defendant’s attorney, joined Benson, the prosecuting attorney, in a debate. The facts of the case were not in dispute, but the interpretation of those facts was.
In an attempt to protect patient information on electronic and paper records, the defendant, Bad Break Orthopedic Hospital, took steps to implement both physical and technical safeguards and train employees on data security. Nevertheless, the hospital’s data security was breached by a disgruntled employee who stole a laptop from the hospital and gained unauthorized access to its computer system. While a simple password would have prevented a breach on the laptop, the employee breached technical security measures and [appropriated] sensitive patient information such as names, Social Security numbers, dates of birth, diagnoses, and payment information.
The owner of the laptop immediately notified the hospital of both the theft and the security breach, but in its anxiety to find the perpetrator and recover the compromised records, the hospital did not notify affected patients for more than three weeks after the theft. Not long afterward, patients began to report incidents of possible identity theft: credit cards were opened in their names, and collectors were calling. A class action lawsuit ensued, claiming the hospital had negligently put patients at risk of identity theft.
The hospital further enraged patients and their attorneys during the discovery process when, despite the existence of a record retention policy and related employee training, the organization responded slowly to requests, released information on a piecemeal basis, and offered vague explanations as to how relevant files were found. The plaintiffs claimed discovery misconduct.
During his opening statement, Benson blasted the hospital for failing to invest in encryption, which he described as a best practice. He also accused the hospital of trying to cover up mistakes during its internal investigation, and of violating the Health Insurance Portability and Accountability Act (HIPAA) and state law by not informing patients of the breach in a more timely fashion. He cited several organizations that immediately notified identity theft victims so they could take steps to protect themselves financially, and another that acted responsibly by setting up e-mail accounts to keep victims apprised of subsequent events.
Benson, who focused on the plaintiff’s financial losses, sought $4 million in punitive damages. “If you don’t teach Bad Break a lesson here, and companies like it in these cases, when will these problems end?” he asked.
Thomure disputed the contention that a HIPAA violation occurred, and characterized Benson’s presentation as an example of how fear is used to compel liability. He said the hospital met the test of reason by instituting policies and safeguards, thoroughly training workers in its comprehensive record retention policies, immediately conducting an internal investigation, hiring an auditor to check HIPAA compliance, and notifying patients after efforts to catch the perpetrator failed.
What would be unreasonable, Thomure said, was for his clients to have no policies or procedures, no training, no internal investigation, and no audit. He said the prosecution was trying to apply the strictest standard for negligence when the ordinary standard should apply, and that if the strict standard were applied, credit card companies would shift costs to hospitals when they already are in a position to cover these losses. With healthcare costs already rising at three times the rate of inflation, a strict standard could make a bad situation worse, he said.
“I assure you the cost of healthcare will go up substantially because the plaintiff wants a perfect system,” Thomure stated as part of his remarks on behalf of Bad Break.
Following the presentation, the merits of each case were evaluated by a panel that included Steven Biskupic, U.S. Attorney for the Eastern District of Wisconsin; Lorna Granger, chief legal officer and chief compliance officer for ProHealth Care; and Paul Verberne, legal counsel for HSA Bank. Only Biskupic sided with the prosecution. He noted that all criminal culpability centers on knowledge of a bad act. “If you know people’s credit card bills are being run up, and you don’t do anything about it, you’re going to have some explaining to do,” he said.
Verberne, however, noted that HIPAA doesn’t require best practices, only that hospitals act reasonably. “This standard is not as rigorous as what the banking industry regularly has to face,” he said.
Granger pointed out that the most sensitive information lost was not financial, but medical, which is what HIPAA is designed to protect. She said real damage would occur if a person who is HIV positive or has a sexually transmitted disease had personal medical records fall into the hands of an employer. If the strictest standard is imposed for financial losses, Granger said the cost of healthcare would rise again. “This is not the right case to allow that to happen,” she stated.