Information Security for Skilled Nursing Facilities: Why Hackers Want the “Fullz, Fullz” from At-Risk Populations
In November 2015, the Supreme Court heard oral arguments in Spokeo, Inc. v. Robins. The Court’s opinion in this matter may decide the question of when a victim (or suspected victim) of a data breach may sue a company for losing data. Health care companies and service providers — given their unique position at the intersection of health and consumer information technology and regulation — will need to pay especially close attention to this ruling. This is particularly true for owners and operators of skilled nursing facilities, whose residents present an especially attractive target for data hackers.
Even in the typical retail context, determining whether a victim or suspected victim has the right to sue a company for losing data is not as straightforward as it may seem. To sue in any court, a plaintiff must have “standing” — that is, a plaintiff must have suffered an injury-in-fact, there must be a causal connection between the injury and the defendant’s conduct, and there must be a likelihood that the injury will be redressed by a favorable decision (Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)).
Applying this test to data breaches is more than a little tricky. For example, if hackers steal your data, but never use it, have you been injured? What if there was a breach, but no proof that your data was actually extracted from the defendant’s server? What if the company pays for identity theft protection — are you still harmed? As you might imagine, courts that have grappled with these issues have reached divergent results. Spokeo may provide some clarity.
What is already clear, however, and certainly germane to owners and operators of skilled nursing facilities (SNFs), is that (1) the government can and will investigate and potentially fine an SNF for suffering a data breach under HIPAA, and (2) data breaches concerning vulnerable populations may be more likely to result in actual harm.
HIPAA and Regulatory Enforcement for Data Breaches
HIPAA breaches, especially breaches implicating 500 or more patient health records containing protected health information (PHI), can result in investigation and potential fines from the Office for Civil Rights (OCR) within the Department of Health & Human Services. The majority of these breaches do not involve hacking or some other cybersecurity event. Rather, most breaches still result from garden-variety employee incidents — for example, an employee loses a laptop containing PHI, or an employee intentionally forwards such information to a personal account.
But cybersecurity breaches remain a critical issue for this simple reason: a victim of a cybersecurity breach (the entity holding the information, not the individual patient or patients) must almost always report the breach to OCR.
To understand this, we must briefly analyze when a covered entity or business associate (basically any entity holding protected health information) must report the breach to OCR. Impermissible use or disclosure of unsecured PHI is presumed to require notification to OCR. That presumption may be rebutted if the victim performs a risk assessment examining (1) the nature and extent of PHI involved, (2) who received or accessed the PHI, (3) the likelihood that the PHI was viewed, and (4) the extent to which the risk to the data has been mitigated. If the risk assessment indicates a low probability that PHI has been compromised, then no need exists to report the breach to OCR. It is, however, critical that these findings are documented and preserved.
Applying this analysis to a lost employee laptop, disclosure may not be necessary in every case. For example, if the laptop’s hard drive was protected by full-disk encryption with a strong password, which prevents access to any information on the drive absent the password credentials, it is exceedingly unlikely that a third party could access the disk or the data. In fact, encryption is a safe harbor under HIPAA. Moreover, if the organization has the ability to remotely wipe a laptop’s hard drive, this remedial effort would further decrease the likelihood that the PHI could be accessed or viewed. Under these circumstances, an organization could very well conclude that no report is necessary, because the likelihood of harm is quite low.
By contrast, a cybersecurity breach, in which data is extracted remotely through malicious code on a server, almost always requires a report to OCR. First, if the hacker defeated the firewall and escalated user privileges (meaning that the hacker went from an ordinary user on the system to an administrative or IT-level user) to the point of extracting the data, then in all likelihood the stolen data was decrypted or never encrypted at all; most organizations do not, at present, encrypt data-at-rest (data “resting” on a server, as opposed to data being transmitted), and it can be very challenging to determine how much data was stolen. Second, it is exceedingly difficult to determine the origin of hacking operations; thus, it will be difficult or impossible to pinpoint where the data went or to identify the intentions of the hacker. Third, it is almost impossible to mitigate the breach — once the data is gone, it is gone.
So, while the risk that a cybersecurity breach will actually occur is lower than that of more conventional (and more easily preventable) breaches, the costs of cybersecurity breaches are higher. The good news is that organizations can drastically reduce the risk of being victimized by this type of attack with simple and straightforward initiatives designed to make the organization a harder target for criminals. Most of these policies and practices can be implemented at little or no cost.
Remember that one of the first questions regulators will ask in response to a data breach event is whether the organization has a data breach plan, and whether the organization has practiced it. Counsel should be engaged to develop, implement, and “quarterback” data breach response plans, rehearsals, and implementations to ensure that the data breach response is reasonable under the circumstances and complies with all applicable contractual duties.
Elderly SNF Residents, the Problem of Vulnerable Populations, and the “Fullz, Fullz”
A second source of PHI-related liability is potential suits from the patients themselves. Of course, even in a retail context, determining whether a victim or suspected victim has the right to sue a company for losing data is not as straightforward as it may seem. HIPAA rules present an even greater challenge to patients, as individuals whose PHI is stolen cannot sue under HIPAA. Only the federal or state government can bring a HIPAA enforcement action. But individuals whose PHI is stolen can bring other actions based upon the Stark Law.
A potential plaintiff must demonstrate independent “standing.” That is, the plaintiff must have suffered an injury-in-fact, there must be a causal connection between the injury and the defendant’s conduct, and there must be a likelihood that the injury will be redressed by a favorable decision (Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). This has been the threshold test for plaintiffs in every court in the United States for a very long time. Unfortunately (for owners and operators), residents of skilled nursing facilities may find it easier than usual to pass this test.
According to the FBI, PHI is up to 50 times more valuable than a credit card number on the black market. Why? Because PHI includes a bevy of information that allows criminals to impersonate their victim. PHI typically contains a name, address, social security number, date of birth, height, weight, insurance information, and sometimes even a driver’s license number — everything a hacker would need to impersonate an individual. Hackers refer to these records as the “fullz, fullz,” because they have a full and complete picture of a person’s identity.
With this information, criminals can open new credit card accounts, file taxes on a person’s behalf, collect social security benefits, and impersonate the person for the purposes of reimbursement of Medicare or Medicaid expenses, sometimes for services never performed. It is easy to cancel a credit card and obtain a new credit card number. It is far more difficult to remediate all of the potential avenues for theft emanating from a breach of PHI.
Elderly SNF residents are particularly vulnerable. These residents may not file taxes for many years and thus may be unaware that fraudulent returns are being filed on their behalf. From 2011 through November 2013, the IRS estimates that it stopped 14.6 million suspicious returns and protected over $50 billion in fraudulent refunds. Unquestionably, even more slipped through the IRS net. Further complicating the picture, residents of SNFs may be eligible for disability or other social security benefits, but may be unable to check their own credit histories and credit activity.
Given these considerations, SNF residents are likely targets for hackers motivated by profit. Depending on the circumstances, it also may be easier for these residents to show actual harm in the event of a breach.
To be clear, it is not economically feasible (and is likely impossible) to guard against every potential data breach. But SNFs can and should adopt pragmatic preventive measures and implement a comprehensive response plan to mitigate potential breaches, now, before a suspected breach has occurred. Similarly, SNF owners and operators should consider one of the many insurance products available to reduce the monetary impact of a potential data breach.