An exterior view of the Anthem Health Insurance headquarters. About 80 million company records were accessed in one of the largest health care data breaches. The company was hit with $16 million in fines tied to HIPPA violations in security and notification requirements. Anthem paid far more to settle a class action lawsuit and actions by state attorneys general in different U.S. states. (Photo by Aaron P. Bernstein/Getty Images)
Navigating a breach response, managing the public relations crisis that often results, and eradicating hackers from the network takes a careful balance of requirements and a capable incident response team. But in highly regulated sectors like health care, that balance is complicated by the need to ensure compliance and avoid potential fines.
And yet, the same regulations that require swift reporting demand only modest details to be delivered to customers. That leaves health care organizations to decide for themselves how transparent they choose to be – and to manage the consequences of those decisions.
“The intent of the notification is to communicate to individuals that their data was compromised, but there is no obligation to provide any insight, or information, on how the breach occurred,” said Corinne Smith, a Health Insurance Portability and Accountability Act attorney and shareholder of Winstead PC. “Accordingly, you can expect to continue to see providers give fairly vague breach notifications.”
A history of falling short
Health care covered entities often face scrutiny for delayed notices, vague breach notifications, and overall response, despite specifics standards spelled out in HIPPA for what’s expected from providers in the wake of a breach. Each year, a consistent number of providers either intentionally or inadvertently omit some required information or provide notice far outside of compliance with the rule.
A September 2020 CynergisTek report found just 76% of health care providers conform with the HIPAA Security Rule, a statistic that has remained static for several years.
According to the Department of Health and Human Services, notices must be sent without undue delay and no later than 60 days after a breach is discovered. Notifications must include “the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.”
The timing requirement is quite clear, said Smith, though there may be some reasons as to why some providers are failing to adhere to this portion of HIPAA.
“Sometimes providers take longer to report because they are still trying to determine the extent of the breach and which records were actually impacted,” she said. Also, “they may not have known that they were hacked for a period of time if their internal surveillance tools are deficient.”
In the latter case, the notification comes when they are made aware of the incident, which may have occurred months prior.
The recent notification from Wolfe Eye Clinic is a prime example of this type of delay. A ransomware attack was detected in February, but complexity of the attack hid the breach from investigators for several months.
Timing delays may also occur from forensics audits that don’t initially find a compromise protected health information, she added.
The Impact Advisors security team, which includes Vice President Mike Garzone and Senior Advisors Marc Johnson and Stephen Collins, confirmed that the timing requirement in HIPAA is a challenge for many providers, but the delays aren’t necessarily intentional. Investigations to find whether a health information breach actually occurred are time consuming, particularly with an ongoing timer. Impact Advisors added that most providers are attempting to provide as much accurate information as possible, which requires further due diligence “to gain a higher-level confidence and certainty before submission.”
Delays can also be attributed to legal reviews of the public messaging, which may also tack on crucial hours to the incident response timeline.
How much information needs to be made public?
In recent months, several breach notifications have highlighted the different routes providers take with breach notifications. One provider recently notified patients that their data was accessed and stolen more than nine months prior, but did not share the reason for the delay.
In the case of Alina Lodge, the treatment center notified patients of a 2020 incident caused by a ransomware attack targeting its vendor. The notice detailed the delayed notification and provided patients with access to credit monitoring and identity protection services.
These contrasting approaches to notification beg the question: How transparent must providers be to comply with HIPAA?
“It is important to point out that there is no requirement to explain the root cause of the breach or provide any details about it,” said Smith.
Instead, organizations are expected to provide, when possible, a brief description of the breach, a description of the types of information involved, the steps affected individuals should take to protect themselves from potential harm, and a brief description of what the covered entity is doing to investigate, mitigate harm, and prevent further breaches.
HIPAA requires covered entities and relevant business associates to notify the individuals who will likely be harmed by the loss or theft of their health information, which is “pretty much the extent of it,” Impact Advisors’ leadership noted. This notification must happen directly, typically through a letter or email. An organization may also publish a notice online, which typically happens when a covered entity has insufficient or out-of-date contact information.
Smith added that there’s also no requirement for an impacted entity to provide frequent notifications during a security incident and or investigation either. Only one notice is required once the investigation has concluded.
Of course, incidents may be too complex to explain to the impacted individuals. And while transparency is crucial, Impact Advisors’ leadership notes that breached organizations should not publicly estimate the impact of an event without the facts.
“We would never advise a client to speculate as to the nature or extent of a breach. What those affected care about most is the impact, so being transparent about that impact, and remediation or restoration efforts is important,” the leaders explained.
Indeed, transparency shines a light on flaws, human and otherwise, they said, which in ideal circumstances can drive mitigation and improvement. “Transparency allows visibility into the actual nature of the problem and subsequent trends. It will show the actual nature of the activity instead of a skewed representation due to hiding of the facts.”
Understanding requirements vs. reputational benefit
Although HIPAA doesn’t require providers to offer detailed notice, entities that swift may discover benefits in terms of reputation, brand, and public perception, explained Smith.
“In my opinion, the best breach notices are ones that are timely and offer the benefit of free credit monitoring so that the consumer doesn’t have to worry about personal fall-out from the breach,” she added. “I don’t think consumers are particularly swayed or impressed by a highly detailed breach explanation.”
When it comes to HIPAA compliance and the Office for Civil Rights investigations, the largest OCR settlements stem from health care providers that failed to demonstrate adequate risk assessments, as well as those without sufficient hardware and software controls.
Other major settlements stemmed from covered entities that failed to provide adequate breach notification.
For example, the largest OCR settlement was levied against Anthem for $16 million after a 2014 data breach. The OCR audit found the insurer failed to respond to a detected breach, in addition to insufficient technical controls over their systems. Those costs don’t include the $115 million Anthem paid to settle a consolidated class action lawsuit, or $48 million to settle actions by state attorneys general in different U.S. states.
For the Impact Advisors, many providers engage with their cyber insurance provider to assist with the breach response efforts. While recommended for provided legal and forensics services, entities should not solely rely on those services.
Further, entities should proactively engage with cyber insurers, many of which will provide free tabletop exercises.
“We have observed that insurers are becoming much more diligent in their efforts to gauge an organization’s maturity in preventing and responding to incidents before providing coverage,” explained Impact Advisors. “This is a good trend; however, many insurers are prescribing very specific technologies out of desperation. This trend is not so good.”
“Organizations should look at their security program holistically, not just the technical controls but governance and compliance goals, as well. Viewing the compliance department as partners is essential to a successful program,” they added. The enterprise business teams should also be involved with security discussions, as well as other relevant departments, which can assist in recovery processes in case of an incident.
To ensure compliance with HIPAA, providers should have written policies that outline legal requirements for breach notifications. Smith added that creating a “breach notification response team,” including legal counsel, the privacy and security officers, and the media team, can best support breach response efforts.
And when a breach occurs, providers must maintain documentation asserting all required notifications were sent or relevant documents that show a notice was not required by HIPAA, she added.
HIPAA-compliant reasons for not sending a notice include “low probability that the protected health information has been compromised by the impermissible use or disclosure; or the application of any other exceptions to the definition of ‘breach.’”
“The timeliness of a breach notification is not typically the first or only area of concern by the OCR,” said Smith. “They are more likely to levy fines against organizations that have more systemic failures. However, it is important to note that there have been occasions where the OCR levied a fine for a delay in notification.”
“OCR feels strongly that individuals need prompt notice of a breach of their unsecured PHI so that they can take action to help mitigate any potential harm caused by the breach,” she concluded.