Approximately 112 million Americans or nearly one third of the United States population have been affected by breaches of so called “protected health information” (“PHI”) in 2015 alone.  During the last year, almost 100 million records were hacked from the network servers of just three organizations: Excellus Health Plan, Inc. with 10 million individuals affected, Premera Blue Cross with 11 million individuals affected and Anthem, Inc. Affiliated Covered Entity with a record 78.8 million individuals affected.  Based on the information reported in the United States Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) database, which publishes the breaches affecting 500 or more individuals, the majority of breaches or approximately 38% were due to “unauthorized access/disclosure;” however in the top ten breaches (i.e. affecting the most individuals) 90% were due to a “hacking/IT incident.” During the last three years 42.5% of all data breaches were attributable to the healthcare industry.  In the last two years an alarming 91% of healthcare companies reported a data breach.  Almost half of the breaches have been found to be criminal in nature.

In a report published by the Ponemon Institute in May 2015 examining privacy and security data for healthcare covered entities and business associates, criminal attacks were identified as the main cause of healthcare data breaches and such attacks have grown over 125% during the last five years.  “Spear phishing” accounts for 88% of these criminal attacks and malware for 78% of all criminal activities.  So what is spear phishing?  It is not a recreational activity.  Spear phishing is a tool cybercriminals use to gain unauthorized access to sensitive information or to install malware on the targeted victim’s computer. This is accomplished by sending emails targeting select groups of people with a common bond, e.g. they work at the same company.  The e-mails appear to be legitimate, i.e. from a source the victim would know or normally get e-mails from (to appear legitimate the criminals sometimes hack into the organization’s computer network).  Victims are asked to click on a hyper link inside the e-mail that bring them to a phony, but genuine looking website, where they are prompted to provide passwords, user IDs, access codes, etc.  Once criminals have this access information, they are able to obtain the sensitive data they are seeking. Spear phishing can also trick victims into downloading malicious codes or malware by clicking on a link embedded in the e-mail. The second cause of health care data breaches was lost or stolen computers; representing 43% of all data breaches. Notwithstanding the fact that criminal activity is now the main cause of data breaches in the healthcare industry, the majority of healthcare security personnel (70%) were more worried about employee negligence than cyberattacks (40%).  Generally breaches are discovered as a result of an audit (69%), notification from an employee (44%) or a patient complaint (30%).  Given the major breaches cited above, the healthcare industry is not responding aggressively enough to thwart these attacks.  Why not?

Perhaps because the federal law relating to the security of an individual’s PHI is too lax. The HIPAA Security Rule sets forth national standards to protect individuals’ electronic personal health information (“ePHI”) that is created, received, used, or maintained by a “Covered Entity” i.e. health plans, health care clearinghouses, and health care providers or their respective business associates who transmit health information in electronic form.  The Security Rule requires certain administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.  Within the Security Rule there are both “required” implementation specifications and “addressable” specifications.  While Covered Entities are mandated to take certain steps to protect ePHI, there is flexibility built in with the addressable specifications.  Unfortunately the public is dependent on the Covered Entity to ensure its ePHI is safe and is unaware of what measures the Covered Entity has taken to meet the implementation specifications in the Security Rule.  While HIPAA compliance appears to be an issue being addressed in the health care sector, more must be done to bolster the security requirements intended to protect ePHI in the current environment.

The current penalties for HIPAA breaches are not a strong enough deterrent to catalyze change.  Although OCR can impose fines on organizations for unauthorized disclosures of PHI and failing to protect the public against loss, theft and disclosure of PHI, the penalties are ineffective given the increasing number and extent of recent breaches.  While OCR has imposed several hefty fines this past year, in 2014 OCR received nearly 18,000 complaints yet only six formal actions were taken.  Is the decision to take action dependent upon who is affected by the breach?  As for the Anthem breach, penalties are laughable given the magnitude of the breach. Anthem’s annual net income for the year ending December 31, 2014 was $2.5 billion. Is a maximum fine of $1.5 million really a deterrent? Obviously it is barely a slap on the wrist.  Who is protecting the average American? Clearly, the current HIPAA Security Rule is not enough to protect our electronic PHI (“e-PHI”) in the cyber age.

References are presented in the order in which they originally appear in the article.

Protected health information is personally identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232(g) (1974), records described at 20 U.S.C. 1232(g)(a)(4)(B)(iv)(1974) and employment records held by a covered entity in its role as employer, http://www.NCBI.NLM.NIH.gov/books/NBK9576 (last visited March 18, 2016).

Dan Munro, Data Breaches In Healthcare Totaled Over 112 Million Records In 2015, Forbes (Dec. 31, 2015), http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#c2ef4fb7fd5a (last visited March 18, 2016).

Stephanie Tayengco, Why are healthcare data breaches so common? Becker’s Hospital Review (Sept. 17, 2015), http://www.beckershospitalreview.com/healthcare-information-technology/why-are-healthcare-data-breaches-so-common (last visited March 18, 2016).

Shannon Pettypiece, Rising Cyber Attacks Costing Health System $6 Billion Annually. Bloomberg Business (May 7, 2015), http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually.

Erin McCann, Criminal Attacks Become No. 1 Cause of Data Breaches, Healthcare IT news (May 7, 2015),

http://www.healthcareitnews.com/news/criminal-attacks-healthcare-become-no-1-cause-data-breaches (last visited March 18, 2016).

Federal Bureau of Investigation. Spear Phishers Angling to Steal Your Financial Info, April 1, 2009, https://www.fbi.gov/news/stories/2009/april/spearphishing_040109 (last visited March 18, 2016).

CFR §160.103

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals (Last visited March 18, 2016).

Paul Bedard. Brookings: Healthcare hacks up1800%, penalties on firms weak, Washington Examiner (Feb. 13, 2015), http://www.washingtonexaminer.com/brookings-healthcare-hacks-up-1800-penalties-on-firms-weak/article/2560199

Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (H.R. 3103) (Aug. 21, 1996).

Consumer Affairs, http://www.consumeraffairs.com/news/class-action-suit-filed-against-ucla-health-over-patient-data-security-breach-072315.html (last visited April 2, 2016).

R. Kam & C. Arevalo, A glimpse inside the $234 billion world of medical fraud, Government Health IT (Feb. 8, 2012), http://www.govhealthit.com/news/glimpse-inside-234-billion-world-medical-id-theft.

Michael Ollove, The Rise of Medical Identity Theft in Healthcare, Kaiser Health News (Feb. 7, 2014), http://khn.org/news/rise-of-indentity-theft/.

Stacey Cowley & Liam Stack, Los Angeles Hospital Pays Hackers $17,000 after Attack, N.Y. TIMES (Feb. 18, 2016), http://www.nytimes.com/2016/02/19/business/los-angeles-hospital-pays-hackers-17000-after-attack.html?_r=0.

Tal Yellin, Dominic Aratari &Jose Pagliery, What is Bitcoin, CNN Money, http://money.cnn.com/infographic/technology/what-is-bitcoin/ (last visited April 8, 2016).

.

Poneman Institute, Criminal Attacks: The New Leading Cause of Data Breach in Healthcare

(May 7, 2015, 9:00 am) http://www.ponemon.org/blog/criminal-attacks-the-new-leading-cause-of-data-breach-in-healthcare

Fortune, Whatever You Do, Don’t Get Doxed (Mar. 2, 2016, 10:22am), http://fortune.com/video/2016/03/02/doxing-cyber-espionage/

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/ (last visited March 18, 2016).

.

U.S. Dept. of Health and Human Services, http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf, at pg.8 (last visited April 9, 2016).

National Institute of Standards and Technology, http://www.nist.gov/healthcare/security/hipaasecurity.cfm. (last visited March 17, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html (last visited March 22, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf, page 4 (last visited April 9, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html (last visited March 18, 2016).

University of South Florida, http://www.usfhealthonline.com/resources/key-concepts/hitech-act-summary/#.VvgdMKvAHzI (last visited March 18, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html (last visited March 18, 2016).

Cullen Archer, Does HIPAA preempt state law claims related to privacy of individually identifiable health information?(May 19, 2015), https://www.law.utah.edu/does-hipaa-preempt-state-law-claims-related-to-privacy-of-individually-identifiable-health-information/.

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/ (last visited March 18, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html (last visited March 18, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html (last visited March 18, 2016).

U.S. Dept. of Health and Human Services, HIPAA For Professionals, Compliance Enforcement, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html (last visited February 12, 2016).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-OCR-enforces-the-HIPAA-privacy-and-security-rules/index.html (last visited February 28, 2016).

Department of Health and Human Services, https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf, at pg. 5583 (last visited April 9, 2016).

C.F.R. §160.404 (2013).

C.F.R. §160.410(b) (2013).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html (last visited April 9, 2016).

Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 36 (Conn. 2014).

U.S. CONST. art VI, cl. 2.

Acosta v. Byrum, 638 S.E.2d 246, 249 (N.C. App. 2006).

Sorensen v. Barbuto, 143 P.3d 295, 298 (Utah Ct. App. 2006) aff’d and remanded, 177 P.3d 614 (Utah 2008).

Sorensen v. Barbuto, 177 P.3d 614, 620 (Utah 2008).

Byrne, 102 A.3d 32, 36.

Walgreen Co. v. Hinchy, 21 N.E. 99, 105 (Ind. Ct. App. 2014) on rehearing, 25 N.E.3d 748 (Ind. Ct. App. 2015).

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/ (last visited April 2, 2016).

HIPAA Journal (Dec. 8, 2015), http://www.hipaajournal.com/ny-attorney-general-hipaa-fine-urmc-8206/.

American Medical Association, http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page? (last visited April 2, 2016).

National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last visited March 28, 2016).

National Law Review, Third Circuit Finds that the FTC Has Authority to Sue Companies for Inadequate Cybersecurity Practices as an "Unfair" Practice (Sept. 6, 2015), http://www.natlawreview.com/article/third-circuit-finds-ftc-has-authority-to-sue-companies-inadequate-cybersecurity (last visited April 2, 2016).

Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).

Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138 (2013).

Robert D. Fram, Simon J. Frankel and Amanda C. Lynch, Standing in Data Breach Cases: A Review of Recent Trends, NA (Nov. 9, 2015), http://www.bna.com/standing-data-breach-n57982063308/.

In re Target Corp. Customer Data Security Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014),

Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015).

Niam Yaraghi and Joshua Bleiburg, The Anthem hack shows there is no such thing as privacy in the health care industry, Brookings (Feb. 12, 2015), http://www.brookings.edu/blogs/techtank/posts/2015/02/12-anthem-hack-health-privacy.

American Hospital Association, http://www.aha.org/content/14/140408--fbipin-healthsyscyberintrud.pdf (last visited April 9, 2016).

Jim Finkle, Exclusive: FBI warns healthcare sector vulnerable to cyber attacks, Reuters (Apr. 23, 2014), http://www.reuters.com/article/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423.

Barbara Filkins, Healthcare Cyberthreat Report, SANS ANALYST WHITEPAPER (SANS INSTITUTE) (February 2014), http://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735.

Stephen Barlas, Hospitals Struggle With ACA Challenges: More Regulatory Changes Are in the Offing in 2015, Pharmacy and Therapeutics, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC4159055/ (last visited April 2, 2016).

Beth Kutscher, Healthcare underspends on Cybersecurity as attacks accelerate, Modern Healthcare (Mar. 3, 2016),

http://www.modernhealthcare.com/article/20160303/NEWS/160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate.

CFR § 164.306(d).

Iboss Cybersecurity Team, Rise in healthcare Data Breaches in 2015 threatens HIPAA Compliance, (Jan. 7, 2016), http://blog.iboss.com/executives/rise-in-healthcare-data-breaches-in-2015-threatens-hipaa-compliance

U.S. Dept. of Health and Human Services, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.

Joshua Sutin, Jillian Gordon Foerster, HIPAA Security Rule: What you need to know about Compliance and OCR’s enforcement efforts, Inside Counsel (Jun. 24, 2015).

http://www.insidecounsel.com/2015/06/24/hipaa-security-rule-what-you-need-to-know-about-co?page=3&slreturn=1459271898.

Anna Wilde Matthews & Danny Yadron, Health Insurer Anthem Hit By Hackers, WALL ST. J. (Feb. 4, 2015), http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.

Holly J. Gregory, Board Oversight of Cybersecurity Risks, Practical Law (March 2014), http://www.sidley.com/~/media/files/newsinsights/publications/2014/03/board-oversight-of-cybersecurity-risks/files/view-article/fileattachment/board-oversight-of-cybersecurity-risks--march-2014.pdf, page 24.

U.S. Dept. of Health and Human Services, http://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf (last visited April 10, 2016).

U.S. Department of Justice Cybersecurity Unit, Best Practices for Victim Response and

Reporting of Cyber Incidents (April 2015), https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf.

Cornell University Law School, https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C/appendix-A (last visited March 22, 2016).

National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (last visited March 28, 2016).