Continuing Fallout of 2015 Data Breach Provides Many Lessons For Other Businesses & Their Health Plans
The $2.3 million (Resolution Amount) data breach settlement and other post breach fallout now bankrupt radiation oncology and cancer care provider 21st Century Oncology, Inc. (21CO) is experiencing after data thieves hacked into the names, social security numbers and other private health and financial data of more than 2,213,597 individuals illustrates why your company and its health plan should make tightening medical and other sensitive data security a top priority in 2018.
While 21CO’s $2.3 million resolution agreement with the Department of Health and Human Services Office of Civil Rights (OCR) announced December 28, 2017 resolves the potentially much larger civil monetary penalty exposure that the Fort Myers, Florida based provider of cancer care services and radiation oncology faced from OCR charges that the hacking and misappropriation of 2,213, 597 individuals’ names, social security numbers and other sensitive electronic protected health information (ePHI) resulted from 21CO’s breaches of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA), the $2.3 million settlement payment is only a small part of the fallout from the breach that helped push 21CO into filing for Chapter 11 bankruptcy protection in May, 2017.
The $2.3 million settlement and other post-breach consequences 21CO continues to experience from its 2015 data breaches provides invaluable lessons for both health plans and insurers, health care providers and other HIPAA-covered entities, as well as employers and businesses generally, of the importance of taking appropriate steps to manage the security of ePHI held by their health plan and other sensitive personal and other data against hacking or other improper use. and other minimize their own HIPAA breach exposures and ensuring proper compliance with HIPAA and other data security and privacy laws. In considering and planning these breach and other privacy and security prevention and compliance activities for 2018, business leaders in these organizations also should take into account how just enacted amendments to Internal Revenue Code Section 162(f) might impact the tax deductibility of certain compliance expenditures for HIPAA and privacy, data security and other compliance and enforcement activities.
21CO HIPAA Breaches & Fallout
The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 than unauthorized third party illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by a FBI informant. As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.
Although it knew of the breaches in November and December, 2015, 21CO delayed notifying patients of the data breach for more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March, 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.
When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused. However victims of the breach subsequently are claiming being victimized by a variety of scams since the breach in news reports and lawsuits about the breach.
At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues. On December 16, 2015, 21CO announced that a 21CO subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015). Among other things, the corporate integrity agreement required by that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws. In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA. See 21CO 8-K Re: GAMMA Settlement March 9, 2016 ; See also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.
As the breaches impacted more than 500 individuals, 21CO’s HIPAA breaches were considered large breaches for purposes of the Breach Notification Rules. It is the policy of OCR to investigate all large breach notifications filed under the HIPAA Breach Notification Rules.
Based on OCR’s subsequent investigation into these breaches, OCR found:
- 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
- 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
- 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
- 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. §164.308(a)(1)(ii)(D);
- 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).
The Resolution Agreement settles potential charges and exposures to potentially much higher civil monetary penalties that 21CO could have faced had OCR successfully prosecuted charges against 21CO for the breaches. In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement requires that 21CO pay OCR a $2.3 million Resolution Amount and implement to OCR’s satisfaction a corrective action plan that among other things requires that 21CO complete the following corrective actions to the satisfaction of OCR:
- To complete a risk analysis and risk management plan;
- To revise its HIPAA policies and procedures regarding information system activity review to require the regular review of audit logs, access reports, and security incident tracking reports pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(D);
- To revise its policies and procedures regarding access establishment and modification and termination pursuant to 45 C.F.R. § 164.308(a)(4)(ii)(C) and 45 C.F.R. § 164.308(a)(3)(ii)(C) to include protocols for access to 21CO’s e-PHI by affiliated physicians, their practices, and their employees.
- To distribute its policies to and educate its workforce on the updated and other HIPAA policies and procedures;
- To provide OCR with an accounting of 21CO’s business associates that includes names of business associates, a description of services provided, a description of the business associate’s handling of 21CO’s PHI, the date services began and copies of the actual business associate agreement with each business associate; and
- Submit an internal monitoring plan to OCR.
While the financial burden of paying the $2.3 million resolution amount and other costs required to respond to OCR’s investigation and comply with the resulting corrective action plan are significant in their own right, other businesses and business leaders should realize that these settlement costs represent only a small portion of the fallout that often follows a large data breach. In addition to the HIPAA consequences revealed in the December 28, 2017 resolution agreement announcement, it represents only a small fraction of the tidal wave of adverse business and financial consequences experienced by 21CO and its leadership following its March 4, 2016 public disclosure of the breach leading up to its May, 2016 bankruptcy filing. Among other things, the breach announcement lead 21CO to be sued in a multitude of class-action civil lawsuits by breach victims and shareholders. See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits. Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts. See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.
These and other developments also had significant consequences on 21CO’s financial status and leadership. By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements. Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders, default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.
Insurer Funding $2.3 Million Settlement Payment For Bankrupt 21CO
As a result of the bankruptcy filing, the 21CO resolution agreement is the first of what almost certainly will be a multitude of HIPAA resolution agreements with OCR that require bankruptcy court approval to release the necessary funds to pay the required $2.3 million resolution payment. In approving the settlement and payment of the resolution amount, the Bankruptcy Court order directed Beazeley Insurance, the issuer of a breach liability insurance policy issued to 21CO, to make immediate payment to the OCR of the resolution amount and pay other fees incurred by 21CO in connection with regulatory defense as a necessary step to help the struggling company reorganize in hopes of emerging from Chapter 11 bankruptcy.
Settlements Highlight Growing Risks Of Lax Data Security & Privacy Law Compliance Beyond HIPAA
The 21CO resolution agreement announcement also comes when a steady stream of reports of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses are stoking government and public awareness and concern about data privacy and cybersecurity legal compliance and protection that reaches well beyond the special requirements made applicable to health plans, health care providers, health care clearinghouses and business associates covered by HIPAA. As a consequence the 21CO breach and HIPAA resolution agreement offer important lessons about the importance of data security and protection well beyond HIPAA and the covered entities and business associates it covers well beyond the HIPAA specific lessons it offers for HIPAA covered entities and their business associates.
For instance, like other businesses that experience data breaches or other cybersecurity events, health plans, health care or other HIPAA-covered entities, commonly also face a host of responsibilities and liabilities under laws and rules that apply both to HIPAA-covered entities and other types of businesses. These exposures include, but are not limited to rules generally applicable to businesses that collect sensitive personal financial or other other sensitive information under rules like the data security and privacy requirements of the red flag and other data security rules of the Fair and Accurate Credit Transactions Act (FACTA) and other Federal Trade Commission, the Internal Revenue Code, Social Security Act, medical information and other employment data, trade secret, and other federal or state identity theft, data privacy and security, electronic crimes and other rules, as well as federal or state contracts, deceptive trade practices, breach of warranty and a host of other generally applicable or industry specific statutory or common laws.
These legal responsibilities, as well as growing concern about data privacy and security, increasingly make data breaches a major business risk for all types of businesses. As 21CO’s experience illustrates, businesses that experience data breaches also commonly experience massive business losses and disruptions; loss of customers, investors and business partnerships; civil litigation from breach victims, shareholders and other investors, and business partners as well as investigation and enforcement actions by a host of federal and state regulatory agencies.
Amid this growing concern, OCR is only one of a multitude of federal and state agencies that are stepping up regulation, enforcement and oversight of the data privacy and security of all types of businesses. In the face of these growing risks and liabilities, all businesses, including but not limited to HIPAA covered entities and their business leaders, face a strong imperative to clean up and maintain their data security and privacy compliance and take other prudent steps to prevent and appropriately plan to respond to and manage data breach and other cybersecurity events.
In response to these growing concerns and exposures, business leaders, investors, insurers, lenders and others in all industries should act to maintain and verify that they and those they do business with are taking appropriate steps both to comply with data privacy and security laws like HIPAA and FACTA, as well as maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.
As a part of this planning, businesses and business leaders also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures. While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:
- Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
- Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
- Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
- In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.
Because the true effect of these modifications will be impacted by implementing regulations and special conditions and rules may impact the tax treatment of the specific payments and their resulting reporting obligations, businesses and business leaders will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.
Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. The author of a multitude of highly-regarded publications and a popular lecturer on HIPAA, FACTA and other privacy, data and information security and other related concerns, Ms. Stamer also has served as the scribe responsible for chairing the American Bar Association Joint Committee on Employee Benefits annual agency meeting with OCR, a planning committee member, speaker and moderator for the ISSA-HIMSS LA annual Information Security Summit and its Medical Privacy Conference, as well as a host of other data privacy security events.
Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes and includes extensive, leading edge work on privacy and data security compliance, investigation, breach and other liability mitigation and defense and other related concerns dating back to 1989 including experience advising and defending companies about HIPAA and other medical privacy, ADA, FACTA, GBL, IRC, Social Security, cybercrime, identity theft, trade secret, electronic crimes, and other privacy and data security exposures.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:
- Confirm Your Benefit Plans Ready For New Disability Determination Rules on 1/1/18
- Individual Accountability For Performance Matters
- Give NLRB Your Input On Union Representation Election Regulations
- 1/18 Deadline To Comment on OCC Child Care Plan Preprint
- IRS Prepares To Nail Employers Under Obamacare Mandate While Giving Some Individual Mandate Relief
- Medical Clinic HIPAA Resolution Agreement Shows Need For Current Business Associate Agreements
- 1/18 Comment Deadline on Office Of Child Care Guidance That Allows Background Check Requirement Delays
- OCR Gives Health Care Providers, Other Covered Entities Post-Las Vegas Shooting HIPAA Medical Privacy Guidance On Disclosures To Family, Media & Others For Notification & Other Purposes
- RAISE Act Immigration Visa, Visa Holder Public Benefit Limits Create Potential Health Industry Concerns
- SCOTUS Bars State Law Restrictions On Health, Other Arbitration Agreement Enforceability
- Health Care, Health Plan & Other Health IT Systems Warned of E-Mail Cyber Attack
- $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI
- CardioNet $2.5M HIPAA Resolution Agreement Schools HIPAA Entities To Clean Up Their Acts
- Hiring & Retaining Workers Growing Business Challenge
- DOL Proposes Changing FLSA Tipped Employee Pay Rules
- Consider Internal Investigation & Defense Costs When Administering Compliance Programs
- Recruiting Qualified Workers Biggest Challenge US Manufacturers See In Otherwise Optimistic 3rd Quarter 2017
- Jennifer A. Abruzzo Named NLRB Acting General Counsel
- Bill Mandating E-Verify, Raising Employer I-9 Penalties Approved By House Judiciary Committee
- Address Workplace Harassment During October Stop Bullying Month
- NIOSH Proposed Updated Occupational Safety Chemical Monitoring Rules
- 2018 Social Security COLAs Set
- IRS Updates Defined Benefit Plan Guidance
- Read Trump Health Care Executive Order
- Dealing With HR, Benefits & Other Headaches From Equifax and Other Data Breach
- Employers Should Manage Potential Unfair Labor Practice Risks From Recording, Acceptable Use, Fighting, Integrity & Other Employment Policies
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved