Managing Evidentiary Consequences Of AI Use

April 8, 2026

Human resources and other business leaders who use, or allow workforce members to use, ChatGPT or other artificial intelligence (“AI”) tools to research, make decisions or support other activities should ensure that their organizations and their teams understand and manage the resulting evidentiary consequences and responsibilities these activities create.

In today’s AI age, Human Resources directors and other business leaders increasingly are encouraged to turn to AI tools for a quick understanding of the law, drafting of documents, and a host of other human relations and business functions traditionally performed with the assistance of legal counsel. Although AI tools can be valuable in the right situations and when properly used, the use of AI tools alongside of, or as a substitute for, legal advice obtained within the scope of attorney-client privilege can carry a number of inherent risks and challenges. Human Resources and other leaders and their organizations should carefully evaluate and manage these consequences before using AI.

AI Searches May Be And Create Evidence

AI prompts, outputs, and related metadata often qualify as discoverable electronically stored information (“ESI”) in litigation, regulatory audits, and enforcement proceedings.

Under the Federal Rules of Civil Procedure, discoverable information includes electronically stored information (“ESI”) relevant to claims or defenses. See Fed. R. Civ. P. 26(b)(1); 34(a)(1)(A). Once litigation is reasonably anticipated, organizations must preserve relevant ESI under the Federal Rules of Civil Procedure. See, e.g., Hoffer v. Tellone, 128 F.4th 433 (2d Cir. 2025).

AI searches and other interactions, and the information and other outputs they produce, generally qualify as ESI for purposes of the Federal Rules of Civil Procedure and Federal Rules of Evidence (hereafter collectively the “Federal Rules”) and comparable federal and state litigation procedural rules.

Likewise, federal and state regulatory and enforcement agencies tend to consider AI and other ESI evidence covered by document retention and discovery rules. 

Where applicable, these Federal Rules and agency rules generally treat AI and other ESI as evidence that organizations must preserve, identify, and subject to discovery or other production, just like traditional evidence in litigation and agency audits and investigations.

ESI evidence generally includes any data stored in electronic form—such as emails, texts, spreadsheets, social media, and Internet of Things (“IoT”) data. Construing ESI broadly, courts already have long admitted:

  • Internet search histories;
  • Internal chats and Slack messages; 
  • Draft documents; and 
  • Deleted files.

AI searches are simply the next evolution of this evidence category. AI records and information considered ESI can include:

  • AI prompt histories;
  • Generated outputs;
  • Embedded AI-assisted drafts;
  • Platform logs (if accessible); and
  • Other records.

Failure to fulfill requirements for early identification and data authentication of AI or other ESI under Federal Rule of Evidence 902, the requirements of Federal Rule of Civil Procedure 37(e) regarding lost evidence, or other applicable requirements to preserve and produce ESI may result in sanctions, adverse inferences, and penalties under the Federal Rules. Similarly, organizations may incur evidentiary sanctions, regulator penalties, and other adverse consequences for failing to identify, retain and produce ESI from AI or other sources in government audits and investigations. Common sanctions include:

  • Monetary sanctions;
  • Evidence preclusion;
  • Adverse inference jury instructions; and
  • Other authorized sanctions. 

See, e.g., Jones v. Riot Hosp. Grp. LLC, 95 F.4th 730 (9th Cir. 2024) (affirming dismissal as sanction for intentional destruction of ESI); Maziar v. City of Atlanta, No. 1:21-cv-02172, 2024 WL 197561 (N.D. Ga. June 10, 2024) (denying summary judgment and awarding fees based on loss of text messages); McBride v. Moore, No. 2:23-cv-02904, 2024 WL 1136429 (C.D. Cal. Feb. 23, 2024) (denying sanctions where ESI not shown lost or duty not triggered); Gregory v. State of Montana, No. 22-____ (9th Cir. 2024) (reversing sanctions imposed outside Rule 37(e); emphasizing Rule 37(e) as exclusive remedy for ESI spoliation); DR Distribs., LLC v. 21 Century Smoking, Inc., 513 F. Supp. 3d 839 (N.D. Ill. 2021) (recognizing financial prejudice from spoliation and awarding fees); Bistrian v. Levi, 448 F. Supp. 3d 454 (E.D. Pa. 2020) (Rule 37(e) provides exclusive framework for ESI spoliation); Fast v. GoDaddy.com LLC, 340 F.R.D. 326 (D. Ariz. 2022) (failure to preserve mobile device data warranted sanctions).

These and other related cases alert organizations that AI and other modern data sources are squarely within ESI. Courts treat AI, texts, mobile data, and app-based communications as discoverable ESI.  

The precedent reflects that the best opportunity to position your organization to show the reasonableness of the actions taken is through the existence and enforcement of policies before and during the use of the AI tool. ESI preservation obligations depend on foreseeability, control, and access to data. When deciding the consequences of the unavailability or failure to produce ESI, the determination regarding failure to take “reasonable steps” is fact-intensive. Of course, the failure to retain the documentation will be particularly likely to be found unreasonable where the party was under a statutory, regulatory, ethical, contractual, or other pre-existing obligation to preserve the evidence.

Also, although courts require proof of intent to deprive before imposing the most severe adverse inference or dismissal sanctions, a lack of proof of intent to deprive the requesting party of evidence does not mean there will be no consequences for the non-producing party. Negligent failure to retain and produce ESI and other evidence still carries consequences. Even without bad faith, courts may impose curative measures, fees, or evidentiary limitations.

Similarly, the U.S. Department of Justice, Securities and Exchange Commission, Department of Health and Human Services Office for Civil Rights, Equal Employment Opportunity Commission and other federal and state government agencies are increasingly sophisticated in digital evidence collection.

Among other things, organizations should be prepared to retain and produce documentation and data obtained from, utilized by, or otherwise interacting with AI tools, together with its associated metadata and other components, to respond to litigation and regulatory requests for a broad range of data and information. Optimally, the data captured and retained should include, but is not necessarily limited to:

  • AI usage policies; 
  • Employee and other agent AI interaction records;
  • Evidence of AI and other relevant governance and training; and 
  • Data protection controls.

Consequently, failure to govern, identify, preserve and produce AI-generated and AI-assisted records appropriately can expose organizations to spoliation sanctions, adverse inference instructions, regulatory penalties, loss of privilege protections, and expanded liability exposure.

In recognition of the possibility that AI tool interactions may give rise to obligations to retain and produce ESI evidence created as a consequence of that interaction, organizations should work with legal counsel to develop and administer appropriate practices to monitor, identify, retain, manage, and where necessary produce this ESI evidence.

AI Tools Create Evidence

Beyond considering and meeting documentation and other evidentiary protection, preservation, and production responsibilities, organizations and their human resources and other leaders need to recognize that the use of the tool itself and its outputs creates evidence that may give rise to legal opportunities, risks, and obligations for the organization.

Organizations should keep in mind that the use of AI tools creates legal evidentiary risks because AI tools typically generate synthesized responses (not just links) that often incorporate user inputs into outputs that may reflect user intent, knowledge, biases and opinions, and decision-making. This often makes AI interactions particularly valuable evidence of:

  • Intent (e.g., “how to terminate employee without legal risk”);
  • Knowledge (awareness of compliance obligations); and
  • State of mind (intentional, willful, or deliberate vs. negligent conduct).

The potential risks of this and other evidence are heightened by the fact that the evidence created may arise not only from the actions taken by the user of the AI tool, but also may be inherently built into the design of the AI tool itself or the databases or other reference materials that it accesses, not all of which may be transparent to the user or the organization that employs the user. These risks are further heightened when the AI tool use is not conducted internally within the organization by its employee, but rather by a consultant or other third-party provider conducting activities of a sensitive nature on behalf of the organization, such as a recruiting company, investigation company, or other service provider.

These unique characteristics of AI make it advisable that organizations recognize and manage the potentially heightened exposures that employee or other agent use of AI tools can produce for the organization in a wide range of sensitive areas.

Examples of queries that can become “smoking gun” evidence include but are not limited to:

  • In employment or other workforce administration searches, AI queries such as “How to terminate employee with medical condition,” “How to avoid claims when terminating older, disabled, complaining, injured or other employees with protected status,” “How to beat a union organizing campaign,” or the like can be evidence of discriminatory or other adverse intent;
  • Compliance and regulatory searches such as “How to structure payments to avoid reporting requirements” or “HIPAA penalties for disclosure”; searches about compliance or looking for compliance loopholes; searches in which the company researched sanctions for noncompliance in areas involved in litigation or enforcement; or searches on risk management that could be evidence the organization saw but chose not to follow rules or standards, otherwise looked for or acted to circumvent compliance, or disregarded interpretations less favorable to the chosen and challenged course of action;
  • Litigation or other defense strategy searches or tools such as “How to defeat a whistleblower claim,” “Ways to minimize damages in lawsuit,” “Protecting your assets from IRS or in bankruptcy,” “How to conceal,” “How to hide,” or the like, which can harm the organization’s interests by showing adverse intent, willfulness, or other motive or state of mind;
  • Litigation case law, enforcement, argument drafting, or other actions that could reveal or provide insight on sensitive litigation strategies or their strengths or weaknesses;
  • Financial and tax searches such as “Aggressive tax strategies unlikely to be audited,” “contract terms to reclassify employee to contractor,” “Structure transaction to avoid disclosure,” or the like; and
  • Other searches or tool uses that could reflect improper intent or document improper activities, such as how to hide evidence, how to create a bomb, or how to poison somebody, or that create a record of conduct such as edits revising data or documentation in reports or records where the changes are tracked and retained.

Given these and other risks, organizations should carefully consider and manage these and other risks when deciding whether, when, how and what AI tools their organizations allow their people to use and who gets to use which tools; designate and train those authorized to use these tools appropriately; and design and implement appropriate tools to track, capture, retain and manage these records of AI use and their implications. Optimally, the planning should identify and work to manage the creation and preservation of evidence and related AI ESI required or otherwise helpful to meet applicable regulatory, contractual, statutory, or other requirements, in a manner that minimizes the creation of evidence that could call into question the compliance or other appropriateness of the organization’s actors.

Privilege and Confidentiality Risks

Asking AI tools to answer legal questions or to provide guidance on legal advice obtained within the scope of attorney-client privilege also can enhance the exposure for the organization and its actors because of the implications of that use on the availability of attorney-client privilege for the activities and information obtained. Using AI tools and output also can have implications on the ability of an organization to protect legal advice and work product developed and shared within the scope of attorney privileges from discovery in judicial or regulatory actions. Organizations need to recognize the risk to the confidentiality of legal advice or work product that arises when sensitive legal questions or information are entered into public AI tools not specifically designed for, and used outside the scope of, the attorney-client relationship: doing so can create problematic evidence and disclose discussions or work product that otherwise might qualify for protection against discovery in litigation or agency proceedings under the attorney-client privilege or attorney work product rules, or both.

Searches conducted by organization employees, consultants, or other agents or representatives about the law, strategies, or legal risks and consequences without or outside the scope of an attorney-client relationship generally can be discovered and used as evidence. Consequently, organizations should regulate the use by officers, directors, compliance officers, human resources directors, consultants, non-legal investigators and auditors and others of AI tools, internet or other searches to investigate the law or legal strategies independent of or outside the scope of attorney-client privilege.

Particularly risky scenarios include:

  • In-house counsel, Human Resources, risk management or compliance staff using public AI tools;
  • Employees seeking legal guidance outside approved channels;
  • Consultants’, contractors’, and other vendors’ use of AI in performing tasks or in their tools;
  • Embedded AI in software or other tools; or 
  • Uploading contracts, PHI, or proprietary data into AI systems.

Additionally, organizations and others communicating or working with legal counsel on behalf of the organization within the scope of attorney-client privilege to design strategies or investigate or defend actions generally should not use AI tools to conduct their own legal research or analysis without authorization and direction of the legal counsel to avoid forfeiting attorney-client privilege and work product protections. 

If the required confidentiality is preserved, the attorney-client privilege and work product rules can, in many circumstances, protect confidential communications between a client and its attorney, and work product prepared for risk management, defense or other purposes of the legal engagement, against disclosure in litigation or other proceedings. However, these protections are lost if the communication or work product is disclosed to or discussed with third parties outside the attorney-client relationship. Entering factual information, conducting legal searches, or using AI tools that are outside the attorney-client relationship, not specifically designed to preserve confidentiality, or both, to draft or evaluate legal documents, research, drafts, or strategies generally is considered a third-party disclosure that can waive or undermine the privilege for the specific information input to the AI tool as well as potentially related communications or work product.

For these and other reasons, organizations and individuals generally should resist the temptation to use AI tools to evaluate legal strategies, advice or work product.

Trade Secret, HIPAA and Other Data Privacy and Use Exposures

Human Resources and other leaders also must keep in mind their organization’s responsibilities to respect other organizations’ intellectual property, to safeguard the confidentiality and security of data, and their organization’s need to protect its own intellectual property.

AI tool enthusiasts promote AI tools as substitutes for legal advice and other paid services. While asking AI to write a “free” policy or contract may seem a great way to save legal, consulting, licensing or other costs, human resources and other leaders and their organizations must keep in mind that not all data, information and resources obtained through a ChatGPT or other AI search is shareware. Most nongovernmental databases, contract forms, tools, templates and other materials accessed through AI searches are, or incorporate, materials owned by or subject to copyrights or other intellectual property protections of third parties. Unlicensed use of these resources can expose their organizations to copyright and other intellectual property infringement liability.

Furthermore, human resources and other executives choosing to use materials drafted using AI tools or otherwise acquired off of the Internet or other sources without legal advice need to recognize that acquired materials and resources may not be currently compliant or appropriately tailored to their use, or may contain other deficiencies for utilization in their organizations. These deficiencies can arise from a number of sources. For one thing, the queries input by the user may not be sufficiently tailored to adequately represent all of the material considerations necessary to tailor the organization’s questions, and the AI response, to the needs of the organization. Also, because AI databases often include a broad range of historical data, AI responses may rely upon outdated legal or operational presumptions incorporated into historical policies that no longer are appropriate for use in your organization. Additionally, the AI response may draw from a wide range of sources, many of which may be sample policies not drafted by qualified individuals with adequate expertise to fully understand the legal and operational implications of the policy and to properly draft a policy appropriate for use in the organization.

Beyond the suitability of the information or tool obtained through the AI search itself, unlicensed use of the response may expose your organization to liability for violating other organizations’ or authors’ intellectual property rights. AI searches can and often do access and incorporate data and other resources protected by third-party copyright, trade secrets, HIPAA or other confidentiality requirements, or other safeguards. Accordingly, accessing or using databases, sample language or forms, or other materials without proper licensing or attribution may trigger liability to individuals and organizations for breaches of these intellectual property rights.

A separate concern arising from the use of AI tools in HR and other business operations to evaluate, format or otherwise process sensitive data is the potentially serious risk created when the use of these tools involves allowing the AI tool to access, or uploading into the tool, confidential or other sensitive information. Human resources and other leaders must exercise care not to share such information inappropriately, and must help their organizations adopt policies and processes governing their people’s use of AI tools, to avoid violating statutory, regulatory or contractual confidentiality requirements, compromising confidential information or their own or business partners’ trade secrets, proprietary information and other intellectual property, or both.

Furthermore, uploading or sharing trade secrets, Health Insurance Portability and Accountability Act (“HIPAA”) protected health information, confidential employee, tax or other regulated information, or other confidential or sensitive data into AI tools or searches without proper controls may itself breach HIPAA, trade secret law, federal or state privacy laws (e.g., biometric and consumer data laws) or other statutory, regulatory, ethical or contractual data privacy or confidentiality obligations. Additionally, allowing AI tools to access and interact with electronic data or systems frequently triggers data and systems security obligations under HIPAA, the Fair and Accurate Credit Transactions Act, Equal Employment Opportunity and other Human Resources and benefits data rules, electronic crimes laws, federal and state government contract requirements, a broad range of international, federal and state cybersecurity laws and regulations, and other government and private contractual and program participation requirements, statutes, and regulations.

Given these concerns, organizations should avoid using AI tools that require uploading customer, financial, sales, or other data or information that the organization considers its own trade secrets or proprietary information into AI databases or tools that do not adequately safeguard the ownership and confidentiality of that information.

AI Tool Hallucinations and Other Output Deficiency Risks 

AI tools and the output they produce are not always reliable. Among other things, certain AI tools are known to:

  • Lack the ability to distinguish between more and less credible information sources; 
  • Create plausible-sounding but entirely fabricated facts, news articles, legal authorities, or academic citations;
  • Create biased, false, incomplete, or inaccurate responses when models lack complete training data, are subjected to biased data, have limited context, or under other circumstances;
  • Create false positives, such as identifying a threat (e.g., in fraud detection) that is not actually present;
  • Fail to detect a real threat (e.g., in medical imagery) or report other false positives;
  • Fabricate non-existent, fake information or other incorrect or inaccurate information; and
  • Engage in hallucinations or other errors.

The quality of the response, at best, often varies based on the quality and precision of the question asked. Lack of experience and careful structuring of the questions and inquiries made, lack of the specialized knowledge necessary to tailor the inquiry to the specific needs at hand, and other limitations and concerns about the searches can undermine the accuracy, completeness and relevance of the AI tool’s output. Accordingly, responses obtained from AI tools often are unreliable and must be validated by an experienced and skilled person. The validation process should be conducted in such a manner that it preserves evidence that changes and responses are made based on thoughtful and reasonable determinations that the evidence obtained was not applicable or reliable, to minimize susceptibility to claims that decisions and actions were cherry-picking based on improper intent rather than appropriate quality assurance processes. Organizations allowing the use of the tools and the individuals utilizing them need to understand and appropriately manage the operational, legal and other risks of these deficiencies and errors when utilizing AI tools.

Adopt And Enforce AI Policies To Manage AI Tool Use Responsibilities and Risks

Considering these and other responsibilities, human resources and other leaders and their organizations should use care to decide when, how, why, and by whom they allow AI tools to be used in or on behalf of the organization, and should take appropriate steps to manage those uses and the resulting ESI to fulfill their legal obligations and manage their legal and operational risks. Because this process itself could produce evidence impacting the organization’s legal exposures, organizations generally should work with qualified legal counsel within the scope of attorney-client privilege to define and enforce policies and practices that promote the organization’s legal and operational interests and manage the resulting legal obligations.

The author of this update, Cynthia Marcotte Stamer, has decades of experience advising and representing governmental and private entities on AI and other technology, workforce and other legal and operational compliance, risk management and other operational and enforcement matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other legal, contractual or operational compliance or risk management concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law, and as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teaching, and publications, including leading-edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, technology, data confidentiality, privacy and security, Federal Sentencing Guidelines, and other workforce management, regulatory, public policy and other legal and operational concerns.

Author of many highly regarded compliance, training and other resources on these and other operations, risk management, compliance and government affairs concerns, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer currently or previously served as the American Bar Association (“ABA”) Joint Committee on Employee Benefits OCR annual agency scribe and a Council Representative, International Section International Employment Law Committee Chair and International Life Sciences and Health Committee Chair, ABA TIPS Medicine and Law Committee Chair, ABA Health Law Section Managed Care & Insurance Interest Group Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and in a host of other professional and civic leadership roles. She is a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership through leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


$1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity

February 4, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. The Department of Health and Human Services Office for Civil Rights (“OCR”) used its February 2 announcement of the Banner Health settlement to warn health plans, health care providers, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking, even as the Department of Labor and other agencies are stepping up their cybersecurity rules, oversight and enforcement.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. 

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. 

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports that 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes that OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules.

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idle threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

  • Reviewing and monitoring, on a documented and ongoing basis, the adequacy and susceptibilities of the existing practices, policies and safeguards of their own organizations, as well as those of their business associates and vendors, within the scope of attorney-client privilege, taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments, to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in the systems, software and other vendors of business associates can expose covered entities as well, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance, and should tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carry other liability risks. Leaders of covered entities or their business associates also are cautioned that, while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or, increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. 

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefits Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed that audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws. 

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law, and as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teaching, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health, health plan and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends HIPAA covered entities, business associates and other organizations on HIPAA and other cyber, privacy and data security concerns and has published and spoken extensively on these concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.


©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Join 9/8 JCEB Webex To Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement

September 2, 2022

As companies that purchased health insurance, and their employees or other individuals who received health insurance from certain Blue Cross Blue Shield entities, wait to hear how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that private antitrust judgments are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of the basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness, and a discussion of selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and the resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.


©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards

October 11, 2021

Federal government contractors and grant recipients should tighten cyber security policies, practices and internal controls to mitigate their exposure to civil False Claims Act claims by the Department of Justice (“DOJ”) under a new DOJ Civil Cyber-Fraud Initiative announced by DOJ last week. The new initiative adds False Claims Act civil liability to the already substantial civil liability that government contractors and other businesses face for failing to comply with applicable cyber security and cyber breach notification requirements under federal and state laws. In the face of these added liabilities, federal contractors and grant recipients should act quickly to audit their cyber security and cyber breach practices; tighten cyber security and breach detection, oversight, credentialing and controls over employees, contractors and others with access to facilities and systems; and take other appropriate action to prevent and remediate compliance deficiencies and risks.

Federal Government Contractors Bear Cybersecurity Responsibilities 

Federal government contractors can face cyber security and breach responsibilities under a myriad of federal laws, regulations and contracting standards which are incorporated into their government contracts as conditions for participation in the applicable contract or program. For example, businesses that sell products to the U.S. government generally are required to comply with 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI) set forth in FAR 52.202.21. Companies that produce products used by the Department of Defense (DoD) may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS). DFARS 252.204-7012 requires contractors handling Controlled Unclassified Information (CUI) to follow NIST SP 800-171, report cyber incidents, and report cybersecurity gaps. DFARS 252.204-7019 (interim) requires primes and subcontractors to submit a self-assessment of their NIST SP 800-171 controls through the Supplier Performance Risk System (SPRS). DFARS 252.204-7020 (interim) requires primes and subcontractors to give the DoD access to their infrastructure to verify the self-assessment (via DCMA) and requires contractors to flow the requirements down to subcontractors. Meanwhile, DFARS 252.204-7021 (interim) governs the rollout of the Cybersecurity Maturity Model Certification program over 5 years. These requirements are in addition to any cyber security or cyber breach requirements otherwise applicable to government contractors or grant recipients under laws such as the Fair & Accurate Credit Transactions Act (“FACTA”) that also might apply to other businesses that do not do business with the federal government.

New DOJ Civil Cyber-Fraud Initiative Against Government Contractors Heightens Enforcement & Liability Risks

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.

According to the DOJ announcement, DOJ expects the initiative to:

  • Build broad resiliency against cyber security intrusions across the government, the public sector and key industry partners.
  • Hold contractors and grantees to their commitments to protect government information and infrastructure.
  • Support government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
  • Ensure that companies that follow the rules and invest in meeting cyber security requirements are not at a competitive disadvantage.
  • Reimburse the government and the taxpayers for the losses incurred when companies fail to satisfy their cyber security obligations.
  • Improve overall cyber security practices that will benefit the government, private users and the American public.

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to pursue cyber security related fraud by government contractors and grant recipients. According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches.

The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The DOJ’s Civil Cyber-Fraud Initiative does not create new cyber security and cyber breach obligations to promote these goals. Rather, it piggybacks on already existing federal mandates by adding False Claims Act civil liability to the already substantial civil liability that government contractors and grant recipients risk for failing to maintain and administer their data security and data breach practices in accordance with applicable federal laws. Under the new Civil Cyber-Fraud Initiative, DOJ has signaled it intends to treat compliance with the cyber security and cyber breach reporting requirements applicable to contractors as part of the obligation of government contractors and grant recipients to comply with applicable law as a condition of eligibility to participate in federal programs and receive federal funds. Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

Companies and individuals found to have violated the False Claims Act generally are liable for treble damages plus per-claim civil penalties that are adjusted for inflation. In addition to allowing the United States to pursue perpetrators of fraud on its own, the FCA allows private citizens to file suits on behalf of the government (called “qui tam” suits) against those who have defrauded the government. Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many DOJ Fraud Section investigations and lawsuits arise from such qui tam actions and often result in large recoveries for DOJ and the reporting whistleblowers. Because of the availability of whistleblower recoveries, government contractors should anticipate that disgruntled employees, contractors, or other business partners who know of data breaches or other cyber security weaknesses may be incentivized to act as whistleblowers.

Initiative Adds To Already Substantial Cyber Risks

The False Claims Act exposure under the new DOJ Civil Cyber-Fraud Initiative adds to the already substantial and mounting risks that government contractors face under an ever-expanding tapestry of federal, state and, in some instances, international statutes, regulations and rulings.

Along with any exposures specifically applicable to it as a government contractor, a business, depending on the nature of its operations and the data it collects, also likely is subject to duties to safeguard the confidentiality and security of a wide range of electronic and other personal, financial, tax and other data under various federal and state laws such as FACTA, the Internal Revenue Code, the Health Insurance Portability & Accountability Act (HIPAA), state identity theft laws, and a host of other statutes and regulations, contractual agreements, or both.

Due to the nature of their activities, some of the most significant of these obligations for government contractors and other covered entities may arise from the electronic crime provisions of Title 18 of the United States Code, such as 18 U.S.C. § 1028 (fraud and related activity in connection with identification documents, authentication features, and information), 18 U.S.C. § 1029 (fraud and related activity in connection with access devices), and 18 U.S.C. § 1030 (fraud and related activity in connection with computers). Because these provisions are criminal, they also trigger potential organizational compliance program responsibilities under the U.S. Sentencing Commission Organizational Guidelines.

However, government contractors also can face cyber security, breach notification and other obligations and liabilities under a wide range of other civil laws and regulations. For instance, FACTA generally requires covered entities that collect or use certain personal financial information to conduct due diligence, monitor the security of records and adopt disposal practices that are reasonable and appropriate to prevent unauthorized access to, or use of, information in a consumer report. Under the Federal Trade Commission’s implementing regulations, entities with covered accounts must develop and implement written identity theft prevention programs designed to help identify, detect, and respond to patterns, practices, or specific activities, known as “red flags,” that could indicate identity theft.

Beyond these federal obligations, government contractors, like other businesses, also typically are exposed to cyber security, cyber breach notification and other obligations and liabilities under state laws, regulations and common law. While the particulars vary with the state, the nature of the business, where and how the business collects and maintains its data, and other factors, the electronic confidentiality and data security requirements of most states, and of some federal laws, increasingly include express duties to take steps to protect data, to monitor for breaches and other threats, and to notify the subjects of breached data and, in some cases, regulators and the public within a short period after a breach happens. A business operating in multiple states typically faces exposure under the laws of each jurisdiction where it operates or holds data impacted by the breach.

Because cyber security events increasingly create business and financial losses, investigation and defense costs, penalties and other liabilities and costs, cyber security breaches and other events also increasingly fuel shareholder disclosure obligations and shareholder lawsuits. Indeed, former Securities and Exchange Commission Chair Mary Jo White in May 2016 characterized cyber security as the biggest risk facing the financial system. In response to investor risks from cyber security events, the SEC has called for regulated entities to disclose these risks to investors since 2011. See CF Disclosure Guidance: Topic No. 2 – Cybersecurity. Given this guidance, it should come as no surprise that the SEC has imposed substantial fines against entities following a breach. See, e.g., R.T. Jones reaches settlement with SEC in data breach case; Morgan Stanley Fined $1 Million for Client Data Breach.

Act To Manage Compliance & Risks

In the face of these added liabilities, federal contractors and grant recipients should act quickly to work with qualified legal counsel, within the scope of attorney-client privilege, to audit the adequacy of their existing cyber security and cyber breach practices under applicable federal statutes, contracts and other relevant laws and regulations, and to confirm that adequate breach notification has been made for any existing or past breaches. To the extent the audit uncovers potential deficiencies in prior breach notification or other compliance, the federal contractor or grant recipient generally will want to seek guidance from legal counsel on the advisable steps, if any, to mitigate and resolve outstanding liabilities, particularly in light of the whistleblower exposure described above. In addition to examining past and current compliance risks, government contractors and grant recipients also will want to explore advisable steps and documentation that will position their organizations to demonstrate appropriate monitoring and maintenance of ongoing compliance, and otherwise strengthen their defenses against potential cyber breaches as well as whistleblower and retaliation claims from employees or others seeking to use these exposures as leverage for settlements or claims. Given the potential magnitude of the liability, businesses generally need both to take well documented steps to safeguard sensitive electronic personal information and the systems holding or using it, and to be prepared to provide prompt notice of any breach within the short time contemplated by law.

As part of these efforts, businesses and their leaders will want to ensure their compliance efforts include adoption of all required formal policies, appropriate credentialing of employees, contractors and others accessing systems or facilities, well documented operational compliance and risk audits, documented risk assessment and response, compliance hotline reporting and investigation, suitable up-the-ladder reporting, and other appropriate procedures to facilitate rapid identification of potential concerns and other operational compliance.

Effective internal and external workforce credentialing, training, management and oversight are key to the success of these efforts, particularly because cyber breaches and other data threats often leverage internal access obtained by infiltrating the workforce, susceptibilities created by social engineering, or openings created by lax workforce or contractor compliance with security controls. See, e.g., Insider threat: The human element of cyberrisk.

Effective internal monitoring and reporting protocols also are essential to ensure rapid breach identification, investigation and notification, and to ensure that any breach is disclosed and managed within the required time frames.

In recognition of the typically high financial and operational costs of breach investigation, notification and defense, organizations also should weigh the advisability of securing and requiring business partners to secure cyber insurance or other protection to help mitigate these costs in the event of a cyber event.

While these assessments inevitably will require the involvement of outside consulting services, business leaders also are cautioned to take appropriate steps to protect these interactions by engaging those services through counsel, so that attorney-client privilege and related protections may help shield sensitive information likely to be uncovered through compliance, risk management or investigation activities. Likewise, given the short time allowed for breach mitigation and notification, businesses should weigh carefully whether to engage regulatory counsel to assist with the initial breach notification and mitigation, separate and apart from any cyber litigation defense counsel that might be available under applicable cyber insurance policies, unless the proposed litigation defense counsel has proven cyber and other regulatory knowledge, experience and qualifications handling breach mitigation and notification events.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teaching, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  
As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior concerns; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for-performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; Stark, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation; and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. It also includes helping clients establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Administration, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys general and other federal and state agencies; JCAHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions; regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.  

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, it is highly likely that subsequent developments will affect the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide, any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations.
Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.


Justice Department & Wisconsin Officials Warn Falsifying COVID Vaccination Records Is Federal Crime

September 13, 2021

Federal and Wisconsin officials warned that buying or selling fake COVID-19 vaccination records is a federal crime and cautioned citizens to protect their records from fraudulent use in a joint press release on Friday.

The warning followed President Biden‘s announcement last week of plans to implement COVID-19 vaccination mandates for healthcare workers, federal government contractors, employers with more than 100 employees and all federal employees. See Biden’s Impending Employer Vaccine Mandates: What Is Known Now.

In the joint press release, attorneys from the U.S. Department of Justice and Wisconsin officials warned the public that any act of creating, distributing, selling, or buying fake COVID-19 vaccination record cards, and any act of forging COVID-19 vaccination information, is illegal and punishable under federal law.

The unauthorized use of an official government agency’s seal, such as that of the Centers for Disease Control and Prevention (CDC), is a crime that may be punishable under federal law, including Title 18 United States Code, Section 1017, and other applicable laws.

The press release also reminds Wisconsinites not to post vaccine cards on social media, as the information could be stolen to commit fraud.

“If you have not been vaccinated, do not make your own cards or buy fake cards,” said Wisconsin Inspector General Anthony Baize. “If you were vaccinated and your card was not filled out correctly, do not fill in the card yourself. Instead, call your vaccine provider.”

“Public and private institutions, including employers, universities, schools, and businesses, need to be able to rely on the legitimacy of COVID-19 vaccine cards.  Our office will use all available tools to prosecute individuals who knowingly falsify vaccine cards,” said Acting U.S. Attorney Richard Frohling.

“Legitimate COVID-19 vaccine cards—like the vaccines themselves—are crucial tools to prevent illness and death. People who are foolish or selfish (or both) enough to supply bogus vaccination cards, allowing others to circumvent COVID-19 curtailment efforts, will be prosecuted to the full extent of the law,” said Timothy M. O’Shea, Acting U.S. Attorney for the Western District of Wisconsin.

The press release also invites persons who know or suspect that any healthcare provider, pharmacy, private business, or Wisconsin resident is creating, distributing, selling, buying or forging COVID-19 vaccination cards in-person or online, to report such conduct to the Wisconsin Department of Health Services, Office of Inspector General (877-865-3432 or http://www.reportfraud.wisconsin.gov); U.S. Department of Health and Human Services, Office of Inspector General (1-800-HHS-TIPS or http://www.oig.hhs.gov); or the Internet Crime Complaint Center (www.ic3.gov).

More Information

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information about these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 30+ years of working on an on-demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com,  on  Facebook, on LinkedIn or Twitter or e-mail here.


©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™