Avoid Turning One Data Breach into Two

Miles & Stockbridge P.C.

When can a data breach get worse? When the process of notifying victims creates a second breach. Take the example of a cancer treatment center that recently paid $425,000 to settle allegations that included a faulty notification process following a breach. The story provides an important lesson.

One Breach Leads to Another
It began with a spear-phishing attack. Employees at the facility fell for it and their email accounts were compromised, exposing protected health information and other patient records: health records, driver’s license and Social Security numbers, and financial information such as credit card numbers. To notify patients of the breach, the center engaged a third-party vendor, which sent more than 13,000 notices to patients’ next of kin instead of to the patients themselves. Each of those letters disclosed a patient’s information to someone not entitled to receive it, creating a second data breach.

The State of New Jersey Division of Consumer Affairs investigated possible violations of the state Consumer Fraud Act as well as the federal Health Insurance Portability and Accountability Act (HIPAA). Although it did not admit liability, the center paid the settlement and agreed to heightened security measures that included training its employees.

Moreover, the center agreed to develop, implement, and maintain “a written incident response plan and cybersecurity operations center.” The point of both is to anticipate that a breach is likely and to be ready to act, correctly this time, to contain and remedy the damage it causes.

Be Fully Prepared
Training employees remains a crucial component of a cybersecurity program, but every company should also prepare in advance to provide the notifications required after a breach. Beyond learning how to forestall incidents, employees play a critical role in detecting and reporting them, and they should be told so. Since the shift to remote work that began with the COVID-19 pandemic, it is harder than ever for IT departments to maintain visibility into the threats and exposures facing their networks. A “see something, say something” culture, even for what looks like a minor issue, can be invaluable for prompt detection and investigation of cyber incidents.

Covered entities must have written policies and procedures for incident response, including notification, and must train their workforce on those policies, including applying appropriate sanctions to workforce members who do not comply. Waiting until a breach occurs to improvise a response needlessly increases the chance that one breach becomes two.

If A Breach Occurs, Seek Counsel
If you suspect a breach of protected health information or any other personal data, follow your protocol and seek legal counsel. One of the first important steps is to assess if notice of the breach is necessary. Your legal counsel can help guide you through this and these other important considerations:

  • Understand the notice requirements and when they apply. Under HIPAA, notice is required only for a breach of “unsecured protected health information,” that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (in practice, PHI encrypted or destroyed in line with HHS guidance). Data in a compromised mailbox that the attacker could read is not “secured” merely because it was encrypted in transit.
  • Know how to assess whether a reportable breach has occurred. An impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised; if you can, notification may not be required.
  • Understand when a risk assessment is appropriate, and document it carefully. The assessment should weigh the nature and extent of the PHI involved, the unauthorized person who received or accessed it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated, together with the circumstances of the disclosure and any immediate mitigation steps taken.

If notice of a breach is required, proceed with caution:

  • Be aware of state-level obligations. Most states have their own breach notification statutes, some of which cover medical information specifically, and these may require notifications the federal law does not (for example, notice to your state Attorney General’s office).
  • If the breach involves personal data outside the scope of HIPAA, each state’s breach notification statute applies on its own terms. The statutes vary in what counts as personal data, the exceptions to notification, the deadlines, the required content of a notice, and whether third parties such as state attorneys general or consumer reporting agencies must also be notified. Because these laws apply based on the affected person’s state of residence, a multi-jurisdictional notification plan is often required.
  • Confirm whether the responsibility to provide notice lies with a Business Associate. Even if it does, confirm with the Business Associate that appropriate notice has been provided, and request documentation.
  • Know how many individuals are involved. Notification obligations change with the number of individuals affected: under HIPAA, a breach affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified and, where 500 or more residents of a state or jurisdiction are affected, to prominent media outlets serving that area, while smaller breaches are logged and reported to HHS annually.
  • Keep patient contact information up to date, and make sure your records distinguish an emergency contact or next of kin from a legally authorized representative. Notification to next of kin is appropriate only when the patient is deceased and only when the identified next of kin has legal authority to act on behalf of the deceased under state law. Review the recipient file yourself before a vendor mails anything.
  • Pay attention to the timeline. Federal law requires notification without unreasonable delay and in no case later than 60 calendar days after the breach is discovered (not after the original disclosure). Several state laws have shorter deadlines, and most require notification as soon as reasonably possible.
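The addressee rule, the head count and the deadline above can be enforced mechanically before a recipient file leaves your hands. The following Python is an added example written for this post, not code from the center, its vendor or the regulators; the record layout, names, addresses and dates are constructed, and the 60-day figure is HIPAA’s federal outer limit measured from discovery. It builds the lawful addressee list (patient unless deceased with an authorized next of kin on file), deduplicates individuals, counts them per state for the multi-jurisdictional plan, computes the federal deadline, and then audits a vendor’s mailing file against that list. The sample vendor file repeats the mistake in the article, addressing every notice to next of kin.

```python
"""Pre-send sanity check for a breach-notification recipient list (illustrative example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FEDERAL_DEADLINE_DAYS = 60  # HIPAA Breach Notification Rule: no later than 60 calendar days after discovery


@dataclass(frozen=True)
class AffectedRecord:
    """One individual whose PHI was exposed. Field names are assumed for this example."""
    patient_id: str
    patient_name: str
    patient_address: str
    state: str                                   # state of residence selects the applicable state law
    deceased: bool = False
    next_of_kin_name: Optional[str] = None
    next_of_kin_address: Optional[str] = None
    next_of_kin_has_legal_authority: bool = False  # e.g. executor or personal representative under state law


@dataclass(frozen=True)
class Notice:
    patient_id: str
    addressee: str
    address: str
    state: str
    role: str  # "patient" or "next_of_kin"


def choose_addressee(rec: AffectedRecord) -> Optional[Notice]:
    """Return the one person who may receive this patient's notice, or None if that cannot be determined.

    A living patient is always notified directly, even if a next of kin or emergency contact is on
    file. Next of kin is used only for a deceased patient and only where the record shows legal
    authority; any other deceased patient is left unresolved for human review rather than guessed.
    """
    if not rec.deceased:
        return Notice(rec.patient_id, rec.patient_name, rec.patient_address, rec.state, "patient")
    if rec.next_of_kin_name and rec.next_of_kin_address and rec.next_of_kin_has_legal_authority:
        return Notice(rec.patient_id, rec.next_of_kin_name, rec.next_of_kin_address, rec.state, "next_of_kin")
    return None


def build_notification_run(records: list[AffectedRecord], discovered_on: date) -> dict:
    """Deduplicate affected individuals, pick addressees, and summarise volumes and the federal deadline."""
    seen: set[str] = set()
    notices: list[Notice] = []
    unresolved: list[str] = []
    for rec in records:
        if rec.patient_id in seen:  # same person exposed through two compromised mailboxes
            continue
        seen.add(rec.patient_id)
        notice = choose_addressee(rec)
        if notice is None:
            unresolved.append(rec.patient_id)
        else:
            notices.append(notice)
    return {
        "affected_count": len(seen),
        "by_state": dict(Counter(n.state for n in notices)),
        "notices": notices,
        "unresolved": unresolved,
        "federal_deadline": discovered_on + timedelta(days=FEDERAL_DEADLINE_DAYS),
    }


def audit_vendor_file(expected: list[Notice], vendor_rows: list[tuple[str, str]]) -> list[str]:
    """Compare a vendor mailing file of (patient_id, addressee) rows against the lawful addressee list.

    Returns findings; an empty list means the file may be released. A file addressed to next of kin
    instead of patients, as in the article, shows up here as one finding per misaddressed notice.
    """
    want = {n.patient_id: n.addressee for n in expected}
    findings: list[str] = []
    seen_ids: set[str] = set()
    for pid, addressee in vendor_rows:
        if pid in seen_ids:
            findings.append(f"{pid}: listed twice")
        seen_ids.add(pid)
        if pid not in want:
            findings.append(f"{pid}: not a resolved affected individual; remove before mailing")
        elif addressee != want[pid]:
            findings.append(f"{pid}: addressed to {addressee!r}, should be {want[pid]!r}")
    for pid in sorted(want.keys() - seen_ids):
        findings.append(f"{pid}: missing from vendor file")
    return findings


# Constructed sample data: one duplicate, one living patient with next of kin on file,
# one deceased patient with an authorized representative, one deceased patient without.
SAMPLE_RECORDS = [
    AffectedRecord("P001", "Ada Example", "1 Main St, Newark", "NJ",
                   next_of_kin_name="Ben Example", next_of_kin_address="2 Oak St, Newark"),
    AffectedRecord("P001", "Ada Example", "1 Main St, Newark", "NJ",
                   next_of_kin_name="Ben Example", next_of_kin_address="2 Oak St, Newark"),
    AffectedRecord("P002", "Cy Example", "3 Elm St, Albany", "NY"),
    AffectedRecord("P003", "Dee Example", "4 Pine St, Trenton", "NJ", deceased=True,
                   next_of_kin_name="Eli Example", next_of_kin_address="5 Ash St, Trenton",
                   next_of_kin_has_legal_authority=True),
    AffectedRecord("P004", "Flo Example", "6 Fir St, Camden", "NJ", deceased=True,
                   next_of_kin_name="Gus Example", next_of_kin_address="7 Elm St, Camden"),
]

# Constructed vendor file repeating the article's mistake: notices addressed to next of kin where one exists.
BAD_VENDOR_FILE = [("P001", "Ben Example"), ("P002", "Cy Example"),
                   ("P003", "Eli Example"), ("P004", "Gus Example")]


def demo() -> tuple[dict, list[str]]:
    run = build_notification_run(SAMPLE_RECORDS, date(2024, 1, 15))
    return run, audit_vendor_file(run["notices"], BAD_VENDOR_FILE)


if __name__ == "__main__":
    run, findings = demo()
    print(run["affected_count"], run["by_state"], run["federal_deadline"], run["unresolved"])
    for finding in findings:
        print(finding)
```

Run as-is, the audit flags P001 (a living patient addressed to her son) and P004 (a deceased patient with no authorized representative, so not yet resolvable), leaves P002 and P003 alone, reports four distinct individuals split NJ 2, NY 1, and gives a federal outer deadline of 15 March 2024 for a breach discovered on 15 January 2024. Treat the unresolved list as a work queue for counsel, not as records to drop.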

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising
