Ransomware has become a major threat to electronic records systems worldwide. The US government reported recently that there have been 4,000 daily ransomware attacks so far in 2016! This represents a 300% increase over the number of attacks that occurred in 2015. Hospitals and other healthcare organizations have become popular targets for ransomware attackers. Nearly one half of all U.S. hospitals reported at least one ransomware attack during the past year. The healthcare industry is especially vulnerable because ransomware attacks can block access to Electronic Medical Records (EMR), which can disrupt patient care services. Hospitals and other healthcare providers are updating their Continuity of Operations Plans to address prolonged loss of the EMR and rapid implementation of back-up electronic or paper systems.
The rise in ransomware attacks in the healthcare industry has also led to many questions about HIPAA compliance before, during and after an attack. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) issued guidance on July 11, 2016, to address some of these questions. OCR is responsible for HIPAA enforcement and responding to complaints alleging HIPAA violations. The way in which OCR views the interaction of HIPAA and ransomware is relevant for every healthcare organization and every HIPAA business associate. Here are some key take-aways from the OCR guidance:
- A ransomware attack constitutes a “security incident” under the HIPAA Security Rule, and once the ransomware is detected, the covered entity or business associate must implement its security incident response and reporting procedures. The high incidence of ransomware attacks on healthcare providers means that every provider should be conducting exercises to test its security incident response procedures using ransomware-based scenarios.
- A ransomware attack will probably result in a reportable data breach as defined by HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). The ransomware virus works by encrypting data within the EMR so that it cannot be accessed by users. The OCR guidance makes clear that when electronic Protected Health Information (ePHI) is encrypted as a result of a ransomware attack, a data breach has occurred. This is because the act of encryption means the ePHI was “acquired” by the attacker which is an unauthorized disclosure of the ePHI under HIPAA. Unless the covered entity or business associate can prove that there is a “low probability that the ePHI has been compromised” under the Breach Notification Rule, then the breach must be reported.
- Congress is calling for HHS to declare that every ransomware event is automatically a reportable breach, but the guidance does not go that far. The covered entity or business associate that is the victim of a ransomware attack can attempt to demonstrate that there is a low probability that ePHI has been compromised as a result of the attack so that no breach notification is required. The burden of proof is squarely on the covered entity or business associate to prove this. The documentation supporting this determination must be rock-solid, since it could be challenged later. The guidance requires the covered entity or business associate to act in good faith in making this determination and to retain the documentation supporting its determination.
- Even if the ePHI is encrypted within the EMR, the guidance makes clear that a ransomware attack might still be a reportable breach. There must be a fact-specific investigation about how the ePHI was being used at the moment of the ransomware attack in order to determine whether a reportable breach has occurred.
The threat of ransomware is not going away. New viruses are being developed and deployed every single day. Every healthcare organization must assume that it will be attacked by ransomware in the near future and prepare accordingly. This means updating your security incident response plan, educating employees about the ransomware threat, conducting realistic exercises simulating a ransomware attack to identify gaps in your organization’s response, and addressing those gaps quickly.
For additional information, please contact Troutman Sanders Partner and Healthcare Practice Leader, Steve Gravely, at email@example.com and Troutman Sanders Partner, Erin Whaley, at firstname.lastname@example.org.
July 14, 2016
On July 8, European Union member states approved the Trans-Atlantic Privacy Shield data transfer deal, finally paving the way for the pact to be formally approved by EU and U.S. officials on July 12.
The Article 31 committee, which is made up of representatives of each EU member state, held their highly anticipated final vote on the Privacy Shield, which EU and U.S. officials revealed in February, to replace the longstanding safe harbor data transfer deal that was struck down last year by the European Court of Justice.
The Article 31 committee’s approval comes after many months of criticism from various EU bodies of the European Commission’s initial February proposal, including the European Parliament, the Article 29 Working Party, and the European Data Protection Supervisor. The Article 29 Working Party in particular expressed concerns over the February proposal for its lack of a data retention principle and data processing purpose limitation, as well as issues of onward data transfer and EU individuals’ right of redress.
Commenting on the approval of the Privacy Shield, Andrus Ansip, Vice President for the Digital Single Market on the European Commission, and Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, said in a joint statement:
Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows. This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running. The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms. During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence.
We previously wrote here that the need for a new privacy shield came about in light of the Snowden revelations, when an Austrian privacy activist named Max Schrems brought suit against Facebook for its alleged transfer of personal data to the United States’ National Security Agency (NSA), as part of NSA’s PRISM program. Schrems’ “Europe v. Facebook” group filed suit against Facebook in Ireland with the Irish Data Protection Commissioner. On June 18, 2014, the suit before the Irish High Court was referred to the Court of Justice of the European Union (CJEU). The central question of the referral was the legitimacy of the European Union’s granting of “Safe Harbor” status to the United States when it came to the transfer of personal information.
On September 23, 2015, the CJEU found that with respect to the powers of national supervisory authorities, the European Commission may adopt a decision that a third country ensures an adequate level of protection that is binding on all member states and their organs, including national supervisory authorities. However, a European Commission determination, such as the Commission Decision 5000/250 that first found the Safe Harbor “adequate,” does not prevent a national supervisory authority from examining claims lodged by individuals concerning the processing of their personally identifiable information (PII). In fact, “[w]hile the Advocate General (of the CJEU) acknowledges that the national supervisory authorities are legally bound by the Commission decision (on the Safe Harbor) … such a binding effect cannot require complaints to be rejected summarily.” Thus, the CJEU found that the Safe Harbor program was inadequate insofar as it allowed for government interference with individual privacy rights, it failed to give individuals whose rights were violated a means of redress, and it prevented national supervisory authorities from exercising their powers on behalf of their citizens.
Since then, companies have been eagerly anticipating a new privacy shield as the EU member states and the U.S. engaged in dialogue for months. Today’s announcement marks a significant step towards reaching a final agreement.
Even with the expected approval by the EU and U.S. on July 12, there is very real risk that the Court of Justice may deem the new arrangement invalid as well. Max Schrems, the privacy activist, has already vowed to challenge the new Privacy Shield in EU courts. Therefore, the new Privacy Shield may be short lived once it is enacted.
July 8, 2016
We are pleased to announce that Troutman Sanders partner Ronald I. Raether, Jr. will be a featured speaker at the American Conference Institute’s 13th National Forum on Cyber & Data Risk Insurance in New York City on July 29, 2016.
Ron will participate on a panel entitled, “Working Toward Prevention of the Breach: What Do Phishing Incidents Look Like?; How Do Forensic Investigations Take Place?; and Are There Ways to Try to Prevent the Breach?” The panel will discuss the differences between phishing, spearphishing, and malware, and what it looks like if a company has a problem. Additionally, the panel will address the most frequent causes of data breaches, procedures and processes for timely identification of potential data breaches, and provide practical tips for being proactive and preventative, and for training employees to ensure the security of sensitive information.
For additional conference information or to register, click here.
June 28, 2016
The Federal Trade Commission (“FTC”) and Florida have settled charges against Vast Tech Support LLC, OMG Tech Help, their founder and COO Mark Donohue, and related companies regarding claims of deceptive marketing of computer software and tech support services. The settlement continues the FTC’s trend of enforcement actions that target scammers who scare consumers into buying expensive and unnecessary computer repairs and tech support services.
The settlement prohibits Vast Tech, OMG Tech Help, and Donohue from misleading consumers regarding the nature of products they sell or market and prohibits deceptive telemarketing. The settlement also prevents Vast Tech and OMG Tech Help from advertising, promoting, or selling tech support products and services.
The FTC filed the case, pending in the United States District Court for the Southern District of Florida, in 2014 as part of a group of actions against Florida-based tech support scammers. The FTC claims the parties violated the Telemarketing Sales Rule, the FTC Act, and Florida’s Deceptive and Unfair Trade Practices Act.
In the schemes, the companies used software to trick consumers into believing they were having problems associated with their computers. The scammers then directed consumers to telemarketers who employed high pressure sales tactics to convince consumers to buy costly tech support services. The scammers claimed the free software program PC HealthBoost would improve computer speed and protect against errors and crashes. Instead, the program falsified reports that tricked consumers into believing hundreds or thousands of errors existed on their computers that needed fixing. Co-defendant Boost Software encouraged consumers to pay almost $30 for a registered version of PC HealthBoost to fix phantom software problems. In order to activate the registered version, consumers called Vast Tech’s call center, which was operated by OMG Tech Help. During the calls, operators obtained access to consumers’ computers and ran more false diagnostic tests. The results from the false tests “scared consumers into spending hundreds of dollars on unnecessary computer repairs,” officials said.
In the settlement, Vast Tech and OMG Tech Help agreed to the entry of judgment against them for over $27 million and agreed to surrender their assets to a court-appointed receiver, who will liquidate the companies. Vast Tech COO Mark Donohue consented to entry of judgment individually for more than $9 million. The settlements also impose compliance monitoring and reporting requirements.
The settlement comes less than one month after the FTC added three new defendants and new charges in a tech support scam case pending in the United States District Court for the Eastern District of Pennsylvania, and it continues the trend in litigation and enforcement actions, which began in 2011, targeting companies that allegedly operate scams to sell tech support services. The settlements and litigation, coupled with the FTC’s April 2016 consumer alert, demonstrate the FTC’s commitment to working with State Attorneys General to combat scams designed to defraud consumers and take advantage of consumers’ insecurities regarding their technology needs and uses.
June 27, 2016
On May 20, PayPal entered into an Assurance of Voluntary Compliance (AVC) with the Texas Attorney General over allegations that it failed to clearly explain how the personal information belonging to users of its Venmo mobile payment application would be used and with whom it would be shared.
The AVC stems from Texas Attorney General Ken Paxton’s investigation into potential violations of the Texas Deceptive Trade Practices Act by Venmo, a popular money transfer app and social network, acquired by PayPal in December 2013, that allows users to electronically pay others using linked bank accounts or credit cards.
According to a press release issued by Paxton, his office’s Consumer Protection Division found a number of issues regarding the safety and security of the Venmo app. Investigators allege that Venmo used consumers’ phone contacts without clearly disclosing how the contacts would be used, did not clearly disclose how consumers’ transactions and interactions with other users would be shared, and misrepresented that communications from Venmo were actually from particular Venmo users.
In order to resolve the regulators’ claims, PayPal has agreed to improve the disclosures that the Venmo app presents to consumers regarding privacy and security, and to work to ensure that consumers understand the safeguards available on the app, who will be able to view their transaction data, and who is sending them communications.
PayPal will also be required to make sure that the disclosures it makes about the app’s security features are “true and correct” and to “clearly and conspicuously” disclose the audience setting for any transaction at the time it is submitted, as well as any optional security features an app user may take advantage of, according to the settlement. Specifically, within 90 days, PayPal must stop accessing Venmo users’ contact lists without first clearly disclosing the type of information that will be accessed, the specific ways in which it will use the data, and how to use and disable the Autofriend feature.
PayPal will pay $135,000 to the state of Texas and $40,000 for reimbursement of attorneys’ fees to the Texas Attorney General.
May 31, 2016
Citing the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, a Maryland District Court judge remanded a putative data breach class action for lack of Article III standing and subject matter jurisdiction. The opinion serves as an early indication of the added hurdles facing prospective data breach class action plaintiffs under Spokeo.
Plaintiff Fardoes Kahn brought her action against Children’s National Health System (“CNHS”), alleging that her personally identifiable information (commonly referred to as “PII”) was exposed when hackers gained access to the email accounts of certain CNHS employees. Judge Theodore D. Chuang held that Kahn had failed to allege a concrete injury in fact.
Quoting Spokeo, Judge Chuang dismissed Kahn’s claims alleging violations of state statutes: “Article III standing requires a concrete injury even in the context of a statutory violation.” Judge Chuang held that under Spokeo, a bare procedural harm under a federal statute, divorced from any concrete harm, would not satisfy the injury in fact requirement. “Here, where Khan alleges violations of state law, she advances no authority for the proposition that a state legislature or court, through a state statute or cause of action, can manufacture Article III standing for a litigant who has not suffered a concrete injury.” Judge Chuang noted that Kahn’s factual allegations fell short of a concrete injury, as there was “no indication that the patients’ personal data was actually viewed, accessed, or copied, or was even the target of the phishing scheme.”
The Spokeo decision is expected to have a significant impact on class action data breach claims predicated on violations of state and federal statutes. As this decision indicates, plaintiffs hoping to survive a jurisdictional challenge under Spokeo must allege a concrete harm, not a mere “bare procedural” statutory harm. See this blog’s further discussion of the Spokeo decision here.
May 27, 2016
Richmond partner Erin Whaley’s discussion at the recent HIMSS Privacy & Security Forum about data breaches and the privacy and security regulation issues companies face – and tips on how to avoid them – was featured in a May 12 Healthcare IT News article (6 privacy landmines and how to avoid stepping on them). The forum, which was held in Los Angeles, is a national event dedicated to privacy and security in the healthcare field. Healthcare Finance also ran the article (Cybersecurity insurance, business agreements among major healthcare privacy pitfalls) on May 13.
May 16, 2016
The health IT world descended on Las Vegas in March for HIMSS16, the world’s largest conference for all things healthcare digital. Over 42,000 attendees networked and shared ideas about everything from cyber-security to interoperability to health IT policy. Here are our key take-aways:
April 8, 2016
San Francisco partner Mark Mao and Richmond associate Reade Jacob had their article – “Why 2016 Will Be a Big Year for Big Data” – published January 13 in Law360. “The coming year will raise many questions about how e-commerce, social media and ‘ad tech’ may continue collecting and using consumer data. Last year, legal developments left organizations that store and collect consumer information to wonder: (1) What are the limitations of data collection on the Internet; (2) how can data be used; and (3) what are ‘best practices’ going forward?” the duo lay out in the opening of their article.
January 14, 2016
2015 Revisions to the Federal Rules of Civil Procedure Effective Today: 5 Key Practice Pointers to Meeting the New Requirements
Today is the big day! New amendments to the Federal Rules of Civil Procedure (“Rules”) become effective. Are you ready? Details about the revised Rules, including the text of the Rules, redlines, and detailed comments are available here (and we will post additional information on each key provision in the coming weeks). The focus of this post is answering one simple question: how will these changes impact the way you handle discovery? To comply with the spirit and the letter of these rule changes, you may need to make some adjustments to your discovery practice.
The revised Rules emphasize case management and proactive discovery by adding several mechanisms to front-load discovery decisions and emphasize proportionality in the discovery process. They also provide guidance for when sanctions for failure to preserve electronically stored information (“ESI”) are appropriate. How courts will apply these Rules is subject to debate, but if you adhere to the five practice pointers below, you should be in good shape to avoid sanctions, reduce risks, and get to the merits of your case without a discovery sideshow.
December 1, 2015