There is an epidemic of cyber security breaches of consumers’ personal information, no doubt about it. At a fast and furious pace, cyber attacks on hospitals are seemingly coming from anywhere and everywhere. With each breach, hackers show increasing boldness and sophistication. Health systems have become a one-stop shop for cybercriminals who not only steal valuable credit card information, but also access even more lucrative confidential patient information. Unlike a credit card, which can be cancelled, stolen personal health information is at risk of being used illicitly for the rest of the victim’s life, because it contains valuable identifying information (such as social security number, birth date, employment record, family member medical history, genetic information and personal health history).

How much information is being stolen? One recent example involves Banner Health. Over 3.7 million of Banner’s health plan members’ sensitive patient information and valuable payment card information was hijacked. Banner is only one of at least 13 reported health information data breaches that occurred in the single month of August, 2016. The numbers of patients whose personal information is being hacked are staggering: for example, 655,000 Bon Secours patients were also exposed to a data breach within just days of the Banner breach.

The number of patient records violated by these recent breaches still pales in comparison to the potential number of overall health records that can be hacked in one fell swoop: In the largest healthcare breach to date, 80 million personal records were stolen from Anthem in 2013, occurring just shortly after the FBI warned that hackers are now targeting health care.

These health care providers are not alone: there have been four reported cyber-thefts of Kaiser Permanente members’ records in the last five years. Healthcare has taken the lead as the most frequently targeted industry for cyber attacks (edging out even the banking industry).

No one is immune: every industry, person, company, and government is at risk of a cyber attack. Over half a billion personal records were stolen or lost in 2015, ransomware increased by 35%, and 9 mega-breaches occurred. Soberingly, most companies are still not reporting the full extent of their security breaches, likely for commercial reasons. Cybercriminals function in a myriad of ways, from infiltrating and paralyzing entire systems and holding them for ransom, to stealing personal data and selling it on an underground market. As economic and political opportunities continue to flourish around breached cybersecurity, so too have the opportunities in the healthcare setting.

What can a consumer whose information has been cyber-stolen do about it? For a long time, there was no remedy. Fortunately, times are changing and there are potential remedies available:

  1. California Medical Information Act

California has one of the more progressive state laws protecting consumers. The California Medical Information Act (CMIA), California Civil Code Section 56 et seq., provides:

“No health care provider can disclose or release medical data about a patient without authorization.”

A $4.1 million settlement was paid by Stanford Hospital after 20,000 patients’ bills containing sensitive, private patient information were posted online. The data was posted by a business partner Stanford had contracted with to handle the patients’ emergency room bills.

Settlements under the CMIA are not always a “slam dunk” when cyber hacking of patient records occurs. The California Court of Appeal has attempted to limit liability under the CMIA by requiring the following for a consumer to win under the CMIA:

     (a)     Disclosure of “individually identifiable information” has been required, such as the patient’s medical history (such as mental or physical condition) or treatment. Eisenhower Medical Center v. Superior Court (Riverside County), 226 Cal.App.4th 430 (2014).

     (b)     Negligence. While some courts have required proof of negligence, the CMIA does not expressly require this. The California Supreme Court could well find, based on the legislative history, that this is a strict liability statute. In the meantime, negligence may not be difficult to prove. The U.S. Food and Drug Administration (FDA) has found that the most common causes of medical records being hacked include lax password distribution; disabled, weak and/or absent passwords; lack of updated security software; and lack of encryption. Who can argue that such rookie moves in the handling of voluminous and sensitive patient information are not negligence? In fact, criminal recklessness comes to mind!

     (c)     Proof that an unauthorized person actually viewed the medical information. It is this proof that an unauthorized person actually viewed the information that has been most difficult for a consumer to establish. For example, in Regents of the University of California v. Superior Court, 220 Cal.App.4th 549 (2013), a UCLA physician’s laptop containing thousands of patients’ electronic charts was stolen. Because the patients couldn’t allege that the data was illegally “disclosed” after it was stolen, the case was kicked out. Left uncertain after the UCLA case was whether proof of disclosure was enough for a lawsuit to go forward. While the California Supreme Court has yet to rule on the issue, another Court of Appeal case holds that even disclosure alone isn’t sufficient: a plaintiff must prove that the “stolen medical information was actually viewed by an unauthorized person.” Sutter Health v. The Superior Court of Sacramento County (Atkins), 227 Cal.App.4th 1546 (2014). The court held that mere possession of medical information or records by an unauthorized person was insufficient to establish a breach of confidentiality if the unauthorized person has not viewed the records.

All is not lost for consumers: the California Supreme Court has yet to rule on these issues, and it could well find that the legislative history imposed no such restrictions on recovery. Further, as outlined below, federal lawsuits have eased the requirements for similar lawsuits.

  2. Federal Class Actions

Recently, there have been pro-consumer decisions rendered by multiple federal Courts of Appeal in consumer class actions.

For example, in September, 2016, the United States Court of Appeals held in Galaria v. Nationwide Mutual Insurance Co., __F.3d. __ (6th Cir. 2016), that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints. The court reasoned that where Plaintiffs already know that they have lost control of their data, it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security….Where the Plaintiffs allege they and other putative class members must expend time and money to monitor their credit, check their bank statements, and modify their financial accounts, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement.

Similarly, the court in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2016) reasoned: “[w]hy else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make a fraudulent charge or assume those consumers’ identities.” This is consistent with the Court of Appeals’ rationale in Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), where restaurant customers’ credit-card data was stolen in a data breach, because a “primary incentive” for a breach is to commit fraud.

Closer to home, the Ninth Circuit (which includes California) similarly found standing in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), where employees brought suit after a thief stole a company laptop containing their personal information.

Not all federal Court of Appeals decisions are in favor of consumers on this point. The Third Circuit reached a different conclusion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). In Reilly, a hacker broke into a payroll processor’s network, but it was not clear “whether the hacker read, copied, or understood” the personal data stored on the system. The plaintiffs whose data was in the system alleged an increased risk of identity theft, but the court concluded that the injuries were too speculative because there would be an injury only “if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully.” The Third Circuit also distinguished the case from data-breach cases where courts found standing: “Here, there is no evidence that the intrusion was intentional or malicious.”

The pro-consumer decisions in the federal courts may conceivably open the way for similar findings in class actions under the California statute. The California statute provides for penalties of $1000 per person in addition to actual damages (such as costs associated with changing bank accounts, freezing credit, etc.), and the defendant would have to pay all attorney’s fees.

Stay tuned as the state and federal courts scramble to keep up with the raging technological advances that allow cyber-thieves to remotely and repeatedly steal your most cherished private information with the click of a mouse.

If you or someone you know has had their personal medical information or other personal data stolen by a cyber attack in California, please contact us using the button at the bottom of this page, or call 619-238-8700.


Eight California hospitals were fined a total of $483,650 for serious issues in patient care, according to a report released Thursday. The fines, levied by the California Department of Public Health, came after the Department’s investigations discovered non-compliance with licensing requirements which “caused, or was likely to cause, serious injury or death to patients.” The fines ranged from $47,025 to $86,625 per hospital.

Administrative penalties are issued to hospitals under authority granted by California Health and Safety Code Section 1280.1. Newly adopted regulations allow the Department to assess an administrative penalty for incidents occurring on or after April 1, 2014, against a specified licensee for a deficiency constituting an “immediate jeopardy” violation up to a maximum of $75,000 for the first administrative penalty, up to $100,000 for the second, and up to $125,000 for the third and every subsequent violation within three years.

San Diego’s Vibra Hospital was among those fined. Vibra was fined $47,025 in connection with a patient’s brain damage and death in 2014, attributed to staff ignoring signs and alarms that should have alerted them that a breathing ventilator had become disconnected, as reported by the San Diego Union Tribune. A full report of the incident can be found on the Department of Public Health’s website. The fine was noted as the hospital’s first “immediate jeopardy” administrative penalty since the program began. Vibra was also required to submit a “plan of correction” to California’s health regulators.

Licensing requirements exist to protect us from the increasingly consolidated, powerful, and for-profit medical industry. As patient advocates and members of the community, we applaud these recent regulatory measures by the Department of Public Health. At the same time, we question whether a $47,025 penalty for a preventable injury that ended a patient’s life sends a strong enough message of the value we place on patient safety. Ultimately, it is not the amount of a single fine that will keep us safe. Safe care is brought about by long-term attention and support from consumers — and voters — for vigilant oversight of the medical industry.


In the spirit of thankfulness and as we approach the full gale of the holiday season, here are some true heroes to keep in mind: family caregivers. Some astounding figures according to AARP (American Association of Retired Persons):

  • 39.8 million Americans – 16.6% of the population – are giving unpaid care to an adult.
  • If provided by paid workers, this care would cost $470 billion annually.
  • 18% of caregivers take care of two or more adults.
  • 13% of caregivers are assisting a friend or neighbor.
  • 2 million Americans care for their own adult children.
  • 40% of caregivers are men.
  • 7% of caregivers live more than two hours away from the person they help.

Just published for National Family Caregivers Month, November, 2015, here are some tips for respite: http://caregiveraction.org/national-family-caregivers-month. “Respite” is relief or rest for the caregiver. Giving a gift of respite to those who care for others is a wonderful way to show them they are appreciated and not forgotten.

Happy and Restful Holidays


With the coming of Breast Cancer Awareness Month in October, it’s a good time to talk about charity scams. Our firm handles fraud actions in the healthcare context, and scams burn us up. Do some research — know that your donation dollars are actually going to support breast cancer research and programs. As one site put it, “Think Before You Pink.” This applies not just to donating, but to purchasing products which purport to give to breast cancer research.

Look for well-established charities, ones that are transparent about how funds are spent, and especially those that will disclose financial records.

My family recently decided to donate an older family car to the fight against breast cancer. We found a site that came up first in internet searches. A call to the site’s number had a representative saying suspicious things. We did more research. Good thing. On further research, the charity appeared convoluted, difficult to track, and was criticized for not being reliable for charitable giving. For example, it appeared that the charity took in $5.7M in revenues in 2013, but its claimed expenses were $5.65M. The Form 990 on file with the IRS showed that very little money actually went to a true charitable purpose. Do we know whether it was a trustworthy charity? No, there was not enough out there to assure us, and plenty to raise red flags. In the end, the car went not to them, but to a different charity with solid figures and accountability.

If you think the warm, fuzzy charity that is tugging at your heartstrings is worth your $$, make sure it can support its claims. Try this link set up by the California Department of Justice: https://oag.ca.gov/charities. Put the name of the charity to which you’d like to donate into their Charity Research Tool. Be cautious if your charity does not appear, and do further research. You also may want to take a look at this scary recent news clip: http://www.cnn.com/2015/05/19/us/scam-charity-investigation/. Bottom line: sadly, charity scammers are out there, and you’ve got to be vigilant so you don’t get “pinked in a wink.”


In what industry, other than health care, are consumers expected to make life-altering decisions about who to hire (for the most important job — their health) without the slightest idea what their services will cost?

A new website clears some of the fog surrounding health care value in California. A tool on the site allows consumers to compare California hospitals and health care providers on both cost and quality. But health insurers may be making a play to render it useless.

The $3.9 million web tool was created through a partnership between the California Department of Insurance, UC San Francisco, Consumers Union (the publisher of Consumer Reports) and others. It allows comparison of health care providers’ quality scores with the amount they charge for their services.

Visit the website at www.cahealthcarecompare.org.

This information, particularly the quality scores, is sorely needed by California consumers and is an excellent step forward. Where the project falls flat for many consumers, however, is that it does not allow consumers to compare the net cost charged to them under different health insurance plans. Due in part to the Affordable Care Act, a lot of us are insured, and that number is growing. According to the LA Times, health insurance companies have worked to block the inclusion of their rates in a comparable tool. Instead, we are left with statewide averages, which can mask wide variations between insurance plans.

So, for many of us, the comparison is incomplete. We can discover the rated quality of a provider and the average price of the service… but not the actual cost to ourselves or our insurer, or what it would be under a different plan. (Our insurer’s cost becomes very important in liability claims, because insurers demand their portion back!) Detailed cost estimates from insurers can be found by clicking a button on the new website. But only health plan members with an active policy can access that information — ensuring that no cost comparison can be made before buying a policy.

We applaud the new “CA Health Care Compare” website as an important first step in health care value transparency. And we urge the Department of Insurance, Consumers Union and California consumers to keep the heat on insurers to pull back their curtain on pricing, so that the site might reach its full potential.
