Bradford P. Meisel and Diane D. Reynolds

Recent years and months have witnessed a catastrophic increase in cyberattacks and data breaches. According to a 2019 report by cybersecurity firm 4iQ, data breach incidents increased by 424% between 2017 and 2018. 

The healthcare sector has become a primary target of cyberattacks and data breaches and cybersecurity research firm Protenus found that 285 healthcare data breaches affecting over 31 million patient records occurred between January and June of 2019, according to Jessica Davis of Healthcare IT News. Such incidents include ransomware attacks, in which malware prevents a healthcare provider from accessing its computer system unless it pays a hacker a requested amount of cryptocurrency, and data breaches in which hackers obtain patients’ personally identifiable information. 

Many such incidents have disrupted and compromised patient care. In November of 2019, more than 100 nursing homes across the United States were affected by a ransomware attack on Milwaukee-based virtual care provider, which offers data storage and Internet security services to healthcare facilities according to a Haley Samsel of Security Today. Hackensack Meridian Health, New Jersey’s largest healthcare system which operates 17 hospitals statewide, paid hackers an undisclosed amount after a December 2019 ransomware attack disabled computer networks for two days and delayed procedures, according to Jessica Kim Cohen of Modern Healthcare. In April of 2017, a similar attack shut down the entire computer system of Buffalo-based Erie County Medical Center and its long-term care facility, according to Henry Davis of the Buffalo News.   

Moreover, the number of deaths that occur in long-term care facilities make such facilities desirable targets for cyber criminals. In 2020, an estimated 40% of all United States deaths will occur in long-term care facilities, according to a 2010 study by Alexander K. Smith and Anne Kelly of the University of California San Francisco. 

            Hackers have begun to obtain and use the personal information of recently deceased individuals in a practice known as “ghosting.” According to the American Association of Retired Persons (AARP), identity thieves annually use the identities of over 700,000 deceased Americans to “open credit card accounts” or obtain services, and since it can take up to six months for the Social Security Administration, financial institutions and credit reporting agencies to process death records, and grieving family members are unlikely to check their recently deceased loved ones’ credit, ghosting can often go undetected for weeks or even months.

            In 2018, cybersecurity researchers observed hackers on the dark web selling large collections of recently deceased patients’ medical records potentially obtained during cyberattacks on healthcare providers that contain names, Social Security numbers, phone numbers, addresses, dates of birth and insurance information.

            Therefore, long-term care facilities that possess personally identifying and identifiable information about recently deceased patients can be inviting targets for hackers seeking to sell vast collections of data for use in large-scale Ghosting schemes. 

The legal implications

Healthcare providers, including long-term care facilities, can face serious consequences in the event of a data breach or cyberattack if they are found to have violated the U.S. Department of Health and Human Services (HHS) regulations promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulations, namely the so-called “Security Rule,” require healthcare providers to use reasonable security measures to protect against threats and hazards to and unauthorized disclosure and access to protected health information and notify patients when their protected health information is breached.  Fines for violations of such HIPAA violations can total up to $1.5 M per entity per violation. 

Although HIPAA regulations preempt state data privacy and security and data breach notification statutes and regulations that conflict with HIPAA regulations, it is possible that long term care facilities could, in certain instances, be subject to state data privacy and security and data breach notification statutes and regulations more stringent than HIPAA that do not directly conflict with HIPAA. 

The solution

The first step long-term care facilities should take in protecting themselves  against cybersecurity incidents and data breaches is to retain an interdisciplinary team of professionals headed by a law firm with experience in healthcare law including HIPAA compliance that retains and supervises technology experts and professionals in order to evaluate their cybersecurity risks, develop and institute incident prevention measures and best practices, and ensure compliance with HIPAA and any other applicable federal, state, and international data security and breach notification laws.

Such an interdisciplinary team can develop and implement practical incident prevention and compliance strategies that fit the specific needs, budgets and risks faced by each long-term care facility. Such strategies may include strategically allocating financial resources for cybersecurity upgrades to software and hardware, methodically evaluating and selecting secure devices and software, developing employee monitoring and acceptable use policies and procedures, and documenting and demonstrating compliance with all applicable laws and regulations.   

The second step is to purchase cybersecurity insurance to cover liability in the event of a data breach as well as business interruption and remediation costs incurred as a result of such an incident.  

An interdisciplinary team headed by a law firm is the ideal partner for small businesses seeking to assess and upgrade their cybersecurity since it allows for a reduction in overall costs by sharing the expertise of an established team of experts including attorneys well-versed in HIPAA compliance and other aspects of state and federal healthcare regulation, shielding the process through attorney-client privilege that can limit discovery in the event of litigation or administrative proceedings and allow for one-stop shopping in which long term care facilities can have the benefit of a single team capable of providing technical services and advice as well as legal advice the legal implications of employee monitoring and discipline related to technology misuse, and navigating the legal and public relations impact of cybersecurity incidents.   

Diane D. Reynolds, Esq. is a partner at McElroy, Deutsch, Mulvaney & Carpenter, LLP who heads the firm’s Cybersecurity, Data Protection, and Privacy practice and has an extensive background in the representation of private and publicly held entities in mergers and acquisitions, corporate finance, compliance, corporate governance and strategic growth initiatives. She has also served as general counsel to technology, financial services and consumer products companies, and possesses a unique depth of experience in privacy/data security combined with strong technology experience, due to her lengthy involvement in the technology sector.

Bradford P. Meisel, Esq. is an associate at McElroy, Deutsch, Mulvaney & Carpenter, LLP, specializing in corporate transactions, cybersecurity and data privacy, who previously served as a Senate Judiciary Committee law fellow to U.S. Senator Sheldon Whitehouse (D-RI) and cybersecurity and technology law clerk to U.S. Senator Gary Peters (D-MI).