Delayed Data Breach Detection: Facing the Consequences
Yearslong Breach at Health Plan Administrator Leads to Lawsuit Settlement
Two health data breaches that each took about a decade to discover illustrate just how tough it can be to detect a security incident. One of those breaches has led to a recent lawsuit settlement.
Arlington, Virginia-based dental and vision health plan administrator Dominion National has agreed to pay $2 million to settle a federal class action lawsuit filed in the wake of a data security incident that affected nearly 3 million individuals and went undetected for nine years before being discovered in 2019.
Meanwhile, the Canton, Ohio-based healthcare organization Aultman Health Foundation last week began notifying 7,300 individuals affected by a breach involving an employee who inappropriately accessed patient records for nearly 12 years.
Under a settlement approved by a Virginia federal court on May 18, Dominion National has agreed to compensate class members up to $2 million for certain losses arising from its security incident and spend nearly $2.7 million to improve its security.
Class members can receive cash payments up to $100 for lost time spent responding to the security incident, cash payments up to $300 per person for ordinary losses tied to the incident and cash payments for extraordinary losses incurred responding to the security incident, up to $7,500 per person.
Dominion National revealed on June 21, 2019, that it had discovered the breach on April 24 of that year.
An investigation found that the organization's computer network system was the target of a cyberattack that began about Aug. 25, 2010, court documents note.
The compromised servers contained personal information pertaining to plan producers and participating healthcare providers. In its breach notification statement, Dominion National noted that the affected information may have included names, addresses, email addresses, dates of birth, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers and subscriber numbers.
Dominion National did not immediately respond to an Information Security Media Group request for comment on the settlement.
"When considering the defense of a lawsuit, the organization is likely to consider multiple factors, including the facts of the case," notes regulatory attorney Marti Arvin of the security and privacy consultancy CynergisTek, who was not involved in the case.
"Even if an organization has what it might consider a valid reason the compromise went undetected, it might consider that a 'bad fact' to try to explain. It also might consider it more economical to settle the case than to continue the cost of defending it even if there is a reasonable chance of an outcome in their favor."
In a recent notification statement, Aultman Health Foundation says that on April 26, it learned that an employee accessed patient information outside of the worker's "normal job duties" between September 2009 and April 2021.
"Upon discovering this, the employee’s access to our electronic health record system was suspended and an investigation was conducted to determine the nature and scope of the incident," the foundation says.
Further investigation determined that the employee accessed information for some patients that included names, addresses, dates of birth, Social Security numbers, insurance information and diagnosis and treatment information, Aultman says.
The worker has since been terminated and no longer has access to any Aultman patient information, the statement notes. Aultman says it has no indication that any information was misused or further disclosed.
A foundation spokesman tells ISMG that the former employee is not facing criminal charges.
"The employee had access to patient information as part of their job of coordinating care for our patients. … Our employees are trained to only access information related to their job. This employee went beyond that."
In the aftermath of the incident, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients, the spokesman says.
As of Thursday, the Aultman incident had not yet been posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Federal regulators do not look favorably on delayed health data breach detection and reporting.
For instance, last year, the HHS' Office for Civil Rights slapped health insurer Premera Blue Cross with a $6.85 million financial penalty, citing a nine-month delay in detecting the breach as a major consideration. The case stemmed from a 2014 hacking incident that exposed the information of 10.4 million individuals.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said Roger Severino, who was HHS OCR director at the time of the settlement with Premera.
In another case involving delayed breach detection, HHS OCR signed a $5.5 million settlement with Hollywood, Florida-based Memorial Healthcare System in 2017 for a breach that involved the use of login credentials of a former employee of an affiliated physician’s office to access the electronic health information on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.
"The fact and circumstances of the accesses and the method of discovery are what the regulators and courts are more likely to rely on regarding the egregiousness of a breach," Arvin of CynergisTek says.
"For example, if an employee is inappropriately accessing records in a way that should be easily detectable with reasonable security measures, that will be viewed differently than if the employee is doing something in a manner that seems consistent with their job duties and more difficult to detect - even with reasonable security measures."
Under HIPAA, covered entities must notify HHS of breaches affecting 500 or more individuals "without unreasonable delay and in no case later than 60 days following a breach."