Privacy and Data Protection – Healthcare

Overview

Healthcare providers and insurers as well as employee health plan administrators are all particularly vulnerable to data security incidents due to the highly sensitive patient information they maintain, including Social Security numbers, payment records, and confidential medical information. In addition, healthcare clients must deal with the extensive regulations impacting the healthcare industry, including HIPAA and HITECH. We regularly counsel hospitals, medical groups, insurers, and employers with regard to risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to data incidents, from lost files and laptops to the largest cyber incident involving medical information ever reported.

Select Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
More »

Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
  • Advocate Health and Hospitals, acting as lead counsel in defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 4 million patients, and winning motions to dismiss all of the lawsuits, which were with prejudice in all but one of the cases.
  • A Florida-based health system, assisting in a data security incident response and the subsequent regulatory investigations arising from an incident where employees accessed information for approximately 14,000 patients, allegedly to sell to chiropractors and lawyers, providing breach response, crisis management, and regulatory advice, and working with the FBI and law enforcement investigations.
  • A Florida-based health system, providing advice after it discovered that patient information for more than 100,000 people might have been improperly accessed by an employee through a Web portal, working with the health system on breach analysis, crisis management, investigation of the incident, and regulatory compliance.
  • A Texas healthcare provider, advising on a data security incident involving the loss of an unencrypted portable hard drive containing patient information, including medical and research information affecting approximately 4,000 individuals.
  • A North Carolina health system, providing data security incident response services after it learned thieves stole an unencrypted thumb drive containing roughly 11,000 patients’ names, medical record numbers, and physicians’ names.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security- Healthcare Spotlight Table (2018)
  • Chambers USA: Healthcare
    • Florida (2018)
      • Band 4
    • Georgia (2015 to 2018)
      • Band 3
    • Ohio (2011 to 2018)
      • Band 3
    • Texas (2009 to 2018)
      • Band 3
    • Recognized Practitioner in Florida (2016, 2017)
    • Recognized Practitioner Nationwide (2017)
    • Recognized Practitioner Healthcare: Pharmaceutical/Medical Products Regulatory in District of Columbia (2018)
    • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

Publications

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Department of Justice Releases Attorney General's First Cyber-Digital Task Force Report
By John W. Busch
August 17, 2018
The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the...
Read More ->
Data Privacy Monitor
Not Too Early to Start to Prepare for New California Privacy Law
By Alan L. Friel, Niloufar Massachi
August 14, 2018
In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of...
Read More ->
Data Privacy Monitor
Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards
By Brian P. Bartish, Craig A. Hoffman
August 13, 2018
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity...
Read More ->
Data Privacy Monitor
Do You Need a Chief Digital Risk Officer (or Digital Risk Working Group)?
By Craig A. Hoffman
August 6, 2018
Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
By Aaron R. Lancaster
July 24, 2018
Federal Trade Commission Federal Trade Commission Asks for Ability to Fine Companies for Privacy Violations • Speaking before the U.S. House of Representatives’ Subcommittee on Digital Commerce and Consumer Protection, the commissioners of...
Read More ->