Privacy and Data Protection – Healthcare

Overview

Healthcare providers and insurers as well as employee health plan administrators are all particularly vulnerable to data security incidents due to the highly sensitive patient information they maintain, including Social Security numbers, payment records, and confidential medical information. In addition, healthcare clients must deal with the extensive regulations impacting the healthcare industry, including HIPAA and HITECH. We regularly counsel hospitals, medical groups, insurers, and employers with regard to risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to data incidents, from lost files and laptops to the largest cyber incident involving medical information ever reported.

Select Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
More »

Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
  • Advocate Health and Hospitals, acting as lead counsel in defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 4 million patients, and winning motions to dismiss all of the lawsuits, which were with prejudice in all but one of the cases.
  • A Florida-based health system, assisting in a data security incident response and the subsequent regulatory investigations arising from an incident where employees accessed information for approximately 14,000 patients, allegedly to sell to chiropractors and lawyers, providing breach response, crisis management, and regulatory advice, and working with the FBI and law enforcement investigations.
  • A Florida-based health system, providing advice after it discovered that patient information for more than 100,000 people might have been improperly accessed by an employee through a Web portal, working with the health system on breach analysis, crisis management, investigation of the incident, and regulatory compliance.
  • A Texas healthcare provider, advising on a data security incident involving the loss of an unencrypted portable hard drive containing patient information, including medical and research information affecting approximately 4,000 individuals.
  • A North Carolina health system, providing data security incident response services after it learned thieves stole an unencrypted thumb drive containing roughly 11,000 patients’ names, medical record numbers, and physicians’ names.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security- Healthcare Spotlight Table (2018)
  • Chambers USA: Healthcare
    • Florida (2018)
      • Band 4
    • Georgia (2015 to 2018)
      • Band 3
    • Ohio (2011 to 2018)
      • Band 3
    • Texas (2009 to 2018)
      • Band 3
    • Recognized Practitioner in Florida (2016, 2017)
    • Recognized Practitioner Nationwide (2017)
    • Recognized Practitioner Healthcare: Pharmaceutical/Medical Products Regulatory in District of Columbia (2018)
    • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

Publications

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
GDPR Spurring Legal Reforms in South America With New Legislation in Brazil
By Brian P. Bartish, Laura E. Jehl
October 30, 2018
As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s...
Read More ->
Data Privacy Monitor
EU-U.S. Privacy Shield Framework Joint Annual Review 2.0
By David M. Brown
October 30, 2018
As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
October 25, 2018
Class Actions Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit • Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs...
Read More ->
Data Privacy Monitor
FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents
By Paulette M. Thomas
October 18, 2018
Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing...
Read More ->
Data Privacy Monitor
Broker-Dealer and Investment Adviser Agrees to Settle SEC Enforcement Action Arising From a Data Security Incident
By John W. Busch, William R. Daugherty
October 18, 2018
The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in...
Read More ->