Privacy and Data Protection – Healthcare

Overview

Healthcare providers and insurers as well as employee health plan administrators are all particularly vulnerable to data security incidents due to the highly sensitive patient information they maintain, including Social Security numbers, payment records, and confidential medical information. In addition, healthcare clients must deal with the extensive regulations impacting the healthcare industry, including HIPAA and HITECH. We regularly counsel hospitals, medical groups, insurers, and employers with regard to risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to data incidents, from lost files and laptops to the largest cyber incident involving medical information ever reported.

Select Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.

Experience

  • Advocate Health and Hospitals, acting as lead counsel in defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 4 million patients, and winning motions to dismiss all of the lawsuits, which were with prejudice in all but one of the cases.
  • A Florida-based health system, assisting in a data security incident response and the subsequent regulatory investigations arising from an incident where employees accessed information for approximately 14,000 patients, allegedly to sell to chiropractors and lawyers, providing breach response, crisis management, and regulatory advice, and working with the FBI and law enforcement investigations.
  • A Florida-based health system, providing advice after it discovered that patient information for more than 100,000 people might have been improperly accessed by an employee through a Web portal, working with the health system on breach analysis, crisis management, investigation of the incident, and regulatory compliance.
  • A Texas healthcare provider, advising on a data security incident involving the loss of an unencrypted portable hard drive containing patient information, including medical and research information affecting approximately 4,000 individuals.
  • A North Carolina health system, providing data security incident response services after it learned thieves stole an unencrypted thumb drive containing roughly 11,000 patients’ names, medical record numbers, and physicians’ names.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security – Healthcare Spotlight Table (2018)
  • Chambers USA: Healthcare
    • Florida (2018)
      • Band 4
    • Georgia (2015 to 2018)
      • Band 3
    • Ohio (2011 to 2018)
      • Band 3
    • Texas (2009 to 2018)
      • Band 3
    • Recognized Practitioner in Florida (2016, 2017)
    • Recognized Practitioner Nationwide (2017)
    • Recognized Practitioner Healthcare: Pharmaceutical/Medical Products Regulatory in District of Columbia (2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2019 BTI Client Service 30 for the fifth consecutive year.

In The Blogs

Data Privacy Monitor
FTC Announces Enforcement Action, Warning Letters for Companies Falsely Claiming Privacy Shield Participation
June 21, 2019
The Federal Trade Commission (FTC) recently announced a compliance sweep of companies claiming to be in compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield Frameworks. The U.S.-EU Privacy Shield and the U.S.-Swiss...
Data Privacy Monitor
Texas Moves Forward With Updates to Breach Notification Law and Institutes Privacy Council to Study Data Privacy Legislation
By Caroline B. Brackeen, William R. Daugherty
June 10, 2019
Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers...
Data Privacy Monitor
Attempt to Expand CCPA Private Right of Action Fails, While Bills Exempting Employee Data and Otherwise Refining CCPA Advance
By Taylor A. Bloom, Alan L. Friel, Niloufar Massachi
June 5, 2019
Over the past several weeks, the California State Assembly has voted in favor of advancing to the California Senate bills that would narrow the reach of the California Consumer Privacy Act (CCPA). Senate bills did not fare as well and have...
Data Privacy Monitor
Nevada Adds "Do Not Sell" Requirement to Privacy Law
By Alan L. Friel, Shea M. Leitch
June 5, 2019
Last week, Nevada Governor Steve Sisolak signed new privacy legislation into law in Nevada. Senate Bill 220 (SB-220) updates Nevada Revised Statutes 603A to provide consumers a new right to opt out of the sale of their data. Effective Oct. 1...
Data Privacy Monitor
Ad and Publishing Industries Confront CCPA Challenges While Congress Considers Privacy
By Alan L. Friel
May 29, 2019
The California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, will require more privacy transparency and choice for consumers than they have ever had under U.S. law, but its approach to providing consumers with the right to opt out...