BakerHostetler
Client Login Alumni Login
| Subscribe | Print | Client Login
Open search/close search button Open menu/close menu button
Services
Professionals
About Us
Offices
News/Resources
Diversity
Careers
Alumni

Privacy and Data Protection – Healthcare

Overview

Healthcare providers and insurers as well as employee health plan administrators are all particularly vulnerable to data security incidents due to the highly sensitive patient information they maintain, including Social Security numbers, payment records, and confidential medical information. In addition, healthcare clients must deal with the extensive regulations impacting the healthcare industry, including HIPAA and HITECH. We regularly counsel hospitals, medical groups, insurers, and employers with regard to risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to data incidents, from lost files and laptops to the largest cyber incident involving medical information ever reported.

Select Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
More »

Professionals

Name Title Office Email
Susan Whittaker Hughes
Cleveland
+1.216.861.7841
Partner
Susan Whittaker Hughes
Partner Cleveland
Theodore J. Kobus III
New York
+1.212.271.1504
Partner
Theodore J. Kobus III
Partner New York
Lynn Sessions
Houston
+1.713.646.1352
Partner
Lynn Sessions
Partner Houston

Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
  • Advocate Health and Hospitals, acting as lead counsel in defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 4 million patients, and winning motions to dismiss all of the lawsuits, which were with prejudice in all but one of the cases.
  • A Florida-based health system, assisting in a data security incident response and the subsequent regulatory investigations arising from an incident where employees accessed information for approximately 14,000 patients, allegedly to sell to chiropractors and lawyers, providing breach response, crisis management, and regulatory advice, and working with the FBI and law enforcement investigations.
  • A Florida-based health system, providing advice after it discovered that patient information for more than 100,000 people might have been improperly accessed by an employee through a Web portal, working with the health system on breach analysis, crisis management, investigation of the incident, and regulatory compliance.
  • A Texas healthcare provider, advising on a data security incident involving the loss of an unencrypted portable hard drive containing patient information, including medical and research information affecting approximately 4,000 individuals.
  • A North Carolina health system, providing data security incident response services after it learned thieves stole an unencrypted thumb drive containing roughly 11,000 patients’ names, medical record numbers, and physicians’ names.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security- Healthcare Spotlight Table (2018)
  • Chambers USA: Healthcare
    • Florida (2018)
      • Band 4
    • Georgia (2015 to 2018)
      • Band 3
    • Ohio (2011 to 2018)
      • Band 3
    • Texas (2009 to 2018)
      • Band 3
    • Recognized Practitioner in Florida (2016, 2017)
    • Recognized Practitioner Nationwide (2017)
    • Recognized Practitioner Healthcare: Pharmaceutical/Medical Products Regulatory in District of Columbia (2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2019 BTI Client Service 30 for the fifth consecutive year.

News

News

Press Releases

Publications

Related Services

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation
By Paulette M. Thomas
February 19, 2019
Recently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which had affirmed...
Read More ->
Data Privacy Monitor
Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices
By Kathryn Carey, Aleksandra Vold
February 18, 2019
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series...
Read More ->
Data Privacy Monitor
Best Cybersecurity Practices for Healthcare Organizations – Ransomware Prevention
By Kathryn Carey, Aleksandra Vold
February 8, 2019
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series...
Read More ->
Data Privacy Monitor
Insurance Data Security Model Law Picks Up Steam
By Andreas T. Kaltsounis, Shea M. Leitch
February 6, 2019
Three states recently enacted variations of the National Association of Insurance Commissioner’s (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of...
Read More ->
Data Privacy Monitor
What Can We Learn From the Healthcare Data Breach ‘Wall of Shame'?
By Eric A. Packel
February 4, 2019
In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to...
Read More ->

Services

Find Professionals

Offices

About Us

Careers

Firm Diversity

LinkedIn Twitter Facebook Instagram Youtube RSS
Subscribe »
© 2019 Baker & Hostetler LLP