Privacy and Data Protection – Healthcare

Overview

Healthcare providers and insurers as well as employee health plan administrators are all particularly vulnerable to data security incidents due to the highly sensitive patient information they maintain, including Social Security numbers, payment records, and confidential medical information. In addition, healthcare clients must deal with the extensive regulations impacting the healthcare industry, including HIPAA and HITECH. We regularly counsel hospitals, medical groups, insurers, and employers with regard to risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to data incidents, from lost files and laptops to the largest cyber incident involving medical information ever reported.

Select Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
More »

Experience

  • Excellus BlueCross, acting as incident response counsel.
  • Premera Blue Cross, acting as incident response and regulatory and class action defense counsel with regard to one of the largest incidents involving medical information ever reported.
  • Community Health Systems, defending multiple class actions arising from the largest HIPAA breach up to that date by hackers known as APT 18 who used the computer bug Heartbleed to access VPN log-in credentials, impacting more than 6 million patients through the loss of Social Security numbers, names, addresses, and phone numbers and defending the state’s attorney general regulatory investigations.
  • Eisenhower Medical Center, serving as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, denial of review of the decision by the California Supreme Court and remand to the trial court, where it was ultimately dismissed voluntarily by the plaintiffs, with no payment by our client.
  • Advocate Health and Hospitals, acting as lead counsel in defending 12 class actions in Illinois state and federal courts arising out of the theft of computers alleged to have contained patient information for more than 4 million patients, and winning motions to dismiss all of the lawsuits, which were with prejudice in all but one of the cases.
  • A Florida-based health system, assisting in a data security incident response and the subsequent regulatory investigations arising from an incident where employees accessed information for approximately 14,000 patients, allegedly to sell to chiropractors and lawyers, providing breach response, crisis management, and regulatory advice, and working with the FBI and law enforcement investigations.
  • A Florida-based health system, providing advice after it discovered that patient information for more than 100,000 people might have been improperly accessed by an employee through a Web portal, working with the health system on breach analysis, crisis management, investigation of the incident, and regulatory compliance.
  • A Texas healthcare provider, advising on a data security incident involving the loss of an unencrypted portable hard drive containing patient information, including medical and research information affecting approximately 4,000 individuals.
  • A North Carolina health system, providing data security incident response services after it learned thieves stole an unencrypted thumb drive containing roughly 11,000 patients’ names, medical record numbers, and physicians’ names.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security - Healthcare Spotlight Table (2018)
  • Chambers USA: Healthcare
    • Florida (2018)
      • Band 4
    • Georgia (2015 to 2018)
      • Band 3
    • Ohio (2011 to 2018)
      • Band 3
    • Texas (2009 to 2018)
      • Band 3
    • Recognized Practitioner in Florida (2016, 2017)
    • Recognized Practitioner Nationwide (2017)
    • Recognized Practitioner Healthcare: Pharmaceutical/Medical Products Regulatory in District of Columbia (2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2019 BTI Client Service 30 for the fifth consecutive year.

Publications

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
CCPA Amendments Signed into Law by California Governor
By Kyle R. Fath
October 14, 2019
On Friday, October 11, 2019, California’s governor signed into law each of the six CCPA amendment bills passed by the legislature, bringing some finality and clarity to the scope of the CCPA (at least with respect to details which will not...
Read More ->
Data Privacy Monitor
CCPA Regs: "This is the meat on the bones…."
By Alan L. Friel
October 10, 2019
“Data is today’s gold. Everyone is rushing to mine data. Here in California, we are not unfamiliar with gold rushes… [in fact,][w]e are better than Captain Kirk and the Enterprise. We are going [with the CCPA regulations] to where no one...
Read More ->
Data Privacy Monitor
California Bill SB-208 Tackles Pervasive Robocalls
By Kamran Salour
September 27, 2019
On Sept. 11, 2019, the California State Senate approved the Consumer Call Protection Act of 2019, SB-208. The measure seeks to protect consumers from fraudulent robocalls and enact into law provisions that, despite strong support from...
Read More ->
Data Privacy Monitor
If Signed by Governor, California Bill AB-602 Will Provide Private Right of Action for Victims of Sexually Explicit ‘Deepfakes'
By Kamran Salour
September 26, 2019
AB-602, passed by the California State Senate on September 12, 2019, will, if approved by the governor, create a private right of action against persons who create or disclose another’s sexually explicit content through use of “deepfake”...
Read More ->
Data Privacy Monitor
Summer Is Over – It's CCPA and NV Crunch Time
By Alan L. Friel
September 9, 2019
It is less than 120 days until California’s ground-shifting new privacy regimen – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that...
Read More ->