With the loss of laptops, smartphones, tablets, and USB drives among the top sources of privacy breaches, healthcare providers should be aware of a recent federal appellate court ruling that led to a $3 million privacy settlement.
The federal appellate court ruling against AvMed, a medical insurance company, allowed the negligence and breach-of-contract claims in a class-action lawsuit to proceed even though the class plaintiffs had suffered no direct financial loss. This appears to be the first time a federal appeals court has recognized privacy claims without proof of an actual loss from a breach.
Media reports indicate that, in addition to the $3 million figure, AvMed agreed to pay actual damages for any identity theft losses victims sustained as a result of the breach. The settlement also reportedly requires AvMed to implement new password protocols, install disk encryption, and place GPS tracking on its laptops. The case raises the stakes for HIPAA covered entities and business associates and potentially sets the standard for the security criteria courts may impose in the future.
Potential civil liability for the mere occurrence of a breach now joins the existing costs of a data breach: regulatory fines, notification and remediation expenses, credit monitoring, forensic investigation, actual identity theft damages, and devastating public relations impact.
These measures were already prudent for protecting PHI; covered entities and business associates should now consider prompt implementation of:
- “Strong” passwords of at least 12 characters for systems, portable media, and devices (a password alone does not protect data on a lost device; the underlying storage must also be encrypted)
- Encryption of all systems, portable media, and devices
- GPS tracking of portable devices (an aid to recovery, not a substitute for encryption)
- Remote “wipe” capability for smartphones and portable devices (which only takes effect once the lost device reconnects to a network)
- Policies limiting the PHI permitted on portable devices and media