• Drug Coverage
  • Hypertrophic Cardiomyopathy (HCM)
  • Vaccines: 2023 Year in Review
  • Eyecare
  • Urothelial Carcinoma
  • Women's Health
  • Hemophilia
  • Heart Failure
  • Vaccines
  • Neonatal Care
  • Type II Inflammation
  • Substance Use Disorder
  • Gene Therapy
  • Lung Cancer
  • Spinal Muscular Atrophy
  • HIV
  • Post-Acute Care
  • Liver Disease
  • Pulmonary Arterial Hypertension
  • Safety & Recalls
  • Biologics
  • Asthma
  • Atrial Fibrillation
  • Type I Diabetes
  • RSV
  • COVID-19
  • Cardiovascular Diseases
  • Breast Cancer
  • Prescription Digital Therapeutics
  • Reproductive Health
  • The Improving Patient Access Podcast
  • Blood Cancer
  • Ulcerative Colitis
  • Respiratory Conditions
  • Multiple Sclerosis
  • Digital Health
  • Population Health
  • Sleep Disorders
  • Biosimilars
  • Plaque Psoriasis
  • Leukemia and Lymphoma
  • Oncology
  • Pediatrics
  • Urology
  • Obstetrics-Gynecology & Women's Health
  • Opioids
  • Solid Tumors
  • Autoimmune Diseases
  • Dermatology
  • Diabetes
  • Mental Health

Liable for a data breach?


Taking reasonable preventative care is a must as healthcare breaches grow in number.

The Anthem data breach has triggered over 90 lawsuits and scrutiny from numerous state insurance commissioners, law enforcement officials and the National Association of Insurance Commissioners. Other significant data breaches have occurred in the healthcare industry, and substantial litigation has ensued.

In the past, most data breach cases were settled or dismissed, because courts concluded that the plaintiffs’ injuries were too speculative to support a lawsuit, dismissing the cases either for failure to establish standing or to plead a legally compensable injury. However, a few courts in consumer class actions recently have concluded that the alleged injuries arising from a data breach are sufficiently certain to allow the cases to go forward, allowing plaintiffs to take discovery on how the breach occurred and what the defendant did or failed to do before the breach to prevent it. At the same time, regulators are increasing scrutiny of companies that suffer data breaches. Ultimately, the defendants in these cases and regulatory investigations will have to prove that they took reasonable steps to prevent the data breach before it occurred.


ving reasonableness

These developments point to the importance of a company conducting and documenting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity” (“Risk Assessment”) and determining and documenting the “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” (“Written Information Security Plan” or “WISP”). The Risk Assessment and WISP, if properly prepared, can be a company’s strongest evidence in defending against data breach claims.

Related:Anthem hack exposes up to 80 million records

Since the Risk Assessment and WISP may become evidence in a legal proceeding, it is important to obtain legal advice in preparing these documents, as well as technical advice from an IT security expert. All emails, expert reports and drafts prepared in the process of preparing a Risk Assessment and WISP can also become evidence in a legal proceeding, so care must be taken in preparing these preliminary materials as well. Retaining legal counsel to work with the technical expert to provide legal advice regarding the company’s legal obligations may protect the confidentiality of the preliminary documents under the attorney client privilege.

In addition, legal counsel can provide input regarding frameworks of potential security controls to consider in formulating a plan. Various organizations have published standards listing potential controls, and there are pros and cons from a legal perspective to selecting each set of standards as a starting point for the analysis. It is important to select industry standards that will have credibility in a court room but, at the same time, are practical. Also, legal counsel can provide input regarding what controls have been the focus of regulatory actions and class action settlements.

Legal counsel can also help structure the process to be consistent with applicable law. For example, IT experts should be asked to identify potential security controls to be discussed with the company. The company, after receiving input from the expert and legal counsel, is responsible for deciding which controls are reasonable from a cost/benefit standpoint. Those decisions should then be implemented and documented in the WISP.

Bottom line: Since a Risk Assessment and WISP and the preliminary documents leading up to them may become evidence in a legal proceeding, legal input is critical in making sure that this evidence will support the company’s position and not be used against it.


Robert Kriss is a partner in Mayer Brown’s Privacy & Security group in Chicago, Illinois. James R. Woods is co-leader of Mayer Brown’s global Insurance Industry Group based in New York, New York and Palo Alto, California.

This column is written for informational purposes only and should not be construed as legal advice.

Related Videos
Video 3 - "In-Office Procedures, Over-the-Counter Options, Treatment Delays, and Costs"
Video 6 - "Safety Analysis and Interpreting Results from MAJIC-PV"
Video 5 - "Key Findings from MAJIC-PV"
Video 2 - "Traditional Treatment of Demodex Blepharitis, FDA approval, and Lotilaner Ophthalmic Solution, 0.25%"
Gabriela Hobbs, MD, an expert on polycythemia vera
Gabriela Hobbs, MD, and Timothy Mok, PharmD, BCPS, BCOP
Video 1 - "Demodex Blepharitis: Prevalence, Symptoms, Quality of Life Impact, and Diagnosis"
Video 2 - "The Role of Ruxolitinib in Managing Hydroxyurea Resistance or Intolerance"
Video 1 - "Prevalence and Impact of Hydroxyurea Intolerance or Resistance in Polycythemia Vera"
Related Content
© 2024 MJH Life Sciences

All rights reserved.