CEO SUMMARY: Following news last month about the biggest breach of personal health information in the clinical lab industry, lawyers representing some of the affected patients filed at least 12 class action lawsuits. Federal officials and attorneys general in multiple states also launched investigations. The breach occurred when hackers gained access to the data systems of a bill-collector vendor used by the four lab companies. An attorney advised clinical labs to review how they and their vendors handle PHI.
DATA BREACHES AFFECTING TWENTY MILLION PATIENTS of four of the nation’s largest laboratory companies are classic examples of why healthcare providers need to monitor the work vendors do on their behalf.
In June, these clinical laboratory companies reported breaches of personal health information (PHI):
- BioReference Laboratories (a subsidiary of Opko Health),
- Laboratory Corporation of America,
- Quest Diagnostics, and
- Sunrise Laboratories (a division of Sonic Healthcare USA).
The laboratory companies had sent patients’ data to the American Medical Collection Agency (AMCA), a medical bill and debt collector in Elmsford, N.Y. These labs were among AMCA’s largest clients, according to published reports. Within days of the announcement of the breach, AMCA filed for protection under Chapter 11 of the U.S. Bankruptcy laws. (See “BRLI, LabCorp, Quest Disclose Data Breaches of 20M Patients,” TDR, June 10, 2019.)
In its filing with the U.S. Bankruptcy Court for the Southern District of New York, AMCA said its data were hacked over seven months from about Aug. 1, 2018, to March 30 of this year. The hackers stole patients’ records from the four lab clients, plus CareCentrix (a home care provider).
In June, attorneys general in at least six states—Connecticut, Illinois, Michigan, Minnesota, North Carolina, and New York—said they were investigating the breach.
Stolen Data Offered for Sale
Hackers collected patients’ names, Social Security numbers, addresses, dates of birth, and payment card information, all of which was later advertised for sale in underground web forums, according to reporting by Charlie Osborne of ZDNet.
To help lab managers and pathologists understand their lab’s responsibilities to safeguard patients’ PHI under federal and state laws, The Dark Report interviewed James Giszczak, an attorney and co-chair of the Data Privacy and Cybersecurity Group at McDonald Hopkins.
“One important lesson from this data breach is how critical it is for clinical labs and pathology groups to be proactive in making sure they review their vendor agreements,” said Giszczak. “In that review, labs need to know the specific measures each vendor is taking to protect the information the lab is providing to their vendors.”
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, healthcare providers may be liable for damages when a vendor’s systems are breached.
“When a lab’s vendor has some type of breach, the lab entity that provided the compromised information could have some liability related to the breach,” he explained. “That’s why every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach.
“Because your lab needs to know how a vendor will respond to a data security incident, and importantly, how quickly it will respond, it’s critical for lab officials to review the contracts they have with vendors that acquire, or have access to, PHI,” he added.
Delay in Notification
“One issue in the AMCA breach is that the incident started in 2018 and the lab companies weren’t notified until June of this year,” Giszczak said. “This delay, however, could be attributed to a thorough forensic investigation or even a law enforcement hold.”
The labs now face class-action lawsuits from patients who were not informed of the breach until recently. But, of course, the labs may have faced class-action lawsuits regardless of when they were informed of the breach.
“If a vendor has any type of data incident involving PHI, your lab needs to be notified quickly, efficiently, and appropriately—typically within 24 to 48 hours,” noted Giszczak. “Although a data incident is not necessarily a data breach, you want to be informed quickly so that you can conduct the appropriate and timely analysis to make that determination.
“That vendor may still be working to determine whether the incident was a breach and not an incursion,” he said. “But does your lab want the vendor to make that decision, or do you want to be involved in making that decision? Ideally, you want to understand the facts of what’s going on and make your own decision.
Vendor Compliance
“Two other important steps include ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information,” he recommended. “To do that, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor.
“By being prepared, labs can save themselves many headaches,” Giszczak noted. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.
“Over the years, hackers have become more sophisticated and their attacks have become harder to detect,” he added. “In addition, even when an organization detects an intrusion into its systems, there may be reasons that could prevent the vendor from notifying the public or its business partners.
“Take the example of a law enforcement investigation,” he said. “The investigators may order your lab’s vendor not to disclose anything until law enforcement gathers the appropriate evidence or information it needs.
“Other times, a vendor may be unaware that the attack happened. Or the vendor may be aware that an attack happened, but may not be sure if any data was accessed,” stated Giszczak. “Thus, while it may appear on its face that there was a delay in the vendor notifying your lab, there may be legitimate reasons for a delay.”
State laws are another factor that every clinical lab and pathology group must consider. “Some state legislatures have passed laws expanding what constitutes personally identifiable information,” he commented. “In those states, when a lab has a data incident, officials will consider more types of information as personally identifiable information that require heightened protection and may also require notification to individuals and regulators if it is compromised.
“Some states are saying, for example, that information such as usernames and passwords are covered under data-protection laws,” Giszczak said. “Such laws increase the regulatory burden on all companies, including labs.”
In May, for example, New Jersey Gov. Phil Murphy signed a bill into law to expand the definition of personal information if a breach involves a username or password, he said.
New Jersey’s Law
“Previously, New Jersey had defined personal information to include an individual’s first and last name, along with any of the following data elements: Social Security number; driver’s license number or state identification number; or account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account,” Giszczak wrote in an alert to McDonald Hopkins clients.
Quest Diagnostics is based in New Jersey, and Sunrise Medical Laboratories has a patient service center there, so both could have been affected had this law been in effect before the breach. The law will not be effective until Sept. 1, added Giszczak.
“This updated New Jersey law amends the definition of personal information to include an individual’s user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account,” Giszczak said.
“Other states have either passed or are considering similar laws,” he added. “So, it is important for lab companies that operate in multiple states or that have vendors operating in other states to be aware of these laws.”
After Data Breach, Firm Filed Bankruptcy Action
FOLLOWING THE DISCLOSURE that hackers had stolen the personal health information of 20 million patients from a bill-collector vendor for four lab companies, the vendor filed a bankruptcy action.
In a petition filed June 17 in the U.S. Bankruptcy Court for the Southern District of New York, the parent company of American Medical Collection Agency (AMCA) sought relief under Chapter 11 of the Bankruptcy Code. Russell H. Fuchs, founder and CEO of AMCA’s parent company, Retrieval-Masters Creditors Bureau, said AMCA learned of the breach in March.
AMCA’s petition said it received a series of notices from credit card companies suggesting “that a disproportionate number of credit cards that at some point had interacted with the debtor’s web portal were later associated with fraudulent charges.” Such notices could indicate that hackers had tried to use stolen credit card and customer data. At that point, AMCA said, it shut down its patient payment portal.
“Almost immediately upon learning of the breach, LabCorp unqualifiedly and indefinitely terminated its relationship with the debtor [AMCA],” the petition said. “Soon after, Quest Diagnostics, Conduent Inc., and CareCentrix Inc. which together with LabCorp were the debtor’s four largest clients, stopped sending new work to the debtor, and all terminated or substantially curtailed their business relationships with the debtor.”
Contact James Giszczak at 248-220-1354 or jgiszczak@mcdonaldhopkins.com.