By Jack Anderson
November 8, 2013
Here we see yet another example of a large fine and even larger costs due to non-compliance with the HIPAA Security Rule (the breach predates the 2013 Omnibus Rule, but the safeguards at issue are the same). Encryption costs thousands; the lack of encryption cost AvMed $3 million plus the added costs of compliance and negative publicity. Even cheaper, measured against a breach, is maintaining a comprehensive privacy and security program. What is interesting about this case is that the $3 million settles a class action suit, which heretofore was thought to be impossible for a HIPAA violation because HIPAA itself creates no private right of action. Now it seems that an organization can get hit with a class action suit, pleaded under state-law theories such as unjust enrichment, on top of regulatory penalties. Spend that penny on compliance and save the millions.
Data security: pay it now or pay out later, Squire Sanders, Lindsay Holmes and Thomas E. Zeno
The price of compliance may be high, but the price of non-compliance is even higher. Based on its recent $3 million data breach settlement, AvMed, and many other entities that have experienced data breach litigation, would likely agree that paying for security upgrades now is far superior to paying for data breaches later.
In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Last week, AvMed signed a settlement agreement to end the class action litigation that began in 2010. The settlement essentially requires AvMed to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades and updates to security policies and procedures (all of which are set out in HIPAA regulations).
Not only does AvMed have to correct its non-compliance, but it must also forfeit the “unjust enrichment” it has received over the years by not spending sufficiently for data security it should have provided. AvMed will reimburse “premium overpayments” of $10 for each year the customer paid AvMed insurance premiums with a $30 cap for each approved class member without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.
The AvMed settlement proves the need to implement data security measures now that will protect your company, patients and customers in the future. Although data losses are likely inevitable, breaches can be prevented by implementing data security measures already suggested or required by regulations for most healthcare entities. In AvMed’s case, encryption would have rendered the stolen information unreadable and no breach would have occurred.
In the wake of HIPAA, HITECH and state data privacy/security laws, it’s not surprising that companies are feeling the financial pinch of upgrading data security systems to ensure that they do not fall victim to hackers, thieves, and even unintentional errors resulting in lost protected health information.
Although most are working towards compliance, others have reasoned that the time and the money necessary to implement data security measures are not worth it. AvMed would likely disagree.
Data breaches in the healthcare sector are extremely costly. A simple theft can lead to a long list of costs including civil monetary penalties to Health and Human Services, criminal penalties to the Department of Justice, and loss of business through negative press. Plaintiffs’ litigation now adds another layer to the potential financial outlay.