The MIE Breach: Business Associates and Data Security Risks

Posted by Mark Greisiger

A Q&A with J.T. Malatesta of Maynard Cooper & Gale
Medical Informatics Engineering and its subsidiary NoMoreClipboard revealed a breach last month affecting up to 3.9 million Americans, which has now resulted in a series of class action lawsuits on behalf of victims. The incident is causing headaches for risk managers in the healthcare sector and for their cyber liability insurers. This event underscores how a catastrophic breach at one dominant service provider (in this case, Medical Informatics Engineering, the software company that provides the NoMoreClipboard service) can create a domino effect that impacts multiple organizations. Many insurers are also rightfully concerned about aggregated risk, since they could have multiple insureds and claims stemming from a single event such as this one. I spoke with J.T. Malatesta, chair of the cybersecurity practice of Maynard Cooper & Gale, about the implications of this event and how organizations can better prepare for vendor breaches.

This data breach seems to have put everyone from the C-Suite to risk management to insurance companies on edge. Why?
It underscores the risk that vendors present to their clients. Obviously, your data footprint goes beyond the bricks and mortar of your company, but this breach shows us how important it is to conduct proper vendor management and to appreciate and then mitigate the risk those vendors introduce to your organization. The dynamic in this case that’s interesting, and arguably outside the norm, is that the covered entity has not been sued; the liability seems to lie with the vendor. So the CEOs of the covered entities (and their insurers) must be breathing a collective sigh of relief to know they are not entangled in the litigation.

What risk-mitigating steps should an organization using this vendor take/have taken?
Generally, any data breach should prompt an examination of the entire lifecycle of a relationship you have with a breached vendor. When counseling clients on their vendor relationships, I am interested to see their risk assessments of that vendor relationship to determine what type of risk is introduced and what volume of information is at stake. It really translates into due diligence, contractual allocation of the cyber risk, followed by a robust examination of the policies, practices and procedures put in place to contain this type of risk, which of course must include a hard look at the corrective measures taken to address any breaches sustained in the past. Again, what is interesting in this case is that the contractual language seems to have shifted the obligation to notify customers to the business associate. I can definitely appreciate the business justification for wanting to do that, but I would caution covered entities that delegate the notice obligation to maintain oversight over the process to make sure it is done correctly since, at the end of the day, the HIPAA breach notification rule makes it the covered entity’s responsibility to provide appropriate notice to impacted individuals.

MIE learned of the breach on May 26, 2015. Notice letters went out to affected people on June 2 and to direct patients on July 17. If you’re a healthcare provider, what can you do to ensure you and your patients get notified of a third party vendor breach without delay?
While the class action charges that this wasn’t timely notice, I would disagree, given that the company had to get its arms around a large population of impacted individuals. In the case of a HIPAA breach, you have 60 days from the date you discover the breach to notify affected individuals. However, to be safe, shorter notification time periods are not uncommon when negotiating a contractual arrangement with a vendor. Further, state data breach notification laws have their own notification requirements and timetables that likely are implicated by the breach. Another thing to consider: An event may not rise to the level of “breach” as the term is defined under HIPAA, but you may still want to supply notice. If you want more visibility into vendor security, you might want to include a clause in the contract about notification of any and all security events.

What other claims distinguish this class action suit from past cases?
The class actions against MIE include a “breach of implied contract.” This contractual theory is especially interesting here when you consider that the individuals whose information has been compromised have no contractual agreement in place with the business associate, so it remains to be seen whether this theory will hold up. The traditional tort claim of negligence is probably the one with the most legs, but who knows what will stick.

What happens to a healthcare provider when their vendor’s lax security leads to a breach and involvement from the state Attorney General?
This is not a scenario in which you want to find yourself. My expectation is that the AG will focus on the business associate, and perhaps also on the providers’ oversight of the vendor. Too often, once the contract is signed, it’s out of sight, out of mind, but in the eyes of the regulators, there is an expectation that there will be ongoing scrutiny and management of the relationship.

If the vendor in a case such as this cannot financially sustain the losses from a class action suit, where does that leave all the healthcare providers?
This is really the first case like this, so it remains to be seen. If they have a cyber liability policy, it may or may not provide coverage (and arguably, given the modest size of the service provider and sheer number of healthcare organizations using their service that have been impacted by this event, it is doubtful any coverage they had would be sufficient to deal with an event of this magnitude). It certainly incentivizes the plaintiffs’ counsel to bring in additional named defendants.

Any other thoughts or takeaways for our readers?
As a covered entity or provider you should revisit your vendor contracts and make sure you address the risk of data breaches. A traditional indemnification provision or a limitation of liability provision that is capped at the amount that has been paid within the prior 12-month period is no longer an adequate contractual remedy. This breach reinforces the importance of contractually allocating the cyber risk that accompanies doing business in today’s digital marketplace. It takes thought and consideration before you sign on the dotted line.
For the most part defendants have been historically successful fighting breach cases, but the recent Neiman Marcus decision gives credence to the theory that fear of future injury is sufficient to provide damages. That decision could change the dynamics of all of these cases going forward.

In Summary…
We want to thank Mr. Malatesta for his insights into cyber risk issues surrounding this case-study event, especially the growing importance of managing your service provider/cloud contracts and anticipating this type of crisis event. A third-party vendor breach can be devastating to any business affected. One need only read this blog by a consumer directly affected by this breach to see the hardship it caused and how their direct relationship with healthcare providers was impacted. According to the Medical Identity Fraud Alliance (MIFA)’s Fifth Annual Study on Medical Identity Theft, 45 percent of respondents said medical identity theft affected their reputation, largely due to the embarrassing disclosure of personal health conditions. Nineteen percent said the theft caused them to miss out on career opportunities. Only 10 percent of respondents said they ever achieved a completely satisfactory conclusion of the incident. For the covered entity, cyber incidents can be extremely disruptive and disorienting, especially with multiple organizations involved. Keep in mind there are high-tech tools that allow you to prioritize and facilitate incident preparedness with resources such as suggested third-party vendor management contract language guidance.
