As if it were not bad enough that hackers are attacking retail businesses like Target and Neiman Marcus to obtain consumer credit card information, it turns out that the bad guys are also targeting health-care records. According to sources cited in a February 18, 2014 Wall Street Journal report entitled “Nursing Homes Are Exposed to Hacker Attacks” (here), investigators have uncovered an Internet file-sharing site where hackers have posted critical health-care organization network systems information that could allow others to access electronic medical records and payment information from health-care providers.
According to sources cited in the Journal article, the networks of about 375 U.S.-based health-related institutions, including hospitals, physicians’ offices, pharmaceutical companies, and health-plan managers were compromised by hackers in September and October 2013. Some of the information accessed by these intrusions has wound up on a file-sharing site, where hackers dump data. The information on the site details the type of equipment used in computer networks, the internal addresses for computers and other devices, and the passwords to network firewalls run by health-care providers.
Information available on the file-sharing site drawn from three specific nursing homes identified in the article apparently was obtained by access to the software of a specific medical software vendor that the three institutions used. The article also states that health-care organizations increasingly are having trouble protecting data because medical equipment such as dialysis and imaging machines can be accessed through the Internet. (The machines are attached to the Internet so that the machines’ software can be administered or updated remotely.) There are, the article notes, an increasing number of entry points hackers can use to access health-care facilities to try to access electronic medical records or billing systems containing credit card information.
The incentives for the hackers are significant. According to the article, medical records sell for about $60 each on the black market, while credit-card information typically goes for about $20. For that reason, “the bad guys in the cyberuniverse definitely have set their sights on health-care records,” according to one commentator quoted in the article. However, according to a report cited in the article, security practices at health-care providers generally are not keeping pace with the high volume of attacks.
The findings in the article have a number of important implications for health-care providers and their service providers, particularly the importance of assessing network security vulnerabilities and addressing concerns. However, as the sequence of events following the disclosure of the Target breach shows, another concern for these companies is their potential litigation exposure. Target has been hit with a wave of consumer class actions following news of the breach in its systems, as were other retailers whose networks were recently hacked. The hackers’ focus on health-care records underscores the fact that health-care organizations may face the same litigation exposures as the retailers. This exposure is not limited just to hospitals and other patient care facilities (such as nursing homes and diagnostic testing centers), but also includes health care service and equipment providers, including potentially even software firms and medical equipment manufacturers.
These litigation risk exposures, as well as the need for companies hit with a breach to try to deal with notification requirements and remediation issues, highlight the need for companies in these industries to ensure that their insurance program includes a robust program of privacy liability and network security insurance. Nor are these concerns limited just to firms in these health-care related industries – there is not a day that goes by that there is not a report of another company experiencing a breach. Today, it was Kickstarter, the Internet funding portal (about which refer here). Tomorrow it will be another company in another industry.
The point is that we have long since reached the point where privacy liability and network security insurance is an indispensable part of every organization’s insurance program.
It is also important to keep in mind that the litigation exposure associated with a network security breach is not limited to just the possibility of consumer actions. As was evidenced in connection with the Target breach, a significant network security breach can also lead to D&O lawsuits (as discussed here). I suspect that we will find in the months ahead that these kinds of lawsuits may become increasingly common. As I have noted previously, the risks of D&O litigation arising from the possibility of a cyber breach include the prospect of shareholder litigation arising from disclosures regarding the company’s privacy and network security practices.
We are already at the point where companies need to take these litigation possibilities into account when considering such basic issues as how much D&O insurance to purchase.
What “Transactional” Skills Should Lawyers in Training Be Taught?: The American Bar Association and a number of other bar groups are exploring the possibility of establishing minimum requirements within accredited law schools related to building practical skills and competencies. The issue these initiatives present is the question of what topics constitute “skills and competencies,” particularly for transactional attorneys.
To address this issue, the Berkeley Center for Law, Business and the Economy at Boalt Hall Law School, UC Berkeley, has developed an on-line survey to try to establish what competencies professionals in transactional practices consider important. The survey’s authors hope the survey results will help both practitioners and legal educators assess and, if appropriate, work to amend the current proposed guidelines. Though the survey is directed to practicing attorneys, it is also open to others who work with transactional attorneys (such as bankers, accountants, etc.).
The survey’s authors are hoping to get as broad a response as possible. The authors are asking everyone to complete the survey and to ask colleagues and contacts to complete the survey as well. The survey can be found here. When the survey is complete, the results will be available on the Center’s website, here.
Can You Please Do That Somewhere Else?: I frequently think newspaper editors don’t read their own headlines. The latest example of this appeared in the February 18, 2014 issue of USA Today, which carried an article headed “Monster Asteroid Whizzes by Earth.”