Healthcare Data Breaches—Costs and Recent Evolution
As we all know, data breaches in the healthcare industry are a costly and evolving issue. The sophistication of threat actors and their ability to navigate IT systems using constantly changing tactics have made it difficult to predict and, in some cases, respond to a breach. The recent aggressive enforcement by the Federal Trade Commission (the “FTC”) of its Health Breach Notification Rule (the “HBNR”), as well as its proposed changes to the HBNR, has expanded the factors that health care companies must consider when analyzing and responding to potential breaches of health data.
Traditional Healthcare Data Breaches Are Continuing
As breaches involving healthcare systems continue at an aggressive pace, we urge our clients to evaluate the security of their networks. According to Emsisoft Malware Lab, in 2023, at least 25 healthcare providers operating 290 hospitals were impacted by ransomware. A 2023 security industry report published by the Ponemon Institute and IBM Security states that, for the 13th straight year, healthcare continues to be the industry with the most expensive data breaches. According to the report, the average cost of a healthcare data breach is $11 million (an eight percent increase from last year and a 53% increase since 2020). For comparison, the financial industry has the second highest average data breach cost, at $6 million.
Industry reports indicate that since the COVID-19 pandemic, several reasons exist for the growing trend of threat actors attacking health systems: (1) resignations and burnout have left the industry short-staffed and slower to respond to cyberattacks; (2) the ability to work from home and use remote log-ins has created more entry points for attackers; and (3) COVID-19 surges and supply chain disruptions have diverted funds to more emergent needs than cybersecurity measures. Put simply—health systems are “data-rich” targets that may have weaker mitigation tools compared to certain other business sectors. Moreover, data breaches of healthcare systems are increasingly resulting in the entities facing class action lawsuits alleging negligence and other claims.
The FTC’s Expanding Definition of a Health Data Breach
Recent activity by the FTC has expanded the scope of what constitutes a health data breach. Last year, the FTC announced a notice of proposed rulemaking to amend the HBNR. Among other things, the proposed changes are aimed at clarifying what constitutes a breach that triggers the rule’s notification requirements. The HBNR applies to consumer technologies beyond HIPAA-covered entities that handle health information, such as health apps and fitness trackers and monitors. In the event of a security breach involving unsecured personal health records, the HBNR requires certain notifications to consumers, the FTC and, in some cases, media outlets. The HBNR requires notification solely for breaches of unsecured health information, which is considered health information that is not secured through technologies or methodologies specified by the U.S. Department of Health and Human Services (“HHS”). The FTC’s proposed rulemaking followed a policy statement that it issued in September 2021, in which the FTC broadly construed a breach – suggesting, for example, that a health app’s disclosure of sensitive health information “without users’ authorization” constituted a “breach of security” under the HBNR. The FTC’s proposed rulemaking utilizes a similarly broad definition of breach of security.
The FTC has recently enforced the HBNR against companies that allegedly disclosed sensitive health information without authorization. For example, the FTC alleged that Easy Healthcare violated the HBNR by sharing sensitive health information of individuals using its period tracking app for advertising purposes. The developer agreed to pay a $100,000 civil penalty and was permanently barred from sharing users’ personal health data with third parties for advertising. In addition, GoodRx paid $1.5 million for alleged FTC Act and HBNR violations, including sharing sensitive personal health information with advertising companies and failing to report these unauthorized disclosures per the HBNR. Notably, under the FTC’s recent actions, data such as email and IP addresses alone arguably could be considered sensitive and require express affirmative consent in instances where disclosure of that information to a third party would implicitly disclose the consumer’s sensitive health information. Based on the FTC’s enforcement, companies should carefully consider whether information they collect links to sensitive health information and whether disclosure of that information requires affirmative consent to avoid being considered a breach of security under the HBNR.
From the traditional concept of a data breach in the healthcare industry to the recent evolution of what it means to be a data breach, health systems and non-HIPAA entities alike should take care when interacting with health information on all platforms. The continued rising costs of healthcare data breaches and recent proposed changes to and enforcement of the HBNR demonstrate the heightened importance of strengthening current security positions (as well as the devastating costs when such positions fail) and more closely monitoring the use and disclosure of health information to keep up with the evolution of digital health.
HHS Releases its Priorities for Promoting Data Protection in the Healthcare Industry
In December 2023, HHS released a list of priorities for improving cybersecurity in the healthcare industry entitled Healthcare Sector Cybersecurity, Introduction to the Strategy of the U.S. Department of Health and Human Services. The list includes some key areas for health care providers to monitor in 2024, including:
- Changes to the HIPAA Security Rule to include new cybersecurity requirements, anticipated for spring 2024;
- New cybersecurity requirements from the Centers for Medicare and Medicaid Services for hospitals enrolled in Medicare and Medicaid;
- Publication of voluntary cybersecurity performance goals for those in the healthcare industry (HHS anticipates that these goals will become industry-standard and may inform future regulatory action by the agency); and
- Potential financial support and incentives to implement both essential and enhanced cybersecurity practices.
HHS also noted that it intends to continue working with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations.
The attorneys in Honigman’s Health Care Practice Group are well versed in the privacy and security risks and obligations of our health care clients and the breaches that continue to plague the health care industry. For more information on how the above developments may apply to you and the potential implications of healthcare data breaches generally, please contact any member of the Honigman Health Care Practice Group.