Corporate Counsel: Health Care GCs Should Brace for Major Data Breaches

Originally Published in Corporate Counsel | January 12, 2016 | By Sue Reisinger

The health care industry suffered its largest data breaches ever in 2015, and should be getting ready for more large-scale attacks in 2016, according to cybersecurity attorney Mary Grob of McGuireWoods.

In a post to McGuireWoods’ cybersecurity blog, Grob reports that 255 breaches occurred in 2015, according to figures from the Department of Health and Human Services Office for Civil Rights, which tracks health care breaches. That was down from 287 breaches the year before.

“However, what makes 2015 unique is not the frequency of the health care data breaches but their size,” Grob writes. “[A] staggering 112 million records were impacted.”

The blog continues, “Each of 2015’s largest three breaches eclipsed the size of any health care data breach that occurred in either 2013 or 2014 by at least 5 million affected records.”

The figures support a recent survey of health care general counsel by the Consero Group, which found that cybersecurity was their top risk. Two-thirds of those surveyed said they didn’t believe their emergency preparedness plans covered their exposure adequately.

Paul Mandell, Consero’s founder and CEO, called it “alarming” that 40 percent of the GCs indicated their systems were not prepared for cyberbreaches.

Health care records present an especially attractive target for cybercriminals because they contain so much personal information, including Social Security numbers, according to IGPC, a group that presents seminars on cybersecurity. “The challenge for IT and security professionals working in health care is that they must improve data protection without impeding health care professionals’ speedy access to potentially lifesaving patient information,” often in large and complex hospital environments, the group says.

Grob, an associate in McGuireWoods’ Charlotte, North Carolina, office, warns that the industry needs to be prepared for more attacks in 2016 as well as for changes in the way the government approaches breaches.

That’s because Congress added health care cybersecurity measures to the Consolidated Appropriations Act, 2016, passed in mid-December.

The provisions require the Department of Health and Human Services to take a number of steps, including identifying who is coordinating efforts in the department regarding data protection, and creating a cybersecurity task force.

Among other things the task force, made up of industry members, cyberexperts and federal agencies, is to analyze cyberchallenges, establish a plan for sharing information, and report its findings and recommendations.