DHHS fine for HIPAA Computer Security Violations held arbitrary and capricious

In University of Texas M.D. Anderson Cancer Center v. US Dept of Health and Human Services, No. 19-60226 (5th Cir. 1/14/2021), the Fifth Circuit held that the DHHS’ fine for violating the HIPAA Security Rule was “arbitrary, capricious, and contrary to law.” To say that the government lost this case is an understatement – the government’s arguments were roundly rejected in broad language – so much so that the government is going to regret ever having brought this case . . .

In brief, University of Texas M.D. Anderson Cancer Center (UT) had three computer security lapses in the early 2010 period – one laptop and two thumb drives, each of which stored electronic Protected Health Information (ePHI), were not encrypted and were lost or stolen. The DHHS originally fined them over 4 million dollars for violating rules that in most cases require ePHI to be encrypted, and that prohibit disclosure of ePHI to unauthorized persons. UT’s administrative efforts on appeal were unsuccessful, but when they petitioned to have the case reviewed by the court, the DHHS admitted that the maximum fine they could impose was $450,000. UT, however, objected to even that fine on two grounds: that a state instrumentality is not a person under the HIPAA enforcement provisions, and that the fine was arbitrary and capricious under the Administrative Procedure Act. The court did not address the first argument and assumed UT was a person subject to HIPAA enforcement.

Under the HIPAA Security Rule, “a HIPAA-covered entity must “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv)” (emphasis by court). UT had done so – it had policies that required portable and mobile devices to be encrypted, it provided employees certain technology (dongles) to encrypt these devices, and it trained them how to do so. DHHS argued that the mere fact that 3 devices were not encrypted meant that UT had violated the rule. The court disagreed:

[T]he Government argues that the stolen laptop and the two lost USB drives were not encrypted at all. That appears undisputed. But that does not mean M.D. Anderson failed to implement “a mechanism” to encrypt ePHI. It means only that three employees failed to abide by the encryption mechanism, or that M.D. Anderson did not enforce that mechanism rigorously enough. And nothing in HHS’s regulation says that a covered entity’s failure to encrypt three devices means that it never implemented “a mechanism” to encrypt anything at all.

UT v. DHHS, at p. 7 (slip)

The court goes on to provide numerous examples of scenarios where unauthorized disclosure of unencrypted ePHI would likely not violate the regulation, primarily because the regulation is not written to make data loss a strict liability.

The same result was found under the Disclosure Rule. That rule in general prohibits a Covered Entity from “disclosing” PHI except as permitted by the rule. The Disclosure Rule defines “disclosure” to “mean[] the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103. The administrative law judge held that the loss of data on unencrypted devices was a “release”; however, the court disagreed and stated: “That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define “disclosure”—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily “transfer” or “provide” something as a sideline observer but as an active participant. The ALJ recognized as much when he defined “release” as “the act of setting something free.” But then he made the arbitrary jump to the conclusion that “any loss of ePHI is a ‘release,’” even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”

Finally, the court was particularly upset that the DHHS took the position that it “can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others.” UT had argued that in other similar cases either no fine was imposed, or fines much smaller than the fine imposed on UT were imposed. It also argued that DHHS refused to consider factors expressly stated in its own regulations (none of which the DHHS could prove – for example, that any individual suffered financial harm).

This case is an incredible loss by the DHHS. It will need to completely overhaul its entire regulatory enforcement structure, most likely it will need to re-write regulations, and it will need to train its ALJs better about how to handle administrative law appeals in light of arguments made by the petitioners. Finally, the case is incredibly helpful for Covered Entities and Business Associates in their efforts to avoid civil money penalties for small and inadvertent infractions (as long as they otherwise meet data security requirements).

Importantly, all entities that store and process PHI should be careful in drafting their Business Associate Agreements and related agreements to distinguish between regulatory violations (which under this case are not strict liability in many scenarios), and contractual liability. Many Business Associate Agreements are written as if *any* “loss” of PHI outside of the entity is a breach. Business Associates should be careful in reviewing these agreements so as to not undertake greater liability than that imposed under the regulations.

For more information contact Mike Oliver

Misconfigured Server costs firm £80,000

Question: How do you cost your company £80,000 with one relatively small computer error?

(Short) Answer: You misconfigure an FTP (file transfer protocol) server . . . and forget and leave it running.

This was the lesson Life at Parliament View Limited recently learned when the Information Commissioner’s Office (https://ico.org.uk) fined it £80,000 for violating the 7th principle of the Data Protection Act 1998 (“DPA”). See https://ico.org.uk/media/action-weve-taken/mpns/2615396/mpn-life-at-parliament-view-limited-20190717.pdf. ICO could have fined it £500,000 (the maximum under that act) – but chose to only implement 16% of the maximum fine.

What happened? Life at Parliament needed to mass transfer personal data – though not particularly sensitive data (note 1) – to a data processor, and chose to use an FTP server. They intended to use a feature of this server to require a username and password, but the technicians misunderstood the server documentation from Microsoft, and ended up putting the server in Anonymous Authentication mode. In addition, “The FTP server was further misconfigured in that whilst approved data transfers were encrypted, personal data transmitted to non-approved parties was not. As such, transfers of personal data over FTP to non-approved parties had the potential to be compromised or intercepted in transit.” (Though not explained in the opinion, this was likely a fallback setting that allowed the server to transmit over a non-encrypted channel if the receiving party did not have a secure channel available.) The server was left in this condition for just shy of 2 years. Computer logs showed over 500,000 anonymous data requests. Eventually a hacker (well, really a person with ordinary computer skill who located the open FTP server) who had obtained the data began extorting Life at Parliament.

While the failure of basic computer security is plain in this case, it is noteworthy that ICO also found the following violations:

  1. Post configuration of the server, LPVL failed to monitor access logs, conduct penetration testing or implement any system to alert LPVL of downloads from the FTP server, which would have facilitated early detection and containment of the breach;
  2. Failure to provide staff with adequate and timely training, policies or guidance either in relation to setting up the FTP server, or information handling and security generally.
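
The monitoring gap in finding 1, applied to the Anonymous Authentication misconfiguration described above, as an added example (not code from the ICO notice or from LPVL): a Python check that flags sessions in which the server accepted an anonymous login and lists the downloads that followed. The log lines are constructed, and the field layout, including the `x-session` column, is an assumption modelled on W3C extended logging.

```python
"""Added example: flag accepted anonymous FTP logins and the downloads after them."""

# Constructed sample log, not taken from the ICO notice. Field layout is an
# assumption modelled on W3C extended logging; IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-session
2019-01-07 09:14:02 203.0.113.9 - USER anonymous 331 s1
2019-01-07 09:14:02 203.0.113.9 - PASS guest@example.invalid 230 s1
2019-01-07 09:14:05 203.0.113.9 anonymous RETR /export/tenants_a.zip 226 s1
2019-01-07 09:14:09 203.0.113.9 anonymous RETR /export/tenants_b.zip 226 s1
2019-01-07 10:02:40 198.51.100.20 - USER processor_svc 331 s2
2019-01-07 10:02:41 198.51.100.20 - PASS *** 230 s2
2019-01-07 10:02:45 198.51.100.20 processor_svc RETR /export/batch.csv 226 s2
2019-01-07 11:30:00 192.0.2.77 - USER anonymous 331 s3
2019-01-07 11:30:01 192.0.2.77 - PASS x 530 s3
"""

ANONYMOUS_NAMES = {"anonymous", "ftp"}  # conventional anonymous FTP user names


def parse(log_text):
    """Yield one dict per record, using the '#Fields:' directive as the schema."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed records
                yield dict(zip(fields, values))


def anonymous_activity(log_text):
    """Map session id -> client, login time and files fetched, anonymous logins only."""
    pending_user, sessions = {}, {}
    for rec in parse(log_text):
        sid, method = rec["x-session"], rec["cs-method"].upper()
        arg, status = rec["cs-uri-stem"], rec["sc-status"]
        if method == "USER":
            pending_user[sid] = arg.lower()
        elif method == "PASS" and status == "230":  # 230 = user logged in
            if pending_user.get(sid) in ANONYMOUS_NAMES:
                sessions[sid] = {"client": rec["c-ip"],
                                 "since": f"{rec['date']} {rec['time']}",
                                 "downloads": []}
        elif method == "RETR" and status == "226" and sid in sessions:
            sessions[sid]["downloads"].append(arg)  # 226 = transfer complete
    return sessions


def alerts(log_text):
    """Render one alert line per session with an accepted anonymous login."""
    return [f"ALERT anonymous login accepted from {s['client']} at {s['since']} "
            f"(session {sid}); {len(s['downloads'])} file(s) downloaded"
            for sid, s in anonymous_activity(log_text).items()]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

On a server that is meant to require a username and password, any alert from this check means the authentication setting is not what was intended.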

ICO has been very active in the general data protection space and issuing fines, and this decision – while an easy one in light of the poor computer security practices – is telling because ICO found secondary violations in post implementation failures to detect and train.

The same tendency is happening in the US – the FTC and State Attorneys General are increasing their oversight of data protection, and several states (e.g. California’s CCPA) are enacting new data protection and data oversight requirements. While the FTC has had some wins (see a recent order against a car dealer, no fine but consent order, where unencrypted data was exposed for 10 days – https://www.ftc.gov/news-events/press-releases/2019/06/auto-dealer-software-provider-settles-ftc-data-security), and at least one major setback in its efforts against LabMD (http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf), it is likely that the government regulators will start going after companies that have engaged in less egregious data security violations, but nevertheless have lax training or monitoring set up, and probably also pursue smaller businesses who may not have the resources to have a robust security system and training.

For more information on our data security and privacy practice contact Mike Oliver.


(note 1): The data is described as follows: “The types of personal data potentially compromised included names, phone numbers, e-mail addresses, postal addresses (current and previous), dates of birth, income/salary, employer details (position, company, salary, payroll number start date, employer address & contact details), accountant’s details (name, email address & phone number). It also contained images of passports, bank statements, tax details, utility bills and driving licences of both tenants and landlords.”

The 3 critical privacy issues most companies face on May 25, 2018

Many companies have exactly 1 year to get their privacy house in order.  On May 25, 2018 the European Union’s General Data Protection Regulation (found here in its entirety, the reg itself without precursors is here: GDPR regulation only) goes into effect.  It brings tremendous changes to the previous data protection rules, but in this short post I discuss what I consider to be the “Big 3” issues that the new rule presents, and why even though US privacy law is almost nonexistent (in the general consumer privacy context), these EU rules will become more and more important even for smaller companies operating solely in the US, due to globalization of data exchange.  OK, the Big 3:

  1. Huge fines for small errors.  The GDPR allows for fines of up to the greater of 20,000,000 Euros, or 4% of annual global turnover.  And, there is every indication that the privacy regulators will be very harsh in doling out these fines, even for fairly innocuous errors.  That has certainly been the trend in the U.S. for sensitive data like protected health information.
  2. Information included within the rule is almost everything.   The regulation (Article 4, Section (1)) defines “personal data” to mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”  It is clear this definition encompasses far more information than just “identifying” information – for example, an “online identifier” is just about any technology that tracks a user.
  3. Extra-territorial scope.  The regulation (Article 3) extends the reach of the GDPR well beyond the borders of the EU.  First, it states that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”  So, any data processed by a controller or processor who is located in the EU is subject to this rule, even if the data subject is not an EU resident.  Next, it states “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”  So, regardless of the location of a business, if the business offers goods or services, whether paid or unpaid, the GDPR applies.  Finally, “[t]his Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”  The US has not yet adopted public international law that accedes to this rule, but other countries may do so.  Operating in those countries would impose the rule on the controller or processor.

There are many other significant issues raised by the GDPR.  For example, in the EU one of the 6 core principles is data subject control and access.  Article 12, Section 3 states “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.”  A company must ask itself – can it do that?  And not just if one data subject asked, but if thousands, or hundreds of thousands, did?  Clearly, any “big data” holder will not be able to meet this standard using humans – they will need an automated system to be able to meet the standards.  And see my 1st big issue above – failure to meet this requirement is going to result in a fine for sure.  The question will be how big, and that will likely depend on what effort went into at least trying to meet this standard.  Another example:  the GDPR is crystal clear that consent to use personal data cannot be obtained through an ambiguous “privacy policy” or buried in terms of service.  The opt in requirement must be plain, unambiguous and intelligible to the data subject.  So, disclosures of how a company tracks a data subject in a privacy policy are not sufficient consent.

There is a separate issue about whether the EU could enforce the GDPR against a US based entity in the EU, or whether it would have to try and come to the US and file such claim; and there is also a separate question of whether a US court would enforce a foreign law against a US based business without an enabling treaty or other enabling statute.  However, a company that operates solely in the US would probably have to play ball with the EU authorities if they ever wanted to be able to actually do direct business in the EU.  Most large companies have already made that decision.  Smaller companies that are wholly located in the US will have to consider whether they would want to take the risk of GDPR enforcement, and whether they want to ever expand direct services into the EU.

One year seems like a long time, but the GDPR has been known for some time (it was adopted in 2016), and now the time is short and companies that might be subject to it really need to be well on their way to making an assessment of what data they are collecting, how they are using it, what efforts they have made to obtain consent to that use, and how they will meet the 6 principles in a timely fashion.

For more information, contact Mike Oliver.

California law changes the right of certain users to delete online posts, prohibits certain marketing starting in 2015

Beginning in 2015, any website or mobile service that is directed to minors under the age of 18 and allows them to post content, will have to delete that content on request of the minor user.  SB 568 provides in part that a site directed to minors must “(1) Permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application to remove or, if the operator prefers, to request and obtain removal of, content or information posted on the operator’s Internet Web site, online service, online application, or mobile application by the user. (2) Provide notice to a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application that the minor may remove or, if the operator prefers, request and obtain removal of, content or information posted on the operator’s Internet Web site, online service, online application, or mobile application by the registered user. (3) Provide clear instructions to a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application on how the user may remove or, if the operator prefers, request and obtain the removal of content or information posted on the operator’s Internet Web site, online service, online application, or mobile application. (4) Provide notice to a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application that the removal described under paragraph (1) does not ensure complete or comprehensive removal of the content or information posted on the operator’s Internet Web site, online service, online application, or mobile application by the registered user”

Some exemptions to this requirement apply (such as data that must be retained for law enforcement, data that is posted by a third party about the minor, and data that is anonymized).  It is not clear (to this writer) that the law would apply after a minor reaches his or her 18th birthday.  In other words – it is not clear a minor who does not make the request before their 18th birthday could make the deletion request after their 18th birthday.

That law also prevents a site “directed to minors” from presenting any content or advertising in the following enumerated categories:

(1) Alcoholic beverages
(2) Firearms or handguns
(3) Ammunition or reloaded ammunition
(4) Handgun safety certificates
(5) Aerosol container of paint that is capable of defacing property
(6) Etching cream that is capable of defacing property
(7) Any tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance
(8) BB device
(9) Dangerous fireworks
(10) Tanning in an ultraviolet tanning device
(11) Dietary supplement products containing ephedrine group alkaloids
(12) Tickets or shares in a lottery game
(13) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A
(14) Body branding
(15) Permanent tattoo
(16) Drug paraphernalia
(17) Electronic cigarette
(18) Obscene matter
(19) A “less lethal weapon”

A site is directed to minors if “[the] Internet Web site, online service, online application, or mobile application, or a portion thereof, [] is created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults.”

This rule also reaches “advertising services” if the website/mobile operator advises the advertising service that the site is “directed to minors.”  Advertisers therefore will need to obtain certification from their customers that the site they are servicing is not directed to minors, or, they will need to add the above filters for such sites.

The California law appears to be the first law that has used the age of 18 in regulating website/platform content; prior to this, under the FTC COPPA act, the applicable age was “less than 13.”

Sites and services that are “directed to minors” will need to begin technologically addressing the issues raised by SB 568 in 2014, to be ready in 2015.

For more information, contact Mike Oliver.