During a session at the 2018 RIMS annual conference, Kimarie Stratos (Executive VP/General Counsel, Memorial Healthcare System) and Lynn Sessions (Partner, Baker & Hostetler LLP) covered one organization's journey from an insider cyber incident through breach notification, a class action lawsuit, a regulatory investigation and settlement negotiations.
In 2011, an internal employee at Memorial Healthcare was accessing confidential information and using it to obtain social security numbers and other personal data. An internal investigation found further fraud. A separate, unrelated breach was found by an internal audit: an employee had been fired at one physician's office, but the office did not inform the HR department at Memorial Healthcare, so that employee's password was never disabled. There were three breach reports between 2011 and April 2012. MHS reported its incidents in April 2012 and the affiliated physicians reported theirs in July 2012. The FBI became involved, and several states became involved as well; some settlements have recently been reached at the state level.
Immediate action was taken by MHS. Three C-suite members held daily meetings to determine exactly how far the breach reached, and process and security changes were made daily to cut it off immediately.
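The affiliated-office termination that never reached MHS HR is a classic leaver-deprovisioning gap. The following is an added example (not from the session or from Memorial Healthcare) of the kind of reconciliation check that catches it: join termination feeds from every affiliated practice, not only central HR, against the directory's enabled accounts, and then scan the PHI access log for activity after each termination date. All names, account data and log lines below are constructed for illustration.

```python
"""Leaver reconciliation: flag accounts still enabled after termination,
and any PHI access that happened after the termination date.
Constructed example; no real MHS systems or data are used."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass
class Account:
    username: str
    enabled: bool
    org: str  # "MHS" or the affiliated practice that owns the user


@dataclass
class Termination:
    username: str
    terminated_on: date
    source: str  # which roster reported the leaver (hypothetical feed name)


# Constructed directory export (hypothetical users).
ACCOUNTS = [
    Account("jdoe", True, "MHS"),
    Account("asmith", False, "MHS"),
    Account("rlee", True, "Affiliated Practice A"),
    Account("mchen", True, "Affiliated Practice B"),
]

# Constructed termination feeds. The practice roster is the key input:
# if only the MHS HR feed were used, rlee would never show up here.
TERMINATIONS = [
    Termination("asmith", date(2012, 1, 10), "MHS HR"),
    Termination("rlee", date(2011, 9, 15), "Practice A roster"),
]

# Constructed PHI access-log lines: "<ISO timestamp> <user> <action> <record>".
ACCESS_LOG = """\
2011-09-14T08:03:11 rlee VIEW patient/1001
2011-09-20T22:41:05 rlee VIEW patient/1042
2011-09-20T22:41:09 rlee VIEW patient/1043
2012-01-09T09:00:00 asmith VIEW patient/2001
2012-01-12T09:05:00 jdoe VIEW patient/2002
"""


def orphaned_accounts(accounts, terminations):
    """Usernames present in a termination feed whose account is still enabled."""
    terminated = {t.username for t in terminations}
    return sorted(a.username for a in accounts if a.enabled and a.username in terminated)


def post_termination_access(log_text, terminations):
    """(user, timestamp, record) tuples for PHI access after the user's termination date."""
    cutoff = {t.username: t.terminated_on for t in terminations}
    hits = []
    for line in log_text.splitlines():
        ts, user, _action, record = line.split()
        if user in cutoff and datetime.fromisoformat(ts).date() > cutoff[user]:
            hits.append((user, ts, record))
    return hits


if __name__ == "__main__":
    print("still enabled after termination:", orphaned_accounts(ACCOUNTS, TERMINATIONS))
    for user, ts, record in post_termination_access(ACCESS_LOG, TERMINATIONS):
        print(f"post-termination access: {user} {ts} {record}")
```

In this sample only `rlee` is flagged: the account was never disabled because the termination came from an affiliated practice rather than MHS HR, and the log shows record views five days after the termination date. Running this reconciliation daily, with every affiliated office's roster as an input, is the control that would have closed the gap described above.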
Voluntary Follow Up/Corrective Action
- hired countless consultants
- hired additional staff
- implemented enhanced administration, technical and physical safeguards
- heightened privacy and security functions
- new personnel and structure for privacy and security
- $10+ million spent
The OCR investigation
- Took 5 years
- 3 different investigators
- 6 rounds of requests
- Months and sometimes years between requests
- Types of requests
MHS finally heard back in October 2016, when a conference call took place between the investigator and Memorial Healthcare. The investigator felt strongly that the employee had been able to repeatedly access these records, and stated that OCR would be demanding an $8.1 million resolution. The final agreement was $5.5 million, which to date is the second highest such settlement in medical history.
- investigator was on maternity leave
- worked with deputy regional manager without HHS AGC
- opening settlement amount
- other resolution agreements
- protracted negotiations
- final negotiations were conducted by the covered entity, not counsel
Corrective Action Plan: a 15-page document that Memorial Healthcare must follow for the next three years.
- Approval of plan by OCR
- New policies and procedures
- Training of employees
- Technical enhancements
- Sliding timeline
To conclude the session, some key takeaways: consider where you house the CSO and CIO; they need a direct line to the CEO so that things can happen quickly. Policies must be monitored and updated; there is no point in having a policy you are not going to follow, and a zero-tolerance policy should be enforced. Understand and know where your PHI is, since businesses are constantly updating technology. Lastly, educate, educate and educate, and keep it creative!