HEALTHCARE DATA BREACHES IN SOUTH DAKOTA: POST-BREACH LEGISLATION IS NOT ENOUGH.

Date: 22 September 2020
Author: Mabee, Michael J.
  1. INTRODUCTION

    In July 2015, Siouxland Anesthesiology, Ltd., suffered a data breach of 13,000 patient records due to a "hacking/IT incident" later determined to be a criminal malware attack. (1) The company reported that hackers infiltrated their company computer servers, acquiring patients' electronic Protected Health Information ("ePHI"). (2) The information included patients' names, addresses, dates of birth, and in some cases, Social Security numbers. (3)

    Unfortunately, healthcare data breaches of ePHI in South Dakota are not uncommon. In July 2017, Plastic Surgery Associates of South Dakota suffered a data breach of 10,229 patient healthcare records. (4) In April 2019, Rapid City Regional Health System suffered a data breach of 696 patient healthcare records. (5) In October 2019, Sioux Falls VA Health Care System suffered a data breach of 564 patient healthcare records. (6) In total, 36,204 patient records have been reported breached in South Dakota since 2013. (7)

    Other states and industries are not faring any better. (8) In 2015, three major insurance companies, Anthem, Inc., Excellus, and Premera, suffered data breaches that affected approximately 100 million records. (9) According to a 2016 report, the U.S. Department of Health and Human Services' ("HHS") Office for Civil Rights ("OCR") has "investigated and resolved over 23,873 cases" since 2003. (10) Other industries have seen catastrophic breaches as well, such as the Equifax breach of about 143 million consumers' data. (11) Information may have included names, Social Security numbers, birthdates, addresses, and Driver's License numbers. (12) According to former South Dakota Attorney General Marty Jackley, this included 200,000 South Dakota residents. (13) To say that these data breaches are only a few of the reported data breaches would be an understatement. (14)

    In light of these trends, it is even more concerning that experts believe and surveys reveal that the actual number of breaches across all sectors is underreported, even if the entity is legally required to report the incidents. (15) South Dakota's own data breach notification law, discussed below, contains several notification exceptions. (16) For example, companies do not have to provide notice to individuals if, in the course of conducting an appropriate investigation and providing notice to the attorney general, they determine that the breach will not likely result in harm to the affected person. (17) Another exception allows companies to be in compliance with the law's notification requirements as long as they meet the HIPAA breach disclosure requirements. (18) HIPAA, however, does not require breach notification if the data that was accessed or taken is not stored electronically or if the data was encrypted, theoretically rendering it unreadable or unusable. (19)

    Fortunately, according to the HHS OCR's portal for reporting HIPAA data breaches, there has not been a state-run health care facility data breach in South Dakota. (20) However, in light of the recent trends in the frequency of data breaches, their costs, and other states' preventive laws, South Dakota should strengthen its own data security laws as they apply to both governmental and private entities. This comment will highlight current trends in data breaches in healthcare and other industries. (21) This comment will also provide a brief overview of the definitional differences between data security, data privacy, and cyber security. (22) The comment will investigate the current statutory legal framework protecting consumers' healthcare data privacy and security in South Dakota. (23) This includes an overview of federal legislation such as HIPAA and its subsequent amendments. (24) This also includes discussing South Dakota's state laws and regulations surrounding data security and addressing what SB 62 brings to the field of data breaches and security. (25) Part IV will explore recent state statutory trends in data security and privacy legislation, with a comparative focus on Nebraska's state laws. (26) Finally, this comment will argue that South Dakota should adopt its own data security statute in order to remain aligned with current trends, nationally and internationally. (27)

  2. BACKGROUND

    1. CURRENT DATA BREACH CAUSES AND IMPACTS

      Studies have found different results regarding the most prevalent causes of data breaches. In 2016, one study categorized data breaches as negligent breaches or malicious breaches. (28) A "malicious" breach is one where attackers actively target personal information, whereas a "negligent" breach occurs when private information is exposed accidentally. (29) The study mined each of these categories further, and ultimately determined that negligent breaches occurred nearly twice as often as malicious breaches. (30) A separate 2019 report, conducted by the Ponemon Institute and sponsored by IBM Security, reported that the number of malicious or criminal data breaches across all industries surveyed is on the rise, accounting for 51% of all data breaches occurring today. (31) Of the remaining breaches, 25% were due to a system glitch and 24% occurred due to human error. (32)

      Despite federal health information privacy and security legislation, discussed below, (33) of the seventeen industries surveyed by IBM, the health industry ranks in the middle of the pack for security automation. (34) Security automation refers to an organization's automatic, non-human security interventions that respond to a breach. (35) These interventions include: artificial intelligence, machine learning, analytics, and automated incident response orchestration. (36) Additionally, the health sector had the worst Mean Time to Identify ("MTTI") the breach and was tied for the worst Mean Time to Contain ("MTTC") the breach. (37) Regardless of the type of breach or how quickly companies respond after one, there is inadequate data security in the first place.

    2. DATA BREACH COSTS TO ORGANIZATIONS AND INDIVIDUALS

      To no one's surprise, recent studies report that the costs of data breaches are high, no matter which way they are broken down. (38) One study found that the average cost of a data breach in the United States was $8.19 million. (39) Of the industries surveyed, the healthcare industry had the highest average cost of a data breach at $6.45 million, or $429 per breached record. (40) In the wake of a breach, lost business accounted for the greatest percentage of costs. (41) This is primarily due to abnormal customer turnover, something the healthcare industry is especially susceptible to. (42) One study categorized cyberattack costs into fourteen factors. (43) Of these, half were considered "above the surface" or more visible to the public, while the remaining impacts were harder to quantify. (44) Companies spend an exorbitant amount of money investigating breaches through professional IT and cybersecurity professionals, identifying and mitigating the loss of information, paying ransomware fees, shoring up security through new software or hardware, or developing patches for the network, notifying individuals, consumer agencies, and the government of the breach, retraining staff, and addressing the media. (45) Companies suffer intangible losses as well, including loss of professional reputation, productivity, and intellectual property. (46)

      Data breaches do not just impact organizations; they also impact individuals, directly and indirectly. (47) After a Medicaid data breach in Utah, a follow-up study determined that after each incident of fraud, consumers would lose more than $3,300, twenty hours away from work to fix the problem, and $770 in attorney's fees. (48) Another study found that patients whose PHI data was breached are at risk for financial or medical identity theft, along with the risk of long-term economic and health harms. (49) Individuals who work for breached companies suffer intangible losses such as low morale and decreased productivity, and victims suffer fear of privacy invasion. (50) Other commentators have argued that the damage to individuals is two-fold. (51) The first injury occurs when a company loses the individual's information, due to either negligence or a malicious breach. (52) The second injury occurs when the company passes the costs of its post-breach actions on to its consumers--individuals who already suffered the loss of their private information--resulting in higher fees, premiums, or other costs. (53)

      Consequently, not only are individuals not returning to these providers in some cases, (54) but some studies have found that some United States adults are so concerned about their PHI being breached that they actually withheld information from their healthcare professional. (55) The Federal Trade Commission's ("FTC") own "exploring privacy" roundtable discussions in 2009 and 2010 highlighted that despite consumers generally lacking a full understanding of the nature and extent of data collection and use, they are concerned about their privacy. (56) Finally, McAfee, a leader in the security software world, found in an investigation that large amounts of medical data are being sold on the dark web. (57)

      To make matters worse, some studies have found that after one breach, an entity's risk of another breach is high. (58) The probability of suffering from a future breach has increased from 22.6% in 2014 to 29.6% in 2019. (59) According to the Chief Information Security Officers and Chief Privacy Officers surveyed in the IBM study, the probability of a data breach occurring in the next two years grew as the number of breached records decreased. (60) Therefore, South Dakota businesses may be at a higher risk of data breaches than our neighboring, more-populated states.

    3. RESPONDING TO DATA BREACHES

      In response to companies being underprepared for data breaches and gaps in regulation, private actors such as insurance companies have stepped up with cyber insurance policies. (61) While cyber insurance is...
