Rethinking Healthcare Data Breach Litigation

Publication year: 2018

By Jay Edelson and Aaron Lawson1

I. INTRODUCTION

In the wake of the Equifax data breach, the risk to consumer data is something that not only individuals are facing, but also companies dealing in that commodity. Maciej Ceglowski, a web developer and Silicon Valley-based entrepreneur, likens collections of personal data to radioactive waste: "easy to generate, easy to store in the short term, incredibly toxic, and almost impossible to dispose of."2 Bruce Schneier analogizes data to a "toxic asset."3 Ceglowski and Schneier both advocate for companies to limit the data they collect and store, if for no other reason than for companies to limit their own exposure to the fallout from data breaches, hacks, and other leaks of personal information.

Most firms, however, treat consumer data not as toxic but as beneficial: data generates value, and effort should be put into figuring out how best to wring profits from collected personal data.4 On some level, most consumers are aware of this. Thus, the maxim "if the product is free, that means you're the product."5

But whether a company treats consumer data as a beneficial asset to be used or a toxic asset to be disposed of quickly, it frequently ignores the perspective of the party most affected by the nigh-ubiquitous collection of personal data: the consumer. Consumers must hand over their data to transact just about any kind of business, and this data, when aggregated, can paint a remarkably revealing and intimate portrait of a given individual.6 Consumers have an obvious interest in the security of this data, despite their choice to surrender it in a given transaction. Not only does the decision to disclose information in one circumstance not constitute blanket permission to use this data in any way the acquiring firm might want, but there is "the power of compilations to affect personal privacy that outstrips the combined power of the bits of information contained within."7

[Page 105]

Moreover, most assessments of the costs and benefits associated with collecting and storing consumer data ignore a key, and growing, piece of the puzzle: ransomware. Data breaches can lead to bad press, customer turnover, or regulatory action; but in many cases the most immediate cost in any data breach will be the price paid for the return of access to a given system. Since most firms pass costs onto the consumer at the end of the day, this means that consumers might pay double for a firm's lax data security: once because their sensitive data has been compromised, and once because they bear a share of the ransom paid.

Both firms and courts have given insufficient attention to the consumer's interest in data privacy and security. These interests are paramount in the healthcare space. Privacy interests in healthcare-related data are both more complicated and more intuitively grasped, as demonstrated by the fact that healthcare privacy is subject to one of the most comprehensive privacy schemes.

Moreover, for institutions in the healthcare sector, heeding the suggestions of Ceglowski and Schneier—to collect as little data as possible and dispose of it as quickly as possible—is simply not feasible. Hospitals, for instance, cannot function without vast stores of information about their patients. If a doctor doesn't know what other medicines a patient is taking, she runs the risk of prescribing a lethal cocktail of medications. Likewise, a doctor that is unaware of a patient's medical history might misdiagnose a condition, accidentally delaying life-saving treatment. Hospitals must also store payment information, information on a patient's insurance, and information on family members. In short, hospitals possess a trove of incredibly sensitive information about scores of individuals.

The past few years have seen a number of data breaches in the healthcare space, notably Anthem and Premera. These should be a call to arms. Significant players in the healthcare space, however, have not responded to these incidents with the urgency that, we believe, the situation requires. They are instead content to cast themselves as unwitting victims, even when best practices dictate more proactive measures. The failure to act appears to rest on a misperception of the consumer's interest in data security. Ultimately, this failure of perception requires legislators and the courts to intervene before it is too late.

It is time we re-think how we assess data security and data breaches. Regulatory action, whether judicial or legislative, shouldn't focus on the aftermath of a breach; it should focus on preventing them in the first place.

II. HEALTHCARE FIRMS ARE UNDERVALUING DATA SECURITY

We contend that actors in the healthcare space undervalue data security, so let's begin by examining how they do value data security. One widely read study on the costs of a data breach is published annually by the Ponemon Institute. According to the Ponemon Institute, the cost of a data breach in 2016 was $221 per breached record.8 According to the Ponemon study, the largest drivers of this cost are: (1) customer turnover in the wake of a breach, (2) investigating the size of the breach, and (3) defending against resulting lawsuits.9 (These costs are greater in the healthcare space.10)

[Page 106]

The Ponemon study also identifies several ways in which firms can mitigate, reduce, or eliminate these costs: having a response team dedicated to data security, extensive use of encryption, training employees in proper data handling, among others.11 In other words, data breaches and their attendant costs can be prevented by investing in data security. The Ponemon study thus strongly suggests that the interests of firms are aligned with the interests of consumers, and that both should want to invest in data security.

So what are firms doing? If an investigation by Ars Technica is any indication, the answer is "not much." In 2016, a series of hospitals fell prey to data breaches. According to Ars Technica, in each case the same network vulnerability was an issue.12 An AP report on one such attack noted that the vulnerability had been known since 2007, and could have been fixed with a simple patch.13 The vulnerability stems from the decision to use a version of an application server that has been deemed "end of life," meaning, basically, obsolete.

If, as the Ponemon study suggests, both company and consumer incentives are aligned in favor of greater data security, then the persistent decision of healthcare systems not to update their networks, and thus leave them vulnerable even to unsophisticated hackers, is irrational. The problem, of course, is that healthcare firms don't see taking steps to bolster data security and prevent data breaches as financially beneficial. This appears to result from market inefficiency. For publicly traded companies, investors neither know nor care about a company's data security or vulnerability to a data breach.14 And, of course, consumers (not to mention employees, whose data also is vulnerable) rarely have access to this information, and lack the means to agitate for change.

The Ponemon study also reveals a fatal blind spot in how companies value data security: the study never once includes ransom as a cost of a data breach. But a number of recent data breaches were also ransomware attacks.15 In a ransomware attack, not only are a company's files breached, but the intruder holds the files "hostage," denying access to them until a ransom is paid.16

[Page 107]

This blind spot may well be because most ransom demands to date have been essentially nominal. Many early ransom demands asked for 1 Bitcoin, a cryptocurrency whose value has never exceeded $5,000. More recent demands have been closer to $80,000. Still, for a large healthcare organization, that sum is a drop in the bucket. Ransomware attacks can generate a lot of press, but if the cost does not sting, then the press coverage itself won't move the needle.

But ransomware attacks need to be seen as a new entrepreneurial front in the broader hacking economy. A normal entrepreneurial cycle begins with proof of concept. Early investments are small—a product is introduced in one market or one store, just to see if it catches on. If it does, a second round of investment spurs further development or production, and then further investment is sought as needed until supply and demand reach equilibrium. At the same time, new firms, seeking to capitalize on whatever innovation has captured the market's imagination, enter and offer their own version of the product.

Many of these same concepts are regularly applied to hacking, and apply easily to ransomware.17 As it relates to hacking, hackers often locate vulnerabilities and then release "proof of concept" source code.18 When this is done by "white hat" hackers, the idea is to fix the vulnerability before it becomes widely exploited. When done by "black hat" hackers, of course, the motives are far less pure.19

A similar framework applies easily to ransomware. Early hackers may ask only for a small ransom. The sum will grow larger as hackers try to determine what firms are willing to pay to regain access to their computer systems. Once the price reaches a certain level newer actors enter the fray. For instance, the government of North Korea has entered the ransomware game: it famously held up a bitcoin news website using a strain of malware that was previously used to cripple Britain's National Health Service.20

Ransomware-related costs, which are attributable to lax data security, are high and getting higher. But traditional cost studies don't account for them, and what information is available may undervalue the costs. In 2016, hospitals suffered 450 data breaches; one report suggests that 26.8% of these were the result of ransomware, hacking, or malware.21 Yet only 9 ransomware incidents were reported to the government.22 This may well be because existing law doesn't mandate disclosure, particularly if...
