Data breach compliance after Uber: Avoiding scandal

Bethany A. Corbin (bcorbin@wileyrein.com) is an attorney at Wiley Rein, LLP in Washington, DC and focuses her practice on healthcare, privacy, and cybersecurity.

Like the latest installment of the Star Wars saga, data breaches are highly anticipated, command strong media attention, and can impact the lives of millions of consumers. From Anthem Blue Cross to Banner Health to Equifax, security-related incidents have dominated headlines and remain a top concern for businesses in 2018. In a survey of more than 15,000 chief information security officers (CISOs), the Ponemon Institute found that 67% of CISOs believed their companies would likely experience a cyberattack or data breach this year, with 60% noting that their concern has increased since 2017.[1],[2]

Healthcare entities in particular are prime targets for data breaches, given the sensitive information contained in medical records. From January to June 2017, hackers accessed almost 1.6 million patient records, and insider wrongdoing further exposed another 1.17 million patient records.[3] Failure to appropriately secure data and implement timely responses and notification measures for breaches can expose healthcare organizations to reputational damage, investigative inquiries, and civil liability. Given the organizational risks associated with data breaches, it is unsurprising that the term conjures images of fear for both companies and consumers, much like the Star Wars Death Star inspired dread throughout space civilizations.

The inevitability of data breaches has forced companies to question their prevention and response strategies — particularly in light of Uber’s recent data breach scandal. Although the popular press has taken issue with Uber’s failure to follow data breach notification laws, adherence to such laws alone will not ensure a culture of compliance — especially in the healthcare industry. Rather, an effective compliance response to healthcare data breaches must begin before a breach occurs and continue after the breach is contained. Breach notification is an important aspect of compliance, but contrary to widely held belief, it should not dominate the compliance and investigative process. Instead, organizations must focus on identifying, containing, and remedying the breach as top priorities. This article proposes three compliance strategies for healthcare entities to employ before, during, and after a data breach to help avoid becoming the next Uber.
