Protecting Employees' Private Health Information from a Cyberattack in the Age of COVID-19
With COVID-19, employers are receiving and processing an ever-increasing amount of their employees' confidential health information. From COVID-19 test results to vaccination status, many employers are routinely collecting medical information on their employees for compliance with internal or external rules and regulations. Furthermore, with OSHA and other federal regulators currently working on regulations to impose vaccine mandates or mandatory testing of non-vaccinated workers, many businesses soon will be required to receive and maintain even more of their employees’ confidential health information. This increase in collecting and storing employee health information occurs precisely as we are seeing a similar increase in the risk of a cyberattack and the inadvertent disclosure of employees' confidential health information.
Presumably, most employers are storing (and transmitting) employee health information via electronic systems (i.e., computer networks), which implicates the security of that information.Unfortunately, 2021 has been a record year for cybersecurity incidents. The Identity Theft Resource Center found that data breaches were 17 percent higher through September 30, 2021 when compared to all
of 2020, which itself was a record year for breach events. With the risk of cyberattack at an all-time high at the very moment that employers are collecting more employee confidential information than ever, now is the time to ensure that employers have a robust and effective cybersecurity plan in place. Failure to do so can lead to dire consequences for the employer, including regulatory and legal penalties.
Numerous Laws Govern the Confidentiality of Employee Health Information
Most employers are legally required to secure employees' confidential information and to prevent the inadvertent or unauthorized disclosure of their employees' private health information. The Americans with Disabilities Act ("ADA"), the Genetic Information Nondiscrimination Act ("GINA"), and in certain circumstances, the Health Insurance Portability and Accountability Act ("HIPAA"), all impose legal obligations on employers regarding the protection and safeguarding of employees' confidential health information under certain circumstances. HIPAA already employs mechanisms governing what to do in the event of breach/disclosure of protected information. However, where HIPAA does not govern, a recently enacted federal rule, the Health Breach Notification Rule (16 C.F.R. 318.1-9), fills the gap, providing clear requirements for notifying individuals affected by a breach exposing their confidential health information. In the event of a breach (whether by cybersecurity attack or other inadvertent disclosure), employers will need to comply with the requirements of HIPAA, where applicable, or the newly enacted Health Breach Notification Rule.
Under the Health Breach Notification Rule, a breach occurs if a third party acquires an individual’s personal health records or individually identifiable health information without the authorization of that individual. The rule applies broadly to vendors of personal health records as well as to entities that either access or send information in a personal health record or engage with another entity which itself offers individuals’ personal health records. In the event of a breach, the discovering entity must notify each individual who is a citizen or resident of the Unites States whose unsecured identifiable health information was acquired by an unauthorized person. Notice also must be given to the Federal Trade Commission. The process of identifying the extent of the breach and providing the required notification is costly to employers.
Even in the absence of the ADA, HIPAA, GINA, or the Health Breach Notification Rule, an employer's common law duties to its employees also may impose an obligation to safeguard employee information. In Pennsylvania, an employer was sued in a class action lawsuit stemming from a large-scale data breach that exposed the information of approximately 62,000 current and former employees. In that case, which did not concern health information, the Pennsylvania Supreme Court held that employer had a duty to take reasonable security measures to protect its workers’ data. This ruling implies that employers could be subject to litigation from employees for failing to properly safeguard their employment information, including confidential health information, from improper disclosure.
A Breach can Occur in Numerous Ways
Cyber threats can come from anywhere. That was the case with SalusCare, a large mental health services provider based in Florida. SalusCare's database was accessed through a phishing scam causing malware to infected the entire system. This malware exposed 85,688 patient and employee records containing information on patients’ psychiatric and addiction counseling and treatment along with other confidential information, including patient and employees' Social Security and credit card numbers. To comply with the ADA and HIPAA, SalusCare had to provide notification of the breach to all
85,000+ patients and employees. To conduct any investigation and breach notification can cost an employer tens to hundreds of thousands of dollars. A breach of this size could bankrupt a company if it lacked sufficient cyber security insurance.
Employers also need to be aware that they can be subject to disclosure obligations for breaches of its vendors' databases. When a Virginia-based occupational health care provider's records were hacked via a ransomware attack, the hackers posted the medical records of UPS and Norfolk Southern employees maintained by the health care provider. Therefore, in addition to the vendor's HIPAA notification requirements, because these records included DOT-mandated medical exams, which are required for DOT compliance and are therefore job-related, the new Health Breach Notification Rule would require UPS and Norfolk Southern to provide notice of the breach to impacted employees. Thus, employers must be aware that their cybersecurity obligations extend beyond their own systems and to the systems of third parties with whom they contract.
As many employers know, confidential medical information must be segregated from other employee information in personnel files. Failure to keep such records separate can constitute a violation of the ADA or, in the case of genetic information, GINA. While this is easily done in the context of hard-copy personnel files, additional steps are needed for electronic records, not only to safeguard internal access to such records, but also to protect against cybersecurity attacks. From an electronic database standpoint, employee private health information needs to have its own separate, password protected electronic database. Employers also should be aware that breaches of employee private health information, whether by unauthorized employees or via cyberattack, will implicate the data breach notification rules of the Health Breach Notification Rule.
Steps to Prevent a Breach
There are clear, and sometimes simple, steps that employers can take to better safeguard their employees' confidential health information, including:
- Identifying and addressing third party vendors' vulnerabilities that enhance risk, especially as to the electronic transfer of employee health information or other sensitive data.
- Increasing investment in security software systems and ensuring that all employees are adequately trained in these systems' importance and use.
- Training employees to spot potential cybersecurity risks and the steps to take in response.
- Developing policies and procedures for employee access to the company's electronic systems.
- Requiring VPN or other secure connection, such as multifactor authentication, when accessing data systems remotely.
- Backing-up employees' private health information or other sensitive data and storing it off-network to minimize points of access.
- Increasing the involvement of corporate officers and boards of directors in security matters to ensure leadership is appropriately aware of the risks of data breaches and the potential impact these breaches can and will have.
- Establishing a security incident response team familiar with and trained to comply with applicable rules and laws regarding confidentiality of employee medical and health information.
- Conducting periodic data breach drills to test the effectiveness of your security incident response plans.
- Reviewing, and enhancing when necessary, all safeguards in place with respect to employees' confidential health information in order to reduce the risk of breaches and maintain compliance with applicable rules and laws.
- Developing and keeping up-to-date templates for notice of breach letters.
- Purchasing effective cyber liability insurance that provides sufficient coverage for company-specific needs and breach-exposure risk.
Spilman is here to assist you in assessing your cybersecurity issues, or to assist you in the event of a breach. Please contact a member of the Technology Law
practice group with any questions.