Investigation Underway After Sharp Grossmont Hospital Shared Private Patient Videos With Third Party

On May 12, 2016, Sharp HealthCare issued a statement regarding its inadvertent dissemination of videos depicting fourteen female patients undergoing obstetric surgeries. Sharp provided the videos to a local attorney defending a physician who is accused of stealing sedative medication from Sharp Grossmont Hospital in San Diego, California.

The privacy breach may constitute a violation of California’s Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA), both of which prohibit the disclosure or use of medical information without patient authorization. The hospital argues that a clause in its Admission Agreement authorized the surveillance:

You consent to all hospital services rendered under the general and special instructions of your physician(s), and to the taking of photographs and videos of you for medical treatment, scientific, education, quality improvement, safety, identification or research purposes, at the discretion of the hospital and your caregivers and as permitted by law.

However, the patients are sure to assert that even if the surveillance was authorized, the provision cannot reasonably be interpreted as authorization for disclosing the so-called surveillance to a third party.

Sharp has notified the California Department of Public Health and the Department of Health and Human Services Office for Civil Rights, which will investigate the breach. If the California Department of Public Health determines that the breach constituted a violation of CMIA, the hospital could be fined up to $250,000. (Civ. Code, § 53.36.) HIPAA imposes similar – but more costly – fines for violations.

We will continue to monitor this story as it develops.

Addressing the Wendy’s Data Breach Proves Difficult Due to Size of Breach and Company’s Structure

As discussed earlier, Wendy’s announced that it was investigating a possible breach of its point of sale (“POS”) systems after the company was alerted to “unusual activity” involving customers’ credit or debit cards at some of its locations. An earlier Wendy’s press release stated “[b]ased on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

Security expert Brian Krebs has reported that “some breached Wendy’s locations were ‘still leaking’ customer card data at the end of March 2016 and into early April.” In response to questions about the duration of the breach at some stores, Wendy’s spokesman Bob Bertini said, “[a]s you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”

Some observers attribute the extent and duration of the breach to its small size. Specifically, Tod Beardsley, security research manager at cybersecurity specialist Rapid7, stated that the “fact that the breach affected only 5 percent of Wendy’s locations was likely a contributing factor to its success. A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize.” Unfortunately, the long detection time allows the individuals involved to continue making unauthorized purchases well after the breach took place.

At this time it seems investigators are still trying to wrap their arms around the problem so we may not know the extent and duration of this breach for some time.

Privacy Law and Social Media: Why Employers Should Create and Update Social Media Policies

When can an employer discipline an employee who uses social media to distribute content online that could be detrimental to the employer’s business interests? The answer, of course, is “it depends.”

The law struggles to keep pace with technology. Cyberspace has expanded the “workplace” beyond the physical confines of an office building and the traditional eight-hour workday (overtime concerns are the subject of a future blog post). At minimum, employers should create, update and distribute to employees their privacy rules and policies – typically in an employee handbook with a signed acknowledgment of receipt – that reduce the expectation of privacy in the workplace. Employees should be informed through company policies that desks, files, vehicles and even lockers provided by the employer may be subject to search. The privacy rules and policies should also extend to digital property (data) contained in and transmitted through employer-provided equipment and devices that can be used both onsite and offsite, such as laptops, smartphones and email accounts.

However, employers in California and other states must also balance the risk of disciplining employees for off-duty online conduct that may be detrimental to the employer’s interests against laws that prohibit employers from retaliating against employees who engage in lawful off-duty conduct. For example, under California Labor Code Section 96(k), commonly known as “the moonlighting law,” the Labor Commissioner may pursue claims against an employer “for loss of wages as the result of a demotion, suspension, or discharge from employment for lawful conduct occurring during nonworking hours away from the employer’s premises.”

So, how does an employer minimize the risks associated with addressing an employee’s off-duty and online conduct that may be undesirable or detrimental, but not illegal? The following steps may reduce the risks:

  • Create an employee handbook that specifically states the company’s privacy and social media policies.
  • Reference and incorporate general policies and guidelines for employee communications transmitted by email, text or voice through the internet or social media.
  • Prohibit employees from creating conflicts of interest, revealing trade secrets and other specified conduct that is detrimental to the company’s legitimate business interests.
  • Inform employees they will be held to the same standards and code of conduct whether they are off-duty or on-duty.

Insurance Carrier Must Defend Its Insured Who Inadvertently Published Private Medical Records on the Internet

The Fourth Circuit Court of Appeals affirmed a Virginia Federal District court’s decision that examined the language of a commercial general liability (CGL) policy and held that an insurance carrier was required to defend its insured medical records company in a class-action lawsuit when its insured inadvertently published private patient medical records on the Internet. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016).

Both the Virginia District Court and the Fourth Circuit rejected the insurance company’s argument that there cannot be a “publication” unless its insured intended to communicate information to others. In so doing, the courts reasoned that the insurance carrier had a duty to defend because its CGL policy did not provide clear enough language as to what conduct constituted a “publication.”

This decision shows that there may be coverage for data breaches outside of the policies written specifically for data breach scenarios, i.e., cyber liability insurance policies. At the same time, the Travelers opinion should be limited to inadvertent publications by an insured, rather than a hacker breaking into a network and then publishing information on the Internet.