March Madness! Protected health information cybersecurity frenzy

In 2016, I was fortunate to attend the final game of the NCAA Tournament – the “buzzer beater” between Villanova and UNC. The energy was frenetic – regardless of where one’s loyalties lay. Not having ties to either school, my friend and I were still captured by the energy that pulsed through the arena.

As we are in the midst of March Madness 2023, a similar state of wild behavior is pulsing through the cybersecurity landscape. On March 3, 2023, the Federal Trade Commission (FTC) announced its settlement agreement with BetterHelp, which was the subject of my previous Physicians Practice article. This was an unexpected settlement because for the first time, the FTC required remuneration to customers who were harmed.

On March 14, the United States Department of Justice (DOJ) announced another settlement under its Cybersecurity Fraud Initiative against Jelly Bean Communications Design and its Manager (collectively “JellyBean”) for cybersecurity failures. It was almost a year ago, on March 8, 2022, that the DOJ announced its first settlement under its Cybersecurity Fraud Initiative – one in which my co-counsel and I were fortunate to represent the whistleblower. Some key take-aways from the JellyBean settlement include the following:

• JellyBean created, hosted, and maintained a federally funded Florida children’s health insurance website and failed to secure personal information. Over 500,000 applications were hacked and the settlement amount to resolve the allegations amounted to $293,771.
• From January 1, 2014 through December 14, 2020 – a period of over six (6) years) – JellyBean failed to provide secure hosting of protected health information (PHI) despite its representations in its agreements and invoices and put patients, specifically children, and their PHI at risk.
• “The agreement required that Jelly Bean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996.” (DOJ Press Release).
• The government alleged that numerous outdated and vulnerable software applications were being utilized and fundamental patches were not being done.

Turning to another “bracket”, on March 15, 2023, the Senate Veterans’ Affairs Committee held a hearing, Examining the Future Path of VA’s Electronic Health Record Modernization Program, after the deaths of Veteran patients at VA facilities were linked to failures with the Oracle-Cerner Electronic Health Record System. Committee Chairman stated that a new contract should be negotiated “following the revelation that the EHR system has resulted in the deaths of four veterans.” Hence underscoring the notion that “cybersecurity is patient safety.”

Whether it’s a jump-shot, lay-up or alley-oop, the best position for covered entities and business associates alike to find themselves in is to play offensive by implementing a culture that strives to meet the requisite technical, administrative, and physical safeguards required by HIPAA, the HITECH Act, and other laws in relation to PHI and sensitive personally identifiable information.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.