On May 23, 2016, the Federal Trade Commission (FTC) announced that it approved a final order with Henry Schein Practice Solutions, Inc. (HS) to resolve allegations that HS falsely advertised the level of encryption it provided to protect patient data. The consent order requires HS to pay $250,000 and prohibits it from "misleading customers about the extent to which its products use industry-standard encryption or the extent to which its products help ensure regulatory compliance or protect consumers' personal information."
Fast forward to 2022. On March 8, 2022, the U.S. Department of Justice (DOJ) announced its first settlement under its Civil Cyber-Fraud Initiative. In the interest of full disclosure, I represented the only whistleblower who raised allegations about Comprehensive Health Services LLC (CHS), which did "fail to disclose to the State Department that it had not consistently stored patients' medical records on a secure EMR system. When CHS staff scanned medical records for the EMR system, CHS staff saved and left scanned copies of some records on an internal network drive, which was accessible to non-clinical staff."
In October 2022, a major health system, Aurora Health, gave patients, the media, and the United States Department of Health and Human Services (HHS) notice that protected health information (PHI), including sensitive personally identifiable information, may have been exposed to Google, Meta, and other third parties without the patients' knowledge or consent. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has long had provisions prohibiting the marketing and sale of PHI.
Now, in 2023, the FTC has announced two consent orders related to the prohibited taking and use of PHI by known third parties, and the DOJ has announced another settlement under its Civil Cyber-Fraud Initiative.
The take-away is fundamental: the illicit taking and use of patient/consumer data without knowledge or consent can result in government action.
Analysis
The FTC's enforcement authority is derived from Section 5 of the Federal Trade Commission Act of 1914, as amended.
Two recent enforcement settlements, announced between February and early March 2023, underscore that authority, and each is notable for a distinct reason:
- GoodRx (February 1, 2023) – This was the first case in which an enforcement action was taken under the FTC's Health Breach Notification Rule. Here, GoodRx, a telehealth and prescription drug discount provider, did "fail to notify consumers and others of its unauthorized disclosures of consumers' personal health information to Facebook, Google, and other companies." Moreover, "In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect." GoodRx paid the government $7.8 million to settle the allegations.
- BetterHelp, Inc. (Mar. 2, 2023) – In another first-of-its-kind case, the FTC provided remuneration to customers who were harmed when, in the FTC's words, "online counseling service BetterHelp revealed consumers' sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private."
The DOJ and whistleblowers rely on the False Claims Act. As the DOJ's March 14, 2023 press release concerning Jelly Bean Communications Design and its manager (collectively "JellyBean") illustrates, cybersecurity failures and the absence of the requisite technical, administrative, and physical safeguards are two areas that may form the basis of a False Claims Act cause of action. As a disclaimer, the False Claims Act is a very complex and intricate area of law.
Some key take-aways from the JellyBean settlement include the following:
- From January 1, 2014 through December 14, 2020 – a period of over six years – JellyBean failed to provide secure hosting of protected health information (PHI) despite its representations in its agreements and invoices, and put patients, specifically children, and their PHI at risk.
- JellyBean created, hosted, and maintained a federally funded Florida children's health insurance website and failed to secure personal information. Over 500,000 applications were hacked and the settlement amount to resolve the allegations amounted to $293,771.
- "The agreement required that JellyBean provide a fully functional hosting environment that complied with the protections for personal information imposed by the Health Insurance Portability and Accountability Act of 1996" (DOJ Press Release).
- The government alleged that numerous outdated and vulnerable software applications were in use and that fundamental patches were not being applied.
Conclusion
Compliance officers and counsel alike should learn from these recent actions. One fundamental step that should be included as part of any HIPAA Risk Analysis is the evaluation of the ingress and egress of patient/consumer data: whether patient consent is required before the information may be taken and used, and whether the third party has the appropriate safeguards in place. Cultivating a culture of compliance that is genuine and can pass legal muster should also be considered. Cybersecurity risk management is not going away, and it would behoove everyone to re-evaluate their risk tolerance.
Rachel V. Rose, JD, MBA, is an Attorney at Law, in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer's Top 25. She can be reached at rvrose@rvrose.com. www.rvrose.com