Data Breaches in Employee Benefits

Presentation on theme: "Data Breaches in Employee Benefits"— Presentation transcript:

1 Data Breaches in Employee Benefits
Cynthia Boyle Lande, BrownWinick, 666 Grand Avenue, Suite 2000, Des Moines, IA
Telephone: Facsimile:

2 Common Problems
Lost or stolen laptops or flash drives
Lost or stolen cell phones with work
Hacker
Disgruntled employee
Mistyped fax number or autocorrect
Spreadsheets with hidden columns containing personal information
Documents left in copier
Records discarded without shredding

3 Types of Confidential Information Commonly Affected
Social security number
State ID/driver's license number
Health insurance and claims information
Medical records
Financial information

4 Legal Regulation
State Security Breach Laws
HIPAA
Common Law

5 State Security Breach Laws
Currently found in most states, but no comprehensive federal law
Require businesses to inform individuals of security breaches involving personal data

6 Iowa Security Breach Law
Iowa Code Chapter 715C
“Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business and that was subject to a breach of security shall give notice of the breach of security following discovery.”

7 Iowa Security Breach Law (Continued)
Consumer: any person who resides in the state of Iowa
Breach of security: unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information

8 Iowa Security Breach Law (Continued)
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not altered in such a manner that they are unreadable:

9 Iowa Security Breach Law (Continued)
Social security number.
Driver's license number or other unique identification number created or collected by a government body.
Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

10 Iowa Security Breach Law (Continued)
Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
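As an added illustration that is not part of the presentation, the following Python check applies the 715C definition quoted on the slides above to rows recovered from lost media: a name plus a readable qualifying element is personal information, account and card data only qualify together with a readable code or password, and elements rendered unreadable (encrypted or redacted) are ignored. The element names and the sample rows are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Data elements from the Iowa Code chapter 715C definition quoted on the slides.
# The field names used here (ssn, credit_card, ...) are this example's own assumptions.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "government_id"}
ACCOUNT_ELEMENTS = {"financial_account", "credit_card", "debit_card", "routing_code"}
ACCESS_ELEMENTS = {"security_code", "access_code", "password"}


@dataclass
class ExposedRecord:
    """One individual's data as found on the lost or stolen media (constructed shape)."""
    first_name_or_initial: str
    last_name: str
    state: str                 # state of residence; "IA" means an Iowa consumer
    fields: dict               # data element name -> value that was on the device
    unreadable: set = field(default_factory=set)  # elements that were encrypted/redacted


def readable_elements(rec: ExposedRecord) -> set:
    """Elements exposed in readable form; unreadable elements do not count under 715C."""
    return {name for name in rec.fields if name not in rec.unreadable}


def is_personal_information(rec: ExposedRecord) -> bool:
    """Name plus at least one qualifying readable data element."""
    if not (rec.first_name_or_initial and rec.last_name):
        return False
    exposed = readable_elements(rec)
    if exposed & STANDALONE_ELEMENTS:
        return True
    # Account, card and routing data qualify only together with a readable
    # security code, access code or password that would permit account access.
    return bool(exposed & ACCOUNT_ELEMENTS) and bool(exposed & ACCESS_ELEMENTS)


def iowa_notification_scope(records) -> list:
    """Records that trigger notice under the Iowa law: Iowa residents whose personal information was exposed."""
    return [r for r in records if r.state == "IA" and is_personal_information(r)]


# Constructed sample: five rows from a lost spreadsheet (not real people or numbers).
SAMPLE = [
    ExposedRecord("J", "Doe", "IA", {"ssn": "000-00-0000"}),
    ExposedRecord("Ann", "Lee", "IA", {"ssn": "000-00-0001"}, unreadable={"ssn"}),
    ExposedRecord("Bo", "Kim", "IA", {"credit_card": "4111-0000-0000-0000"}),
    ExposedRecord("Cy", "Ray", "IA", {"routing_code": "000000", "password": "x"}),
    ExposedRecord("Di", "Fox", "NE", {"ssn": "000-00-0002"}),
]
```

Only the first and fourth rows fall within the Iowa notice scope: the encrypted SSN and the card number without a code do not qualify, and the Nebraska resident is outside the Iowa definition of consumer even though the data itself is personal information.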

11 Iowa Security Breach Laws (Continued)
Penalties: Calculated based on harm to consumer(s) and benefit to violators

12 HIPAA
General duty to protect the privacy of individual health information

13 Who is subject to HIPAA?
Covered Entity:
  Health Plans
  Health Care Clearinghouses
  Health Care Providers
Business Associate

14 Protected Health Information
Individually identifiable health information that is one of the following:
Transmitted by electronic media;
Maintained in electronic media; or
Transmitted or maintained in any other form or medium.

15 HIPAA Data Breach
The acquisition, access, use, or disclosure of protected health information in a non-permitted manner which compromises the security or privacy of the protected health information.

16 Exceptions
Unintentional, good-faith acquisition, access, or use by a workforce member or authorized person.
Inadvertent disclosure by an authorized person to another authorized person.
Disclosure to an unauthorized person where it is reasonable to believe the PHI cannot be retained.

17 HIPAA Data Breaches
Any non-permitted use or disclosure of PHI is presumed to be a “breach” unless the Covered Entity or Business Associate demonstrates “a low probability that the protected health information has been compromised” based on 4 factors.

18 HIPAA Data Breaches (Continued)
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
The unauthorized person who used the PHI or to whom the disclosure was made.

19 HIPAA Data Breaches (Continued)
Whether the PHI was actually acquired or viewed.
The extent to which the risk to the PHI has been mitigated.

20 Responding to a HIPAA Breach
Fewer than 500 individuals affected by breach of “unsecured” PHI:
Notify individuals in writing without unreasonable delay and no later than 60 days after discovery
Maintain log of breaches
Notify Secretary of HHS within 60 days of end of calendar year

21 Responding to a HIPAA Breach (Continued)
More than 500 individuals affected by breach of “unsecured” PHI:
Notify Secretary of HHS within 60 days from discovery of breach
Notify prominent local media outlets within 60 days from discovery of breach

22 HIPAA Civil Penalties
Covered entity or business associate did not know and by exercising reasonable diligence would not have known of the violation:
$100 to $50,000 per violation
Not to exceed $1,500,000 for identical violations during a year
Violation due to reasonable cause and not willful neglect:
$1,000 to $50,000 per violation
Not to exceed $1,500,000 for identical violations during a year

23 HIPAA Civil Penalties (Continued)
Violation due to willful neglect but corrected within required time period:
$10,000 to $50,000 per violation
Not to exceed $1,500,000 for identical violations during a year
Violation due to willful neglect and not corrected:
$50,000 per violation

24 HIPAA Criminal Penalties
Knowingly obtain or disclose PHI: up to 1 year in prison
Offenses committed under false pretenses: up to 5 years in prison
Offenses committed for personal gain or malicious harm: up to 10 years in prison

25 Common Law Causes of Action
Negligence
  Duty of Care
  Breach of Duty
  Causation
  Damages
Contract

26 Target Example
Facts: In November of 2013, hackers installed malware on Target’s system. The objective was to obtain credit card and personal information of Target customers as they shopped for the holiday season. Target stored this information on its system after purchasers completed purchases. Target had malware detection and other data security measures in place, but they did not trigger steps to stop the malware from collecting customer data until approximately the middle of December. The Target data breach was made publicly known by the news media, rather than Target.

27 Blue Cross and Blue Shield of Tennessee Example
Facts: In March of 2012, 57 computer hard drives containing PHI of over 1 million individuals were stolen from a BCBST facility. The information on the hard drives included names, social security numbers, diagnosis codes, dates of birth, and health plan ID numbers. BCBST self-reported this breach to HHS.

28 Affinity Health Plan Example
Facts: Affinity returned a leased copy machine before deleting PHI affecting 344,579 individuals from the hard drive. CBS Evening News subsequently purchased the photocopier and discovered the breach. After discovering the breach, Affinity filed a breach report with OCR.

29 Kaiser Foundation Health Plan Example
Facts: In 2011, an external hard drive from the Kaiser Foundation Health Plan was sold to a member of the public at a thrift store. The hard drive contained addresses, dates of birth, and social security numbers for over 20,000 employees. The Kaiser Foundation Health Plan obtained the hard drive in December of 2011, completed an investigation, and notified affected individuals in March of 2012.

30 Best Practices
Develop, implement, and regularly update data protection policies and procedures
Obtain and store limited amounts of information
Segregate the most highly confidential information and limit the number of users who have access

31 Best Practices (Continued)
Provide appropriate training to employees who will have access to confidential information
Police implementation of these policies and procedures

32 Responding to Data Breaches
Identify breadth and cause of data breach
Promptly provide notices as required by law
Assist affected individuals in remedying breach to extent possible
Review processes and procedures that allowed breach to occur, and determine whether it is practicable to improve those processes and procedures going forward

33 Questions?

34 Website: www.brownwinick.com
Toll Free Phone Number: 1-888-282-3515
OFFICE LOCATIONS:
666 Grand Avenue, Suite 2000, Des Moines, Iowa. Telephone: (515) Facsimile: (515)
616 Franklin Place, Pella, Iowa 50219. Telephone: (641) Facsimile: (641)
DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.
