“It’s A High Risk For Us:” Healthcare Companies Report Cybersecurity As A Top Litigation Concern

A programmer is typing a code on a keyboard to protect a cyber security from hacker attacks and save clients confidential data. Padlock Hologram icons over the typing hands.

Image by 123RF

By Andrea L. D’Ambra and Susana Medeiros at Norton Rose Fulbright US LLP

Advertisement

Cybersecurity and data protection issues remain a top litigation concern for healthcare organizations, according to the recently released 17th Annual Litigation Trends Survey by Norton Rose Fulbright, which surveys hundreds of in-house litigation leaders from global corporations.

Healthcare organizations report that they are a top target for cyber threat actors seeking to exploit companies with large volumes of sensitive personal data.  According to one vice president of risk, “we know as a health care organization that we’re in one of the industries that’s a high target industry for anybody trying to attempt to get patient information.  We view it as a very high-risk exposure.”

The Department of Health and Human Services, which regulates healthcare companies and other healthcare-related entities in the United States, has reported 139 breaches in just the first three months of this year, as compared to 92 breaches reported by this same time in 2021.  This is an almost 50% increase in reported breaches for the same period.  So it is unsurprising that two thirds of healthcare respondents report feeling more exposed to cybersecurity and data protection risks than they did in 2020.  

Because of the nature of the healthcare industry and the volume of personal health information healthcare companies hold on behalf of individuals, these organizations come under more regulatory scrutiny with respect to data protection and security issues.  For instance, under the Health Insurance Portability and Accountability Act (HIPAA), regulated entities are required to report cybersecurity incidents that qualify as a “breach” if they impact more than 500 patients. This includes not only healthcare organizations that are regulated under HIPAA as Covered Entities, but also vendors and third parties that assist such organizations and operate as Business Associates.  Similarly under the HITECH act, these entities are required to implement cybersecurity standards, that are monitored and enforced by HHS, to safeguard protected health information.  

Ensuring third party compliance with HIPAA and HITECH regulatory standards remains a critical part of healthcare compliance program, according to multiple healthcare respondents.  This may include requiring third parties to demonstrate compliance, and hiring third parties to test whether they can break into outside party systems.  Other companies have taken the approach to limit third party access to sensitive information where possible and aim to narrow the list of pre-approved third party vendors to reduce risk exposure.  

As a prominent target for cyber-attacks, it is unsurprising that class actions driven by cybersecurity litigation remain a top concern for healthcare companies as compared to other industries.  According to the deputy general counsel of a healthcare company, “class actions are becoming very popular and common in any type of security breach,” with many actions filed as a kneejerk reaction to a security breach, even where plaintiffs are unable to claim damages resulting from the breach or where data protection laws are unlikely to support a cause of action.  Numerous healthcare respondents cited cybersecurity class actions as one of the biggest concerns on the horizon because they are high-profile, costly, and often difficult to defend.  

Across all industries, the number of respondents who cited class actions as among their most common dispute types has doubled since 2020, with cybersecurity-related class actions trending upwards.  Survey respondents reported that the increased number of cyber-related class actions is in part because plaintiffs’ lawyers in the United States are increasingly tracking data security breaches and the resulting consumer notifications often spawn class action suits for both larger and smaller incidents.  

Healthcare companies report several factors have increased their exposure to cybersecurity disputes.  These factors include the storage of large volumes of sensitive personal information, Covid-19 and its impact on IT security, challenges with vetting third party data security practices, the growing sophistication of cyber-attackers, the increased volume of cyber-attacks against companies based in the United States, and the changing legal/regulatory landscape in the US and worldwide.  

These organizations also report higher levels of financial exposure in the cyber liability space due to what one general counsel described as the “hardened” cyber insurance market, as demonstrated by increased premiums, higher deductibles or rates of insurance retention (which, similar to a deductible, requires the insured to cover the cost of a claim up to a certain limit), limited coverage options, and a more difficult insurance renewal process.  Other healthcare companies report they have also sought increased insurance coverage in the past year to address their increased cyber risks. 

Concerns about reputational damage arising from a cybersecurity incident was another widespread concern expressed by healthcare companies that could impact their professional reputation in the eyes of patients, insureds, regulators, and other third parties.  

Respondents reported that they employed a number of strategies to reduce their cyber risk, including additional investment in IT and information security to better safeguard data, increasing employee awareness of phishing attacks, conducting table top exercises to test the company’s cyber preparedness, and third party due diligence.  According to the head of litigation of a US healthcare company, citing the steps their company is taking to reduce their risk around cybersecurity-related litigation, “obviously, the best way to reduce litigation is to not have [cyber] incidents to begin with.”  All these strategies, however, require significant additional investment both in terms of time and capital expenditures, which are ill-timed in view of the challenges healthcare companies are facing during the COVID pandemic.

Healthcare Business Today is a leading online publication that covers the business of healthcare. Our stories are written from those who are entrenched in this field and helping to shape the future of this industry. Healthcare Business Today offers readers access to fresh developments in health, medicine, science, and technology as well as the latest in patient news, with an emphasis on how these developments affect our lives.