Latest HIPAA News

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

Posted by HIPAA Journal

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers.

CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR).

The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold.

The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law which they consider unworkable and several technical issues that are likely to have negative and unintended consequences.

The CCPA is not due to take effect until January 1, 2020, which gives Californian lawmakers plenty of time to make amendments. There are likely to be several amendments made before the law comes into effect, the first of which have just been passed.

On August 31, 2018, the legislature passed SB 1121 which includes several technical edits to the CCPA and a notable change to the implementation of the CCPA. The compliance date has remained the same, although SB 1121 clarifies that the CCPA will go into effect as soon as it is signed into law. This is seen as an effort to ensure that California localities will not be able to pass conflicting laws before January 1, 2020.

Entities covered by the CCPA will be given additional time to ensure compliance, as SB 1121 changed the date by which the California Attorney General must publish its implementation regulations. The final date for publication of the implementation regulations is now July 1, 2020. Further, the Attorney General will not be permitted to bring CCPA enforcement actions against any company found not to be in compliance with CCPA until six months after the publication of the implementation guidelines.

In contrast to HIPAA, the CCPA includes a private right of action which allows California residents to take legal action against companies that have experienced data breaches as a result of a failure to implement appropriate security measures. In its previous form, any consumer that chose to take legal action for the exposure of their personal data was required to notify the attorney general within 30 days of filing a legal action. That notification requirement has now been dropped.

SB 1121 has also clarified exemptions for data already covered by other legislative acts, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GBLA), and the Driver’s Privacy Protection Act (DPPA).

All data handled pursuant to HIPAA, GBLA and the DPPA are exempt from the CCPA. Further, SB 1121 has confirmed that the CCPA will not apply to HIPAA-covered entities and neither to information collected by a HIPAA-covered entity or business associate that is part of a clinical trial.

SB 1121 has been passed, although the state governor has until September 30, 2018 to sign the amendment.

The post California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt appeared first on HIPAA Journal.

Texas Nurse Fired for Social Media HIPAA Violation

Posted by HIPAA Journal

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website.

The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination.

Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease.

She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear.”

Due to a high rate of vaccination (94.5%) in Houston, a measles case is very rare. Over the past ten years there have fewer than 10 confirmed cases in the city. While the nurse did not post the child’s name on Facebook, her job was listed on her profile, along with the hospital where she worked, and information about the boy and his condition. Due to the information contained in the posts and the rarity of the disease, it is possible that the child could have been identified.

Texas Children’s Hospital suspended the nurse when officials found out about her social media posts and an investigation was launched. After receiving the suspension, the nurse appeared to realize that she had shared too much information and deleted several of her posts. Four days after the nurse was suspended the decision was taken to fire her for the HIPAA violation. An official from Texas Children’s Hospital confirmed the nurse lost her job as a result of violating hospital policies and federal laws by posting protected health information on a social media website, and not for her anti-vaxxing views.

The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information. Most healthcare professionals will be well aware that the posting of any protected health information on a social media website constitutes a HIPAA violation.

However, as this incident shows, the patient does not need to be mentioned by name in order for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule.

A good rule of thumb is to keep work and private lives separate, and never to post any information about patients on a social media platform, even if you do not think that a patient could be identified from the post.

At HIMSS 2017, the former deputy director of health information privacy at the HHS’ Office for Civil Rights (OCR) explained that OCR plans to issue guidance on HIPAA and social media and what is and is not acceptable.

The post Texas Nurse Fired for Social Media HIPAA Violation appeared first on HIPAA Journal.

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

Posted by HIPAA Journal

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state.

The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina.

The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs.

During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule.

In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act.

During the period of the Public Health Emergency, sanctions and penalties against healthcare providers are waived for the following provisions of the HIPAA Privacy Rule.

  • 45 CFR 164.510(b) – The requirement to obtain authorization from a patient to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – The requirement to honor requests to opt out of the facility directory
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications

Sanctions and penalties for healthcare organizations have not been waived for all other requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

The waiver only exists in the areas covered by the public health emergency declaration for the period identified in the declaration, and only when hospitals have initiated their disaster protocol. The waiver only lasts for 72 hours following the declaration of the emergency.

When the Presidential or Secretarial declaration terminates, the waiver no longer applies, even to those patients still in the care of a hospital and even if the 72-hour time period has not elapsed.

The HHS’ Office for Civil Rights has responded to the declaration by issuing guidance on appropriate sharing of health information in emergency situations, confirming how the HIPAA Privacy Rule applies to healthcare providers in the disaster emergency zone.

OCR has also made a HIPAA Emergency Preparedness Decision Tool available to help healthcare providers determine how the HIPAA Privacy Rule applies.

The post Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information appeared first on HIPAA Journal.

NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees

Posted by HIPAA Journal

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework – A framework of computer security guidance to help private sector companies assess their security policies and improve their ability to prevent, detect, and respond to cyberattacks.

The Framework has been a huge success. Figures from Gartner suggest it has already been adopted by 30% of companies, and adoption of the Framework is mandatory for all federal agencies.

Now NIST plans to start working on a new Framework to help companies protect the privacy of employees and customers in what has become an increasingly connected and complex environment.

The NIST Privacy Framework will be a voluntary enterprise-level tool that will detail privacy outcomes and approaches to help organizations develop strategies for implementing flexible privacy protection solutions. The aim is to ensure that individuals can benefit from the use of innovative technologies such as IoT an AI, with the confidence that their privacy will be protected. Adopting the Privacy Framework will help organizations manage privacy risks more effectively.

“We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter Copan.

Adopting the Cybersecurity Framework and ensuring good cybersecurity practices are followed helps companies reduce the risk of privacy breaches, but as NIST explained, “Privacy risks also can arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services.”

NIST will take a collaborative approach when developing the new Framework as it did when it developed its Cybersecurity Framework. NIST plans to work with industry, academic institutions, civil society groups, standard-setting organizations, federal agencies, state, local, territorial, tribal, and foreign governments, and private companies through workshops and requests for public comment.

“We want to gather the best ideas from many stakeholders so that the privacy framework tool we develop is useful and effective for a wide range of organizations,” said NIST Senior Privacy Policy Advisor, Naomi Lefkovitz, who will lead the new project.

NIST plans to start gathering feedback on the new Framework at a public workshop being held in Austin, TX on October 16, in conjunction with the annual meeting of the International Association of Privacy Professionals.

Another Department of Commerce agency, the National Telecommunications and Information Administration (NTIA), is also working on a new privacy initiative. NTIA is currently developing a domestic legal and policy approach for consumer privacy in coordination with the International Trade Administration.

The post NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees appeared first on HIPAA Journal.

Final Participation Request: Emergency Preparedness Survey

Posted by HIPAA Journal

Do you want to help determine the state of emergency preparedness in healthcare?

Over 100 HIPAA Journal readers have already participated in this survey and this is the last chance to contribute by completing this short anonymous survey on emergency preparedness and security communications trends.

This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next.

After you complete the survey, you will have the chance to enter into a raffle for a $150 gift card from the survey sponsor (RaveMobileSafety).

If you provide your email address, you’ll receive the published (anonymous) results before they are released.

HIPAA Journal will eventually publish the results.

Note: HIPAA Journal is not conducting this survey and HIPAA Journal does not receive any payment for promoting this survey.  If your organization is running a survey that is interesting to healthcare professionals, you can contact us with the details.

The post Final Participation Request: Emergency Preparedness Survey appeared first on HIPAA Journal.

Medical Records from New Mexico Hospital Found Scattered in Street

Posted by HIPAA Journal

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility.

The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse.

The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street.

KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public.

The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing information, and Social Security numbers.

The New Mexico Department of Health was notified about the incident and sent a cleanup crew to collect the remaining paperwork on Friday August 31, at least 12 hours after the records had fallen off the truck. It is currently unclear whether all the records have been recovered.

An investigation has been launched to determine why the medical records were not secured in transit and how they were able to fall from the delivery truck. At this stage it is unclear exactly how many patients have had their health information exposed.

When those individuals are identified, the New Mexico Department of Health will send out notification letters in the mail. A report will also be submitted to the Department of Health and Human Services’ Office for Civil Rights and state authorities.

The post Medical Records from New Mexico Hospital Found Scattered in Street appeared first on HIPAA Journal.

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

Posted by HIPAA Journal

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)

The post Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.