OCR and FTC Issue Seven-Figure Fines for Cyber Law Faux Pas
The Department of Health and Hospitals Office of Civil Rights (“OCR”) and the Federal Trade Commission issued fresh sets of fines for poor cybersecurity and violations of the Children’s Online Privacy Protection Act (“COPPA”), respectively. Included within the resolution agreements reached between the federal agencies and the offending entities are not just the fines, but also those acts and omissions that triggered the penalties. CISOs and their attorneys must review these resolution agreements to issue spot for their employers and clients.
1. Premera Blue Cross - $6.85 Million: Following a 2015 breach investigation, OCR settled with Premera Blue Cross for $6.85 million last month and issued a corrective action plan. OCR conducted an audit of Premera’s cybersecurity protocols and found multiple HIPAA violations, likely serving as the catalyst for what is currently the second-largest fine ever issued by OCR (Anthem currently holds the title for the largest OCR fine at $16 million from 2015). More than 10 million patients were affected by the breach over a 1-year period from March 2014 to January 2015. In 2019, Premera paid $10 million to its data breach victims in a 30-state class action lawsuit.
In an all-too-familiar story, cyber criminals used phishing emails to install malware in Premera’s network and stole patient social security numbers, bank account numbers, and other pedigree identifiers. The corrective plan, found here, lists the following required “Corrective Actions” for Premera that DHHS will monitor for the next two years: risk analyses, risk management plans, and Privacy and Security Policies and Procedures. Of note was Premera’s failure to implement HIPAA-required hardware, software, or procedural mechanisms to record and assess information system activity.
2. Athens Orthopedic Clinic - $1.5 Million: After a 2016 data breach involving 208,000 patients, OCR investigated the Athens Orthopedic Clinic (“AOC”) after the “thedarkoverlord” cybercrime group encrypted AOC’s network with ransomware. AOC refused to pay the ransom and the attackers posted patient information on the dark web. While AOC faces patient lawsuits for alleged cyber negligence and the hefty OCR fine, it is also now working on its OCR corrective action plan to remediate the HIPAA violations that OCR uncovered during its investigation.
The corrective action plan, found here, highlights AOC’s failures to conduct “a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.” The plan requires AOC to conduct an enterprise-wide security risk analysis of system vulnerabilities of all electronic equipment, data systems, programs, and applications controlled, administered, owned, or shared by Athens Orthopedic and its affiliates (involving more than 10 locations and 22 physicians).
3. HyperBeard, Inc. - $4 Million: Mobile application HyperBeard came under FTC scrutiny for COPPA violations after allowing third-party ad networks to collect personal information of the application's users without parental consent. COPPA mandates that any website operator gathering information on children aged 13 and younger must provide notice of its privacy policies to parents and obtain verifiable parental consent to the same. The FTC’s original $4 million fine is currently suspended for financial hardship after the company paid a mere $150,000.00.
COPPA carries a maximum civil penalty of $41,484 per violation – with each child susceptible to more than one violation for the illegal use, collection, or dissemination of his/her personal information. In addition to the fine, HyperBeard (if it survives) must report on its COPPA compliance efforts to the FTC for the next 10 years, essentially making the company unsellable from a commercial perspective.
In response to criticism that the fines against HyperBeard were too severe, FTC Chairman Joseph Simons released a June 4, 2020 statement explaining the FTC’s arrival at the $4 million penalty:
“In HyperBeard, as in YouTube, we attempted to account for this by estimating the revenue from behavioral advertising that was illegal under COPPA, as compared to the revenue that would have been earned from contextual advertising, which is otherwise legal. In my opinion, an appropriate starting point for the civil penalty was HyperBeard’s gain from behavioral advertising over the relevant time period adjusted upwards by a factor to account for the likelihood of detection.”
Learn from the mistakes of others. Consult an attorney to look over your business’s cybersecurity plan and practices, comparing them to legal and industry standards. The cost of such legal work is certainly under seven figures.