Federal Cyber Legislation – Hurry Up and Wait


In recent months, two more companies in the healthcare industry have been hacked. UCLA Health announced on July 17, 2015 that it was the victim of a “criminal cyber attack” and that “as many as 4.5 million individuals potentially may have been involved in the attack.” This comes on the heels of an attack in May 2015 against Medical Informatics Engineering, whose subsidiary NoMoreClipboard is an online medical information sharing service used by patients and physicians alike. Both episodes are the latest in a series of attacks against health insurers and healthcare providers, including Anthem Blue Cross Blue Shield and Premera Blue Cross Blue Shield. With the uptick in such announcements, data breaches of this scope and type are quickly becoming commonplace.

As has been noted in a variety of venues, there is currently no comprehensive federal law governing data breaches. The federal law that does exist is centered on privacy issues for specific industries, e.g., the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act (GLBA) for financial information. While most states and the District of Columbia have some legislation and/or regulation addressing data breaches, each law is state specific and, in many cases, inconsistent from state to state.

Congress is now considering H.R. 1770, the Data Breach Notification Act of 2015, in an effort to address the patchwork nature of the current statutory regime. If passed, the bill would pre-empt state laws on information security and data breach notification. Not surprisingly, it appears to enjoy a large measure of bipartisan support. However, a couple of sticking points have stalled the bill, at least for now.

The major sticking point is that one of the bill’s co-sponsors, Peter Welch, has asked that the bill also cover medical records. As currently drafted, the bill is limited to the theft of financial data that could be used to access bank accounts; no other data, including medical records, is covered. In addition, several industry groups oppose the measure (at least in its current form), including the Financial Services Roundtable and a group representing convenience stores. That said, Congressional staff are optimistic that these issues can be worked out.

Other Cyber Legislation Currently Before Congress

In addition to the data breach legislation discussed above, Congress is also considering other legislation:

  • In response to the data breach at the Office of Personnel Management (OPM), members of the Senate and House have introduced measures, S. 1746 and H.R. 3029, both entitled Reducing the Effects of the Cyberattack on OPM Victims Emergency Response (RECOVER). These bills would provide lifetime identity protection coverage, including not less than $5 million in identity theft insurance, to those whose information was compromised in the breach.
  • The Senate is considering the Cybersecurity Information Sharing Act (CISA). This bill would facilitate better information sharing between the public and private sectors to combat cyber threats. The legislation has stalled in Congress for some time over privacy concerns, but the massive breach at OPM and other major breaches were thought to have opened a window of opportunity for further consideration. It remains uncertain when the bill will be taken up. Earlier, it was thought that the Senate would not consider it until the fall; however, Senate leadership recently announced that the bill might be brought to the Senate floor before the August recess.