Conveniently announced in an end-of-day (Friday) news dump last week was news of a large data breach that could affect a large number of Tennessee residents. Magellan Health, Inc., the pharmaceutical management vendor used by the state’s Medicaid program, admitted to the possible exposure of data on nearly 44,000 TennCare members. As first reported by the Tennessean, the unauthorized access of a Magellan employee’s email account left sensitive information such as names, Social Security numbers, member IDs and prescriptions, health plans, and provider names exposed for “43,847 people”. The announcement served as just another troubling reminder of the insufficient security standards used by those in the healthcare industry, a point further belabored by recent findings from the nonprofit ProPublica, which uncovered more than 5 million patient records floating around the Internet.
The Magellan breach represents an opportunity to examine the legal considerations for healthcare organizations that face the prospect of, and actually experience, a data breach. Disclaimer: The details surrounding the breach are sparse. As such, this article should not be construed as any sort of legal determination that the parties in question did, in fact, act insufficiently.
The Breach + The Contract + The Law
According to a press release by Magellan, the intrusion into the employee’s email account occurred on May 28, 2019, after a successful phishing scam. Magellan discovered the incident many weeks later, on July 5. Because the company remained unsure until September 10 whether any TennCare data may have been accessed, Magellan’s notification to TennCare did not take place until the following day (September 11). Fifty-eight days later, Magellan made the breach public. In the release, Magellan is quick to point out that a third-party forensic expert retained by the company found no evidence that the hackers “actually accessed, viewed or attempted to use the information in the employee’s email account”.
A search of TennCare’s open database of contracts revealed a 199-page contract with Magellan Medicaid Administration, Inc. that provides some insight into the vendor’s data breach responsibilities in accordance with federal healthcare laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In Section E.8.e of the contract, Magellan agrees to report to TennCare’s Privacy Office any use or disclosure of PHI [Protected Health Information] as soon as the company “becom[es] aware” of any issue. A subsequent section of the contract reiterates this with respect to a confirmed or suspected breach:
In a table (Attachment C, beginning on page 64) describing the work expected of Magellan and the damages associated with non-performance of the contract, TennCare reserves the right to recoup damages should Magellan fail to protect and secure PHI through “commercially reasonable methodology” like encryption or destruction protocols. The failure to do so allows TennCare to impose on the vendor both damages in the amount of $500 per enrollee AND liability for credit monitoring and/or identity theft costs. Moreover, if TennCare determines that Magellan failed to timely report a breach, it can further assess damages against the company of “$500 per enrollee . . . [but] not to exceed $10,000.”
Per HIPAA’s Breach Notification Rule (45 C.F.R. §§ 164.400 to 164.414), the law requires a covered entity like TennCare and a business associate like Magellan to provide notice following a breach of unsecured PHI to the appropriate parties within a fairly condensed period of time.
Applying the Breach Notification Rule to the present circumstances, HIPAA mandated that Magellan, upon discovery of a breach of TennCare’s unsecured health information, notify TennCare “without unreasonable delay and . . . no later than 60 days after discovery.” The law defines “discovery of a breach” to mean the point at which the party knew, or should have known through the exercise of reasonable due diligence, about the breach. From the known timeline, Magellan alerted TennCare 68 days after its discovery of the incident. However, Magellan could and likely would argue that a notification in excess of the sixty-day requirement did not violate the law. Why? Because Magellan reportedly remained unaware that TennCare information was part of the breach until September, and promptly notified TennCare the following day, Magellan could assert that the discovery of the breach and its pertinence to TennCare did not actually take place in July. Instead, the argument would be that the notification clock did not start ticking until Magellan became aware of the possible exposure of TennCare member data in September.
Similarly, the party responsible for the exposure of PHI must also provide notice to affected individuals within sixty days of discovering the breach. Contemporaneous with this notification to those affected is notice to prominent media outlets AND the U.S. Department of Health and Human Services Office for Civil Rights (OCR) if the breach affects more than 500 residents of a particular state or jurisdiction. According to Magellan’s own representations that it first became aware of the possible exposure of TennCare members on September 10, Magellan’s public press release 58 days later just fits inside the sixty-day window. Furthermore, Magellan presumably notified OCR as well within this legal timeframe. As of this writing, Magellan’s breach does not yet show up on OCR’s public breach portal, a page commonly known throughout the information security industry as the “Wall of Shame”.
For an incident like Magellan’s that could purportedly affect a significant number of people, OCR may decide to investigate. OCR investigations are publicly listed on the Wall of Shame, with the most recent one at the publication of this post concerning a breach suffered by Utah Valley Eye Center that was submitted on November 1, 2019. In addition to the possibility that Magellan faces a regulatory investigation from OCR, the incident could also prompt a potential investigation from the Tennessee Attorney General. Just last year, the Tennessee AG took part in a multi-state enforcement action against a third-party medical records provider that suffered a breach. Should the Tennessee AG decide the incident is worth looking into, Magellan may well receive an investigative subpoena known as a Civil Investigative Demand (CID). A CID allows regulators to gather more information and assess whether an incident warrants legal action.
The incident could also prompt serious repercussions from TennCare over its relationship with the vendor. Recalling some of the contractual remedies surrounding a failure by Magellan to protect TennCare data, TennCare could theoretically exercise its right to terminate the agreement altogether or try to censure Magellan by way of monetary damages. At the very least, Magellan’s announcement of its plans to offer free credit monitoring services to those affected likely speaks to TennCare exercising its right to impose these costs pursuant to the vendor’s non-performance.
As for the individuals who receive a notification from Magellan about the possibility of their data being exposed, the available legal remedies are slim to none. This is because HIPAA does not provide the victims of a breach the right to sue. However, this does not completely preclude Magellan from getting sued by individuals on other legal grounds.
While the Magellan incident should not come as a surprise, the devil is in the details. The timeline of the event provides an interesting window into the sort of legal and technical challenges healthcare organizations and their vendors face when dealing with information security. Healthcare breaches are on the rise, prompting Congress to zealously push for greater regulatory oversight over the protection of private health information. Companies would be wise to take note of this, for the failure to do so could prove costly.