The U.S. Department of Health and Human Services (HHS) released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status.

HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most health care providers, and their business associates (those who obtain protected health information in performing services for a covered entity).  The Privacy Rule does not apply to other individuals and entities.   Employers, schools, stores, restaurants, and many others may request that an individual disclose whether he or she has been vaccinated without violating the Privacy Rule.  Thus, schools may request students to disclose their vaccination status.  Businesses may request that information from their patrons.  Employers may request that information from their employees.  None of these requests violate HIPAA’s Privacy Rule.    However, these entities must comply with other applicable state and federal laws that impose restrictions on the design and implementation of COVID-19 vaccination requirements and requirements that apply to the maintenance and storage of information related to individuals’ vaccination status.

If an organization is considered a covered entity, such as a health care provider or business associate, the organization will generally be treated like other organizations when acting as an employer.  For example, a hospital may request information about the vaccination status of an employee.  When the organization acts as a covered entity or business associate, it may still collect vaccination information.  For example, doctors may collect that information from their patients (and the patients may provide it).  But the organization will be subject to HIPAA in its handling of the information.  As a result, a covered entity may disclose an individual’s vaccination status only if it is expressly permitted or required by the Privacy Rule or if the disclosure is authorized by the individual.

The guidance describes certain situations when disclosure is permitted without authorization.  For example, a health care provider may disclose an individual’s vaccination status to a health plan for payment or to a public health authority or vaccine manufacturer to report appropriately on the quality, safety or effectiveness of the COVID-19 vaccine.  In certain situations, as when an employer engages a health care provider to assist in medical surveillance of its workplace pursuant to OSHA requirements, a health care provider may disclose an individual’s vaccination status to the employer, although even then the individual must be notified of the disclosure.

If the disclosure is not expressly permitted by the Privacy Rule, a health care provider may not disclose an individual’s vaccination status without his or her written authorization.  For example, a health care provider could not generally disclose an individual’s vaccination status to entertainment and sporting venues, airlines, cruise ships, resorts or hotels, although they may ask individuals – and individuals may provide – this information.

On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources. Continue Reading FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices

OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware

First Post in a Two-Part Series on Recent OFAC Designations

On September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.”  Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation.  The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment then may find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus.  The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.

OFAC has been busy.  Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation:  OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force.  This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.

The Blacklisting of SUEX

According to OFAC, over 40% of SUEX’s known transaction history is associated with illicit actors.  As a result, SUEX is prohibited from transacting with U.S. persons or transacting within the United States, and financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.  OFAC issued the designation pursuant to Executive Order (E.O.) 13694, entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” and which was initially signed by President Barrack Obama in 2015. We previously have blogged about the ability of OFAC in other contexts to block assets and prohibit financial transactions with designated individuals and entities herehere, and here.

SUEX operates in Russian and is registered in the Czech Republic.  The designation specifically blacklisted 25 blockchain addresses used by or associated with SUEX.  Arguably, the designation reflects a tactic by the U.S. government to turn to sanctions, a tool that the government may employ relatively easily and swiftly, in order to punish illicit foreign actors that may be very difficult to prosecute in U.S. courts, at least without a considerable expenditure of effort, time and resources.

According to the press release issued by the U.S. Treasury Department, OFAC’s designation of SUEX is occurring against the backdrop of an increase in the scale, sophistication, and frequency of ransomware attacks.  Ransomware (on which we previously have blogged herehere and here) is a form of malicious software designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.  The Treasury Department noted that “[t]he U.S. government estimates that these payments represent just a fraction of the economic harm caused by cyberattacks, but they underscore the objectives of those who seek to weaponized technology for personal gain[.] . . . [T]he disruption to critical sectors, including financial services, healthcare, and energy, as well as the exposure of confidential information, can cause severe damage.” According to the FBI, ransomware payments reached over $400 million in 2020, which is more than four times the amount of ransomware payments made in 2019.  Ransomware schemes unfortunately appear to have proliferated even more in 2021, including the notorious cyberattack on Colonial Pipeline, which resulted in significant gasoline supply shortages in the U.S.

The press release further observed that virtual currencies, while frequently used for lawful activity, also can be used for sanctions evasion, ransomware schemes, and other cybercrimes through the use of peer-to-peer exchangers, mixers, and exchanges.  In some cases, malicious actors exploit virtual currency exchanges, but other times, the virtual currency exchange allegedly facilitates illicit activities for its own illicit gains – which is what OFAC has alleged in regards to SUEX.

The Treasury Department emphasized that many agencies across the globe, including the U.S. Financial Crimes Enforcement Network, the Group of Seven and the Financial Action Task Force, are attempting to address ransomware and ransomware-related money laundering, and their nexus with the illicit finance risks posed by virtual assets.  The Treasury Department encouraged readers to visit, touted as a “one-stop resource for individuals and organizations of all sizes to reduce their risk of ransomware attacks and improve their cybersecurity resilience.”  OFAC’s Frequently Asked Questions on Virtual Currency can be found here.

OFAC Advisory on Ransomware

The SUEX designation was accompanied by OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Advisory”), which “describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant U.S. government agencies, including OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.”  Of course, many ransomware schemes indeed have a sanctions nexus, which puts the victim in a potentially untenable spot, particularly because a de facto sanctions nexus may not be entirely clear to the victim.  Regardless of the fact that trying to obtain an OFAC license to make an otherwise prohibited payment would take much more time than is even remotely practical when dealing with the exigencies imposed by a ransomware attack, OFAC indicates in the Updated Advisory that “license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will continue to be reviewed by OFAC on a case-by-case basis with a presumption of denial.” (emphasis added).

After describing a list of alleged malicious cyber actors designated by OFAC for perpetrating or facilitating ransomware attacks, including the aptly-named Evil Corp, the Updated Advisory stresses that the U.S. government “strongly discourages” the payment of cyber ransom, which:

. . . . may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves.

The Updated Advisory then provides an ominous reminder that OFAC may impose civil penalties for sanctions violations based on strict liability – i.e., a company can be held liable even if it did not know or have reason to know that it was engaging in a transaction that was prohibited by OFAC.  “Enforcement responses range from non-public responses, including issuing a No Action Letter or a Cautionary Letter, to public responses, such as civil monetary penalties.”

OFAC offers two basic paths to minimizing the potential penalties posed by this dilemma.

First, financial institutions and other companies should implement a risk-based compliance program to mitigate exposure to sanctions-related violations.  The program should account for the risk that a ransomware payment may involve a Specially Designated National (“SDN”) or blocked person, or a comprehensively embargoed jurisdiction (such as North Korea).  Effective cybersecurity measures likewise can mitigate any OFAC enforcement response; such measures can include “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols[.]”  The Updated Advisory specifically notes that financial institutions covered by the Bank Secrecy Act also will have related anti-money laundering obligations.

Second, “OFAC strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible to avail themselves of OFAC’s significant mitigation related to OFAC enforcement matters and receive voluntary self-disclosure credit in the event a sanctions nexus is later determined.”  The Updated Advisory states that OFAC will be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) if the victim reports the ransomware attack to OFAC, law enforcement and other relevant agencies as soon as possible and provides cooperation during and after a ransomware attack.  This “encouragement” suggests that in practice any ransomware attack should be reported to OFAC and other agencies, because it ultimately may turn out to be the case that the attack had a sanctions nexus.

Even if strong cyber-security measures, self-reporting and cooperation with the government leads to a non-public response by OFAC, a lurking issue remains: what enforcement risks face a company that finds itself to be the victim of a second attack involving a sanctions nexus?

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On Monday, the White House announced the nomination of Alvaro Bedoya to serve as FTC Commissioner.  Mr. Bedoya is slated to fill the seat on the Commission currently held by Rohit Chopra, which Mr. Chopra will vacate upon his confirmation as CFPB Director.  Mr. Chopra is expected to be confirmed as CFPB Director before the end of the year.

If confirmed, Mr. Bedoya would join the two other Democratic FTC Commissioners, Lina Khan, Chair of the Commission, and Rebecca Slaughter, and allow Democrats to maintain a 3-2 majority.

Mr. Bedoya is currently a law professor at Georgetown University Law School, where his research has focused on how technologies such as facial recognition have led to discrimination against immigrants and people of color.  He was the founding director of Georgetown University’s Center on Privacy & Technology.  Mr. Bedoya also served as the first Chief Counsel for the Senate Judiciary Committee’s Subcommittee on Privacy, Technology & the Law.  As a result, some observers view Mr. Bedoya’s nomination as a precursor to greater FTC focus on potential discrimination arising from the use of  artificial intelligence and other technological innovations as well as privacy considerations for both consumer protection and competition among Big Tech companies.

On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches. Continue Reading Federal Court Holds that Cloud Service Provider is Subject to CMIA

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021.  This settlement activity followed a few other significant HIPAA developments that occurred in January of 2021, including HHS’s release of proposed regulations to the HIPAA Privacy Rule and a Fifth Circuit Court of Appeals opinion vacating an OCR penalty of approximately $4.44 million for a HIPAA security breach involving the University of Texas MD Anderson Cancer Center (MD Anderson).  The Fifth Circuit took issue with the standards that OCR (and an administrative law judge) had applied in assessing the penalty.  It found that MD Anderson had implemented a mechanism for the encryption of data, even if certain employees did not follow that mechanism.  It held that the government had not demonstrated that MD Anderson made any affirmative disclosure of protected health information to an outside person.  The Court explained that even if the government had established that MD Anderson was liable, the Court would have lowered the penalties substantially, finding that the amount assessed exceeded applicable limits.  Although it is unclear how the Fifth Circuit’s opinion will affect OCR’s enforcement activity (or the willingness of parties to settle) going forward, this year’s settlements demonstrate that OCR has remained active in enforcing HIPAA’s rules.

OCR’s first settlement of 2021 was also its largest of the year to date.  OCR learned of the breach when Excellus Health Plan reported to OCR that cyber-attackers had installed malware and gained unauthorized access to its systems from December 2013 to May 2015.  The breach resulted in the impermissible disclosure of more than 9.3 million individuals’ protected health information, including their social security numbers, bank account information, health plan claims, and treatment information.  HHS investigated the breach and alleged that Excellus Health Plan did not conduct a thorough analysis of the risks and vulnerabilities of the electronic protected health information (ePHI), implement security measures to mitigate risks and implement procedures to regularly review information system activity records.  Excellus Health Plan agreed to pay a resolution amount of $5.1 million and entered into a Corrective Action Plan, requiring it to perform a comprehensive risk analysis to identify any other potential risks or vulnerabilities to its systems maintaining ePHI, prepare written policies to address the monitoring of suspicious activity and submit the policies to HHS for review, provide training to employees on such policies and submit to monitoring by HHS for a period of two years.  OCR’s analysis of the severity of the potential violations and determination of the resolution amount appears to have been heavily influenced by the length of time that the breach went undetected, as the director of OCR commented: “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries.”  This settlement serves as a reminder that covered entities should be vigilant in reviewing activity within their systems so they may respond quickly if a breach does occur.

OCR has also demonstrated a continuing commitment to enforce the obligation to provide individuals with timely access to their health information upon request.  OCR entered into six separate Resolution Agreements between January and June of 2021, amounting to 19 total actions under its Right of Access Initiative.  All six settlements involved health care providers that failed to provide patients’ medical records in a timely manner, ranging from a 6-month delay to a complete failure to provide the requested documents.  Each entity entered into a Resolution Agreement and Corrective Action Plan with OCR, with resolution payments ranging from $5,000 – $200,000.  Based on the limited information available in the Resolution Agreements, it is unclear how the monetary resolution amounts were set.  They may have been based on a combination of factors such as the time that passed between the initial request and the date the entity provided the medical records, the number of complaints that HHS received with respect to each entity, or the size and sophistication of each entity.  Although the settlement amounts for breaches of the access to information requirements tend to be less than those involving an actual breach of privacy, the Corrective Acton Plans still require the entities to undertake significant compliance measures, including revising internal policies and procedures for HHS review, providing training to all employees with job duties that relate to processing these requests, and submitting to monitoring by HHS for up to two years.  These Resolution Agreements and accompanying press releases indicate that HHS will continue pursuing its Right of Access Initiative, demonstrating the importance of health care entities to maintain sufficient policies to ensure timely, comprehensive and accurate responses to patients’ requests for medical records.

With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a press conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information. Continue Reading California Enforcement Updates and Privacy Tools Highlight Regulatory Scrutiny of Right to Opt Out

Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications.  In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021).  The Rutter’s decision is a reminder that although courts had generally found such documents protected by the attorney-client privilege and/or work product doctrine, the tide may be changing.

On May 29, 2019, Rutter’s received two security alerts which detailed “the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  The same day, Rutter’s engaged outside counsel to advise on its potential notification obligations.  Outside counsel then engaged a forensic investigator to perform an analysis to determine the character and scope of the incident.  The parties all assumed that the investigation, including its ultimate report and the communications made in furtherance thereof, would be protected by the attorney-client privilege and/or the work product doctrine.  The plaintiffs moved to compel, and the federal magistrate judge granted the motion.

With respect to the work-product doctrine, the Court explained that the doctrine only applies where impending litigation is the “primary motivating purpose behind the creation of the document.”  The Court then held that it was clear from the contract that “the primary motivating purpose” behind the forensic investigation was not to prepare for the prospect of litigation—it was to determine whether data was compromised, and the scope of such compromise if it occurred.  The Court also relied on the testimony of Rutter’s corporate designee and the fact that outside counsel did not receive the report before Rutter’s.   Based on these facts, the Court held that the work product doctrine did not apply.

With respect to the attorney-client privilege, the Court explained that a “communication may only be privileged if its primary purpose is to gain or provide legal assistance.”  The Court further explained that for privilege to apply, the attorney must be “acting as a lawyer,” meaning that the lawyer “must guide future conduct by interpreting and applying legal principles to specific facts.”  The Court emphasized that privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.  Based on that law, the Court found that Rutter’s had not demonstrated that the forensic report and related communications involved “presenting opinions and setting forth . . . tactics rather than discussing facts.”  Specifically, the Court noted that only one portion of the forensic vendor’s services was not inherently factual—working with Rutter’s IT personnel to identify and remediate potential vulnerabilities, which the Court found was not providing legal advice.

The Rutter’s opinion casts further doubt on whether courts will extend protection over data breach forensic investigation reports and communications.  However, like the Capital One and Clark Hill cases, the Rutter’s opinion leaves open the possibility for protection if certain facts occur—some of which companies and outside counsel can control to a degree.  Accordingly, although confusion and chaos can be pervasive at the beginning stages of a data breach, companies and outside counsel should take steps to build a record that may help them secure privilege down the road.

On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which was enacted in January 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.

Continue Reading New York City’s Biometric Identifier Information Law Takes Effect

Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation. The book, Cyber Litigation: Data Brach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase. Continue Reading Ballard Spahr Partner, Phil Yannella, Authors Book on Data Breach and Privacy Litigation