Polsinelli - Health Care


April 2014


You're Not Immune: Hackers Target Health Care Providers of All Shapes & Sizes







For more information about this e-Alert, please contact:
Kristen B. Rosati, Lisa Acevedo, Erin Dunlap, Emily Wey, Jennifer Evans, Rebecca Frigy, Lisa Katz, Kathleen D. Kenney, Lindsay Kessler, Lauren Z. Groebe, Brett Heger

Health Care Practice Leaders:
Matthew J. Murer, Practice Area Chair
Jane E. Arnold, Practice Area Vice Chair
Colleen M. Faddick, Practice Area Vice Chair

To learn more about our Health Care practice, or to contact one of our Health Care attorneys, click here.





For health care providers, exposure to cyberattacks is becoming a stark reality. Findings in a recently released Health Care Cyberthreat Report by cybersecurity leaders confirmed the health care industry's vulnerability to cyberattacks. The Report attributed this vulnerability to a lack of progressive cybersecurity strategies and controls and to the increasing amount of electronic protected health information (ePHI) being exchanged over the Internet.

Just days prior to the Report's release, The Wall Street Journal reported that a national cybersecurity firm discovered information from providers on a popular website hackers use to post data, 4shared.com. The data included PHI and information that could be used to access provider networks. A search by The Wall Street Journal on 4shared.com found compromising information from three New York nursing homes, which reflects how cyberattacks can have compounding effects when information is disseminated beyond the hackers.

Key takeaways of the Report include:

  • Hackers not only obtained patient information but also gained access to devices within the organization. Compromised areas included radiology imaging software, video conferencing and digital video systems, and security systems such as VPNs, firewalls, and routers.
  • Hackers did not discriminate when choosing their targets. Among the Report's sample, compromised entities included small and large health care providers (including physicians and health systems), medical supply companies, health plans and clearinghouses, pharmaceutical companies, at least one state human services agency, and other health care related organizations.
  • When implementing new security systems, most network administrators properly changed the factory defaults, but some overlooked other devices attached to the network. These devices can include printers or fax machines, which PHI inevitably crosses at some point.
  • Health care providers cannot ignore the cost associated with unauthorized access of ePHI through cyberattacks. In addition to fines or settlements for HIPAA violations, the Report indicated that health care organizations pay an estimated $233 per compromised record for other related expenses, such as notifying victims, incident handling, credit monitoring, and projected lost opportunities.

What Providers Should Know

  • Unauthorized access to ePHI translates into HIPAA violations for health care providers, other covered entities and business associates. With an increasing amount of health data stored online, covered entities and business associates cannot ignore the threat that a lack of cybersecurity poses. Health privacy and security officers should identify any points of access that could leave providers vulnerable to cyberattacks and act accordingly to minimize their risk.
  • As the volume of ePHI stored online and susceptible to hackers increases, so do the costs associated with cyberattacks. In a recent breach due to a website glitch that exposed the PHI of approximately 612,000 individuals, health care insurer WellPoint paid almost $2 million to settle potential HIPAA violations. Considering other costs associated with such a sizable breach, the Report estimated that potential expenses could exceed $142,689,000. Although not attributed to a cyberattack, the WellPoint breach nonetheless illustrates the potential liability that health care organizations can incur when the security of ePHI is compromised online.
  • Be aware that medical equipment like dialysis or diagnostic imaging machines that are administered or updated remotely can expose a health care provider to additional cybersecurity risks if the data these machines process is not protected properly. Hackers can gain access to any ePHI stored on the device, use the device as a point of entry into the provider's network, or even cause physical harm to patients by hacking into the device.
  • Assessing the true security risks that health care providers face goes beyond evaluating compliance with HIPAA and similar state laws. Providers may be compliant with the law, yet still have security risks that need attention. Compliance and security are not one and the same.

For More Information

To access the SANS Institute Report, click here.

To access The Wall Street Journal article, click here.

For questions on the contents of this alert, contact an attorney listed within this communication.





















Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2014 Polsinelli PC.
