The beginning of the year brings news that Omnicell, a medication management system provider, has prevailed in a lawsuit. The case was filed against the company in December 2012 over the loss of a laptop computer holding sensitive data. The laptop was not protected with disk encryption software, resulting in the breach of PHI for over 50,000 people, per phiprivacy.net.
Omnicell Wins by Default
The case, Polanco v. Omnicell, was dismissed without prejudice for lack of a cognizable harm, the reason usually given in instances like these. In layman's terms, as far as I can tell, it means that the plaintiff wasn't able to show that he (or she) actually suffered some kind of harm that the courts had the power to remedy in one way or another.
For example, if someone dents your car, you can sue that person, present evidence, and if you win, the courts can rule that you be made whole (i.e., have the defendant fix the dent). The problem with data breaches is that, short of showing conclusive proof that you were victimized by identity thieves, it's always debatable whether you were harmed at all: how exactly are you victimized by the loss of a laptop containing your data, by itself?
The answer: you're not. At least, that's been the answer so far from pretty much every US court. There have been a couple of appellate decisions here and there that detract a bit from this line of thought, but said detraction is a mere drop in an ocean of dismissals.
Using Disk Encryption Still a Better Option
A successful defense against a lawsuit is always good news for the company being sued. And yet, it's not such a happy piece of news. After all, the company could easily have avoided being sued in the first place.
How? Full disk encryption (FDE). Encryption is widely accepted as one of the best ways to protect data when a laptop computer goes missing, which is what happened in Omnicell's case (a laptop was stolen from an employee's car). Had FDE been used, the plaintiff wouldn't have had a real reason to sue in the first place. Even if the plaintiff were one of the aggressively lawsuit-happy people, there's a good chance that lawyers would have been loath to take the case, knowing that they didn't really have one.
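The practical question that follows from the above is how an organization verifies that its laptops are actually encrypted before one goes missing. The script below is an added example, not code from the original post or from Omnicell; it parses the JSON produced by the Linux `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` command and reports any sensitive mount point (by default `/` and `/home`) that is not backed by a LUKS container. The two inventory samples embedded in it are constructed for illustration. Windows and macOS fleets would need the equivalent check against `manage-bde -status` and `fdesetup status` output instead, which this example does not cover.

```python
"""Audit whether a Linux laptop's sensitive filesystems sit on an encrypted device.

Added example for illustration. It reads the device tree that `lsblk -J` prints
and walks it: a mount point counts as encrypted if it, or any device above it in
the tree (partition, LUKS container, LVM volume), is a LUKS container
(fstype "crypto_LUKS") or a device-mapper crypt target (type "crypt").
"""
import json
import subprocess

# Constructed sample: `lsblk -J` from a laptop whose root and home volumes are
# LVM logical volumes inside a LUKS container. Only /boot/efi is plaintext.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
            ]},
        ]},
    ]},
]})

# Constructed sample: a laptop installed with plain ext4 partitions and no encryption.
PLAINTEXT_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
    ]},
]})


def _mountpoints(dev):
    """Return every mount point of a device; newer lsblk versions use a list."""
    found = []
    if dev.get("mountpoint"):
        found.append(dev["mountpoint"])
    found.extend(m for m in dev.get("mountpoints", []) if m)
    return found


def _is_encryption_layer(dev):
    """True for a LUKS container partition or the crypt device unlocked from it."""
    return dev.get("type") == "crypt" or dev.get("fstype") == "crypto_LUKS"


def unencrypted_mounts(lsblk_json, watch=("/", "/home")):
    """Return the watched mount points that have no encryption layer above them."""
    tree = json.loads(lsblk_json)["blockdevices"]
    findings = []

    def walk(devices, ancestors):
        for dev in devices:
            chain = ancestors + [dev]
            encrypted = any(_is_encryption_layer(d) for d in chain)
            for mp in _mountpoints(dev):
                if mp in watch and not encrypted:
                    findings.append(mp)
            walk(dev.get("children", []), chain)

    walk(tree, [])
    return sorted(findings)


def audit_this_host():
    """Run lsblk on the local machine; fall back to the samples if it is absent."""
    try:
        out = subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True,
        ).stdout
        return {"localhost": unencrypted_mounts(out)}
    except (FileNotFoundError, subprocess.CalledProcessError):
        return {"sample-encrypted": unencrypted_mounts(ENCRYPTED_LAPTOP),
                "sample-plaintext": unencrypted_mounts(PLAINTEXT_LAPTOP)}


if __name__ == "__main__":
    for host, exposed in audit_this_host().items():
        status = "OK" if not exposed else "UNENCRYPTED: " + ", ".join(exposed)
        print(f"{host}: {status}")
```

Collecting `lsblk -J` output from each laptop through whatever inventory agent is already deployed and feeding it to `unencrypted_mounts` gives a fleet-wide list of machines that would turn a theft into a reportable breach; the `/boot/efi` partition is deliberately excluded from the default watch list because it is expected to be plaintext on a LUKS system.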
Also, consider that, even though Omnicell successfully defended itself against a civil suit, it still has to face an investigation from the OCR (the HHS Office for Civil Rights), an investigation that will examine not only the encryption status of Omnicell's laptops but its other HIPAA compliance measures, including the existence of documented policies, contingency plans, and other administrative, non-technical HIPAA requirements.
Or, consider the risk that the OCR may find a reason to hand out a fine (HIPAA allows monetary fines of up to $1.5 million, and the OCR has handed out the maximum penalty a number of times in the past couple of years).
There are other considerations as well: negative brand association, customer churn, increased opportunity costs, etc.
It really does not make sense to forgo encryption software if PHI is involved in some way.