State AGs Data Breach Settlement Reinforces the Importance of Patch Management

By Bill O’Connor, CISSP, CIPP/US

A recent settlement between Nationwide Mutual Insurance Company and attorneys general from 32 states and the District of Columbia (the “Attorneys General”) over a 2012 data breach reinforces the importance of patch management.

On August 9, 2017, the Attorneys General and Nationwide, on behalf of itself and its wholly-owned subsidiary, Allied Property & Casualty Insurance Company (collectively, “Nationwide”), entered into an Assurance of Voluntary Compliance that requires Nationwide to, among other things, pay $5.5 million to the Attorneys General. The settlement is in response to an October 3, 2012 data breach experienced by Nationwide that resulted in the loss of sensitive personal information for 1.27 million consumers. The breach affected potential customers who were seeking insurance quotes from Nationwide. The sensitive personal information included driver’s license numbers, Social Security numbers, and Nationwide internal credit-related scores.

The 2012 data breach was alleged to be the result of Nationwide’s failure to apply a critical security patch that led to hackers exploiting a vulnerability in Nationwide’s web hosting software. After the breach occurred, Nationwide addressed the software vulnerability by applying the previously unapplied software patch. Nationwide admits it experienced a data breach, but denies any wrongdoing related to the breach. Shortly after the data breach occurred, Nationwide notified the affected consumers and offered free credit monitoring and $1 million of free identity theft insurance coverage with no deductible.

In addition to the $5.5 million payment, the settlement – titled as an “Assurance of Voluntary Compliance” – requires Nationwide to complete additional tasks, which may or may not have already been completed, such as:

  • Maintaining an online disclosure statement informing potential customers that it retains a consumer’s personal information even if the consumer does not become an insured
  • For a period of three years:
    • Appoint an individual to the role of Patch Policy Supervisor to maintain, review and revise Nationwide’s patch management policies and procedures
    • Appoint an individual to the role of Patch Supervisor to monitor and manage the installation of available patches
    • Maintain and, on at least a semi-annual basis, update an inventory of all covered systems
    • Regularly review and update its Incident Management Policy and Procedures
    • Deploy and maintain a system management tool to identify available patches on a near real-time basis and scan covered systems to identify unapplied patches
    • Implement processes and procedures to notify Nationwide’s patch management personnel about available patches
    • Implement processes and procedures to evaluate the severity of available patches and prioritize any responsive mitigation actions, and document in writing the applicable risk severity and actions taken
    • Purchase and install an automated feed of common vulnerabilities to Nationwide’s intrusion detection/intrusion prevention systems and security information and event management technology
    • On at least a semi-annual basis, perform an internal patch management assessment of its covered systems
    • On at least an annual basis, hire an outside, independent provider to perform a patch management audit of its covered systems
  • One year after the settlement, certify to the Attorneys General that it is in compliance with these requirements
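As an added illustration of the inventory, unapplied-patch identification, severity prioritization and written-record requirements listed above (example code written for this article, not anything from the settlement or from Nationwide), the script below runs one review cycle over a constructed inventory and patch feed; the system names, versions and feed entries are made up, and the dotted-integer version comparison is a simplifying assumption.

```python
from datetime import date

# Constructed sample data (not from the settlement): a covered-systems inventory with
# installed versions and last-refresh dates, and a feed of available patches.
INVENTORY = {
    "web-01": {"inventoried": "2017-03-01",
               "software": {"webhost": "2.1.0", "openssl": "1.0.1"}},
    "db-01": {"inventoried": "2017-08-01", "software": {"postgres": "9.6.2"}},
}
PATCH_FEED = [
    {"software": "webhost", "fixed_version": "2.1.3", "severity": "critical"},
    {"software": "openssl", "fixed_version": "1.0.2", "severity": "high"},
    {"software": "postgres", "fixed_version": "9.6.2", "severity": "medium"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SEMI_ANNUAL_DAYS = 182  # the settlement requires an inventory refresh at least semi-annually

def version_tuple(v):
    """Assumes dotted numeric versions such as '2.1.3'; real products need a richer parser."""
    return tuple(int(part) for part in v.split("."))

def unapplied_patches(inventory, feed):
    """(system, patch) pairs where the installed version predates the fix, highest severity first."""
    findings = []
    for system, record in inventory.items():
        for patch in feed:
            installed = record["software"].get(patch["software"])
            if installed and version_tuple(installed) < version_tuple(patch["fixed_version"]):
                findings.append((system, patch))
    findings.sort(key=lambda f: SEVERITY_RANK[f[1]["severity"]])  # stable sort keeps system order
    return findings

def stale_inventory(inventory, as_of):
    """Systems whose inventory record is older than the semi-annual refresh interval."""
    return [s for s, r in inventory.items()
            if (as_of - date.fromisoformat(r["inventoried"])).days > SEMI_ANNUAL_DAYS]

def run_review(as_of_iso="2017-10-01", inventory=INVENTORY, feed=PATCH_FEED):
    """One review cycle: unapplied patches, stale inventory, and the written risk/action record."""
    as_of = date.fromisoformat(as_of_iso)
    findings = unapplied_patches(inventory, feed)
    record = [f"{as_of_iso} {s} {p['software']} {p['severity']}: upgrade to {p['fixed_version']}"
              for s, p in findings]
    return {"unapplied": [(s, p["software"]) for s, p in findings],
            "stale_inventory": stale_inventory(inventory, as_of), "written_record": record}

if __name__ == "__main__":
    print("\n".join(run_review()["written_record"]))
```

In a real program the feed would come from the automated vulnerability feed the settlement calls for and the inventory from the system management tool, with the written record retained for the internal and independent audits.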

All organizations that collect personal information from consumers should take heed of the requirements set forth in the Nationwide settlement. These requirements reinforce the importance of implementing an effective patch management program. Failure to apply critical security patches can not only lead to data breaches, but can also make organizations vulnerable to ransomware attacks (as seen by the recent WannaCry ransomware attacks on systems that had not applied an available Microsoft security patch).

If you have any questions or concerns about your organization’s patch management program, or other data privacy and cybersecurity questions, please reach out to Bill O’Connor, CISSP, CIPP/US, or any member of Baker Donelson’s Data Protection, Privacy and Cybersecurity Team, and we will be happy to assist.

HBMA Washington Report – July Issue

Washington Report – July, 2017
(Covers activity between 7/1/17 and 7/31/17)
Bill Finerfrock, Matt Reiter, Nathan Baugh, Josh Mendelson, Carolyn Bounds

CMS Shares Thoughts Behind the MACRA Proposed Rule MIPS Changes

The Healthcare Business Management Association (HBMA) Government Relations Committee was fortunate to again have the opportunity to meet with CMS directors, deputy directors and Senate Ways and Means Staff the day the proposed rule was published. As I think we all have recognized, the most significant changes were intended to help small providers and practices. The proposed threshold increases in patient volume or dollars have in effect exempted many providers from MIPS participation. The ability to form virtual groups is also intended to allow maximum flexibility. Those are positive steps in recognition of the challenges MIPS presents.

In addition, many new options are proposed. For example, the ability to report 2018 quality measures via multiple methods as opposed to only claims, registry, etc. More measures have been added to increase successful reporting choices and opportunities for participating providers.

While these increased options and choices may sound good at first blush, the fact is that complexity and therefore cost for providers also increases. The thoughts and work behind the changes are well intentioned. However, “One man’s idea of perfect order is another man’s chaos.” (Dean Koontz)

Some of the most basic informed decisions providers must make are whether they want to work toward a bonus, remain revenue neutral, or accept a penalty. Accurately performing those projections based on specialty and practice specific variables requires increasingly sophisticated software support and data analytics. The unfortunate fact is providers can make best efforts to do everything right and still not be guaranteed a bonus, or even the amount of the bonus. Because the program must be revenue neutral, for every winner there must be a loser. One observation is the fact that “most providers will be forced to the middle.” And that is the crux of the problem with MIPS, in my opinion. How much money and work will providers invest when there is no return on that investment? We already know a very large percentage of eligible providers never participated in PQRS. Are we really going to accept that none of those physicians or practices is providing quality care? Are we really going to accept that every physician or practice that does participate is providing the best quality care? I hope not, for that is a false belief that reporting data is the same as providing quality care.

The CMS intent is noble: to ensure all beneficiaries receive high quality care at a reasonable cost. The methodology to achieve that is flawed. Adding myriad options that simply increase cost and complexity for physicians and their representatives, with no return on those investments, continues to whittle away at the precious time physicians have for their real job: patient care. That’s where quality happens, not in data reporting. Let’s help physicians get back to what they do best by removing the overwhelming administrative burdens. Then we will see real and meaningful quality.


Holly Louie, RN, CHBME, is the compliance officer for Practice Management Inc. and was the 2016 HBMA president.