[ Wednesday, May 23, 2018 ]


Obviously, this blog focuses on HIPAA breaches, which can cause big fines but rarely result in the payment of any actual damages by the parties who suffer the breach.  That's because the patients rarely suffer financial loss.

When there's a breach involving theft of credit card data (like Target or Home Depot), most individuals whose card data is stolen don't suffer damages, because they can simply dispute the fraudulent credit card charges.  It's either the vendor or the credit card company who gets stuck with the loss.

However, the credit card companies push potential responsibility for those liabilities back onto the vendors, in the form of the PCI DSS: that's the Payment Card Industry Data Security Standards.  Every vendor who takes credit cards signs an agreement with the credit card company to meet these standards; if they don't, and there's a breach due to the vendor's failure, the credit card company can then recover its losses (fraudulent charges as well as costs of replacing cards) from the faulty vendor.

That's what is happening here.  Or at least that's what Chase and Paymentech are trying to do.  Apparently Landry's is contesting either their own wrongdoing in the hack, or Chase and Paymentech's willingness to let the credit card companies themselves push the losses onto them.  Will be interesting to see how this one plays out.  And a good lesson for healthcare providers (and anyone else) who take credit cards -- be careful out there, and make sure you meet PCI DSS.

Jeff [12:58 PM]
