Jury Awards EHR Vendor $940 Million in Trade Secrets Case
Epic Systems Alleged Consultancy Inappropriately Downloaded Documents
A federal jury's decision to award $940 million in damages to electronic health records software vendor Epic Systems, which had sued an India-based consultancy alleging theft of trade secrets, serves up important lessons regarding restricting access to all sensitive data, including intellectual property.
On April 15, a federal jury in Wisconsin ruled in favor of Epic on seven claims against Mumbai, India-based Tata Consultancy Services. Those claims included breach of contract, trafficking of passwords, fraud and misappropriation of trade secrets. The judgment includes $700 million in punitive damages and $240 million in compensatory damages pertaining to TCS's benefit in its wrongful use of Epic comparative analysis and other confidential information. TCS plans to appeal the ruling.
"This case is an important reminder for every company about the potential impact of security breaches that don't involve personal information," says attorney Kirk Nahra of the law firm Wiley Rein, who was not involved in the case. "In some ways, that's the difference between 'data security' and cybersecurity, with 'data security' focused on personal information and cybersecurity focused on overall system operations."
At the center of the suit were allegations by Verona, Wis.-based Epic, one of the largest U.S. EHR vendors, that TCS consultants - who under a 2005 contract between the two companies were permitted limited access to and use of Epic's software - downloaded thousands of confidential Epic documents to benefit "in the development or enhancement" of TCS's EHR software, Med Mantra.
In a statement, Tata Consultancy Services says it "did not misuse or derive any benefit from downloaded documents from Epic System's user-web portal. TCS plans to defend its position vigorously in appeals to higher courts." TCS adds that it "appreciates the trial judge's announcement from the bench that he is almost certain he will reduce the damages award."
The India-based consultancy says it "did not misuse or benefit from any of the said information for development of its own hospital management system 'Med Mantra,' which was implemented for a large hospital chain in India in 2009."
TCS did not immediately respond to Information Security Media Group's request for comment on the case.
An Epic spokesperson declined to comment at this time, saying "some matters in the case are still outstanding."
According to court documents, TCS, an IT services firm, had been contracted in 2005 by Kaiser Hospital Foundation - a licensed customer of Epic software - to provide services to support Kaiser's systems and networks.
In its lawsuit against TCS, Epic alleges that after it learned that Kaiser had contracted with TCS to provide IT services to Kaiser involving Epic software, Epic entered into an agreement directly with TCS "to allow certain TCS employees access to Epic training programs for purposes of providing consulting services to Epic's customers related to the implementation of 'Epic Program Property,' ... [which] included computer program object and source code and the Documentation for all of Epic's computer programs."
The lawsuit alleged the contract limited the use and access by TCS consultants of Epic's software to no other purposes "than in-house training of [TCS] employees to assist Epic customers in the implementation" of Epic software by licensed customers.
Several years after Epic and TCS signed the agreement, the lawsuit alleged, "Epic ... learned from an informant that TCS personnel [had] been fraudulently accessing Epic's UserWeb computer network, and that the information obtained through the unauthorized access into UserWeb was being used to benefit TCS's competing Med Mantra software."
In court papers, "UserWeb" is described as "a protected electronic workspace through which Epic provides training and other user materials, such as program manuals, to assist customers with their implementation and maintenance of Epic products."
The lawsuit contended "that an access credential for the UserWeb has been used in India to access Epic's UserWeb without authorization to download information from Epic's UserWeb, and that the purpose of the misconduct was to use information and documents related to Epic's leading software to benefit TCS's creation of and improvements to TCS's competing Med Mantra product."
The lawsuit also states: "After learning of the unauthorized and illegal downloading of Epic information by TCS personnel, and the apparent purpose of the misconduct, Epic evaluated its protected UserWeb and discovered that an account associated with a TCS employee who worked as a consultant for Kaiser in Portland, Oregon, and who worked on projects related to Epic's provision of software and services to Kaiser, had downloaded from Epic's UserWeb at least 6,477 documents accounting for 1,687 unique files. ... The access credentials of this individual were used to access the Epic UserWeb from an IP address in India during the time when the employee resided in Oregon."
Epic also alleged in its suit that TCS leaders in the U.S. and India "appear to be aware of and complicit in TCS's scheme to gain unauthorized access to Epic's UserWeb and information and misuse them for the benefit of TCS."
Lessons to Learn
The dispute between Epic and TCS spotlights the need for healthcare entities and their business associates to safeguard sensitive data, including information that falls outside the definition of protected health information under HIPAA.
"A key lesson here is that in healthcare, information security is not limited to electronic protected health information," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who was not involved in the case.
"While it is easy to develop 'HIPAA blinders,' organizations should consider addressing all confidential information in their information security program, including trade secrets and confidential employee information," he says. "When conducting an enterprisewide information security risk assessment, it may be valuable to include such information within the scope of the assessment, rather than limiting it to electronic protected health information. This may be especially important for organizations conducting significant research, which may be a bigger target than patient information for certain hackers."
Companies need to have an overall security plan that addresses all of their risks, Nahra, the attorney, stresses. "The laws and regulations tend to focus on personal data, but businesses need to be equally concerned about other kinds of data that they hold," he says.
When it comes to sharing data with third-party vendors, it's important to set strict limits on what data is accessible and for how long, says security expert Andrew Hicks, healthcare and life sciences practice leader of risk management consulting firm Coalfire. "Access should only be active when they're providing services," he says. "If they're on a month-long contract, that access should be terminated when that month is up, and reopened if necessary."
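The misuse pattern the court papers describe (an account's credentials used from a country other than the one the account holder lives in, and thousands of documents pulled by a single account) and Hicks's point about limiting vendor access to the contract period can both be expressed as detection rules over portal access logs. The following is an added example, not Epic's UserWeb code or any real log: the log lines, the IP-to-country mapping, the account profiles and the download threshold are all constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime, date

# Toy geolocation: documentation address ranges mapped to countries (assumption;
# a real deployment would query a GeoIP database instead).
GEO = {ipaddress.ip_network("198.51.100.0/24"): "US",
       ipaddress.ip_network("203.0.113.0/24"): "IN"}
# Constructed vendor account profiles: registered work country and contract window.
ACCOUNTS = {
    "consult01": {"country": "US", "contract": (date(2014, 6, 1), date(2014, 6, 30))},
}
BULK_THRESHOLD = 3  # downloads per account per day before flagging (constructed value)

# Constructed sample lines: timestamp, account, source IP, action, object.
SAMPLE_LOG = """\
2014-06-02T09:12:03Z consult01 198.51.100.7 DOWNLOAD guide_a.pdf
2014-06-02T22:01:10Z consult01 203.0.113.25 DOWNLOAD guide_b.pdf
2014-06-02T22:01:15Z consult01 203.0.113.25 DOWNLOAD guide_c.pdf
2014-06-02T22:01:20Z consult01 203.0.113.25 DOWNLOAD guide_d.pdf
2014-07-03T10:00:00Z consult01 198.51.100.7 VIEW guide_a.pdf
"""

def country_of(ip):
    """Map a source IP to a country using the toy GEO table."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO.items() if addr in net), "UNKNOWN")

def analyse(log_text):
    """Return (rule, timestamp, account, detail) findings for each access-log line."""
    findings, per_day = [], Counter()
    for line in log_text.splitlines():
        ts, acct, ip, action, obj = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        prof = ACCOUNTS.get(acct)
        if prof is None:  # credential not tied to any known vendor engagement
            findings.append(("unknown_account", ts, acct, ip))
            continue
        start, end = prof["contract"]
        if not (start <= when.date() <= end):  # access after the engagement ended
            findings.append(("outside_contract", ts, acct, f"{when.date()} not in {start}..{end}"))
        country = country_of(ip)
        if country != prof["country"]:  # credential used far from the holder's location
            findings.append(("geo_mismatch", ts, acct, f"{ip} resolves to {country}, registered {prof['country']}"))
        if action == "DOWNLOAD":  # volume check: flag once when the daily threshold is reached
            key = (acct, when.date())
            per_day[key] += 1
            if per_day[key] == BULK_THRESHOLD:
                findings.append(("bulk_download", ts, acct, f"{BULK_THRESHOLD}+ downloads on {when.date()}"))
    return findings
```

Running `analyse(SAMPLE_LOG)` yields a geo mismatch on each India-sourced line, one bulk-download finding when the third download of the day is reached, and one outside-contract finding for the July access.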