Healthcare mergers, acquisitions, and joint venture partnerships have surged in recent years, driven by increasing opportunities to innovate, improve quality, and reduce costs. The advancement of new business models and consolidated platforms also have played an important part in the surge.
Over the last decade, strategic acquirers and private equity investors have integrated thousands of HIPAA covered entities and business associates into their portfolios. Through these experiences, they have become much better educated on the regulatory and reputational risk counterparties bring as a result of a privacy or security breach.
An all-time high 40 million healthcare records were breached in 2019. In 2020, ransomware attacks against healthcare organizations have grown to the highest levels of all time. Reading about these attacks in the daily headlines, investors often think “that won’t happen to us” – until it does. Any investor who has lived through a nightmare breach scenario within its portfolio is all too familiar with the associated costs, business disruption, and potential regulatory scrutiny.
In addition to future cyberattacks and privacy breaches, buyers need to be concerned about liabilities they may be assuming as a result of the seller’s non-compliance with HIPAA or failure to exercise the required duty of care in cybersecurity practices. It is not uncommon that breaches go undetected and unreported for months or even years, and thus they may not be identified in the diligence process.
While the seller will typically be responsible for a breach prior to close, determining and proving when a breach first occurred is often not straightforward, even with the support of expensive forensic experts. If the breach was ongoing and unidentified for some time after the purchase, it becomes an even more complicated affair. Additionally, federal and state regulatory actions and civil lawsuits typically follow for years after a breach, with the buyer left managing an expensive and distracting situation. Failures of the past may weigh heavily on the organization’s future growth trajectory.
Organizations that enter into joint ventures, make minority investments, or establish business partnerships also should take note of potential privacy and security liabilities and business ramifications that may occur from a counterparty’s failure to comply with HIPAA or from its lack of due care in cyber risk management. Companies that partner with organizations that are responsible for safeguarding protected health information (PHI) should assess and limit their exposures in the event the other party fails to implement reasonable and appropriate security and privacy practices.