Who let the data out?
It’s 6:45 a.m. The overhead fluorescent lights are humming, and the scent of disinfectant is in the air. The boarded pets stir as they begin to wake up. They will want breakfast soon. It’s the start of another busy day at the vet clinic.
As you shake your computer mouse to rouse the screen, you realize something’s wrong. The screen glitches. The appointment book is full today with surgeries scheduled back-to-back, and you’re trying to pull up the schedule before the first patients arrive. As the computer screen flickers back on, you’re greeted with a blinking message, demanding payment in exchange for your patient files. Your stomach drops. You click into the records system—nothing.
The clinic feels unrecognizable. You can’t access the pets’ patient histories, vaccination records, or treatment plans. A routine morning turns into uncontrolled chaos as you scramble to piece together information from memory and scattered notes. Appointments are delayed. Surgeries are postponed. Frustrated owners fill the lobby. And a bad actor now has your information about the pets, their human owners, and your human employees.
Cyberattacks on veterinary clinics are increasingly common and can have serious consequences. Every clinic, no matter how small, should understand the legal and regulatory obligations tied to the data it holds so the clinic can take appropriate data security steps and stay compliant with the law.
Depending on your clinic’s location, data collection processes, and administrative operations, you may be required to comply with an array of privacy laws and regulations that govern how information is managed.
Pet information
Neither pet health information nor pet insurance information is protected by the Health Insurance Portability and Accountability Act (HIPAA). However, many states – including California, Colorado, Indiana, Kentucky, Oklahoma, and Texas – do have statutes or regulations that protect pet patient data. As an example, the Texas law prohibits veterinarians from disclosing any information about the care of an animal unless a limited and specific exception applies. Violations can result in reprimands, fines, and discipline and license-related sanctions for the veterinarian.
Pet “parent” information
All 50 states impose breach notification laws that require businesses to provide timely notice to affected humans, and sometimes regulators, if personal information is compromised in a data breach. Generally, states define “personal information” to include names combined with Social Security Numbers, driver’s license or government-issued numbers, and certain financial information. Some states expand the definition to include digital signatures, health-related information, and birth dates. Violations of data breach notification laws can lead to fines, penalties, and costly lawsuits.
Payment information
Although the Payment Card Industry Data Security Standard (PCI DSS) is not a law, veterinary clinics that directly process credit or debit card payments should comply with it. The Standard generally requires organizations that accept payment cards to implement a variety of cybersecurity protocols, including maintaining security policies, completing self-assessment questionnaires, and passing vulnerability scans. Non-compliance can lead to steep fines, reputational harm, and loss of card processing privileges.
Employee information
Employee information, like any personal information, is protected under states’ general data protection statutes. Certain categories of employee data that a veterinarian may maintain (such as payroll records, Human Resources files, and benefits information) are frequently targeted for data theft. Theft of this data could trigger reporting obligations.
Again, veterinary clinics are not governed by HIPAA for simply providing health care services to animals. But if a veterinary clinic has a self-funded health plan for employees, the clinic may be required to comply with HIPAA standards as the plan administrator. In other words, the clinic should implement reasonable administrative, technical, and physical safeguards to protect the employee data that it handles.
If a breach occurs that affects health plan data, the clinic should follow HIPAA’s notification requirements. HIPAA also has regulatory reporting requirements, which often lead to investigations from the Office for Civil Rights within the U.S. Department of Health and Human Services. Data breaches of this kind can have serious financial consequences despite the fact that veterinary clinics are outside the human health care industry.
Keep your clinic data on a short leash
Routine data intake and storage can create significant legal and regulatory exposure. Veterinary practices must understand their obligations to safeguard the information they handle. They should also take proactive steps to prevent unauthorized access and respond appropriately if a breach occurs.
The Constangy Cybersecurity & Data Privacy Team helps businesses of all sizes and industries develop a comprehensive incident response plan and provides support during a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.
About the author: Kimberly, Associate Attorney. Kimberly leads clients through high‑impact cyber events, including ransomware attacks, business email compromises, network intrusions, and insider‑driven data theft, overseeing forensic investigations, remediation ...
