By Elizabeth Snell

August 18, 2015 - A second class action lawsuit has been filed against the Office of Personnel Management (OPM) and the Department of Homeland Security (DHS), following the large scale OPM data breach that took place earlier this year.

Judge Teresa J. McGarry filed the lawsuit against the two agencies after receiving a data breach notification letter following the OPM security incident. McGarry stated in the lawsuit that she has undergone at least two background investigations as a condition of her appointment as an administrative law judge, and that she has also been interviewed for several background investigations. Those investigations are why her sensitive information was likely among the records compromised in the OPM data breach.

On June 4, OPM announced that it was the victim of a cyber attack, compromising millions of federal applicants’ personally identifiable information (“PII”), records, and sensitive information. However, it was not long before a second data breach was discovered, according to the lawsuit.

“On July 9, 2015, OPM issued a second news release confirming that a significantly greater number of individuals were affected by a ‘separate but related’ cyber security breach,” the lawsuit explains. “OPM announced that records of 21.5 million individuals had been stolen, including, ‘identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal acquaintances; health, criminal and financial history; and other details.’”

Among other allegations, McGarry claims that OPM had weak cybersecurity measures, and that it continually failed to meet Federal Information Security Management Act (FISMA) guidelines:

[The Office of Inspector General] found that OPM was not in compliance with several standards promulgated under 40 U.S.C. § 11331, including in the areas of risk management, configuration management, incident response and reporting, continuous monitoring management, contractor systems, security capital planning, and contingency planning.

OPM and DHS are also charged with violating the Privacy Act of 1974 and the Administrative Procedure Act. The case was filed in the US District Court for the District of Colorado.

While medical information was only one part of the information potentially compromised in the OPM data breach, there are several important takeaways for healthcare organizations. One of the larger issues in the security breach was that OPM did not have multi-layered security, Institute for Critical Infrastructure Technology (ICIT) Co-founder and Senior Fellow Parham Eftekhari explained to HealthITSecurity.com last week.

"Hospitals need to change their mindset from 'we're going to keep the bad guys out' to 'we're going to put perimeter defenses in place to try and keep the bad guys out,'" Eftekhari said. "But for those insider threats that do occur, and the malicious actors – whether they're nation states or criminal groups – who do successfully penetrate perimeter defenses and go after the data, what internal defenses are in place to detect them as early as possible and to then stop them before they exfiltrate the data?"

Having good governance policies is also essential, Eftekhari said. Prior to the OPM data breach, ICIT had identified that the agency had lackluster governance policies.

"These are not new concepts,” Eftekhari said. “Governance is a basic idea that unfortunately a lot of organizations still don't get down."