Feds levy first fine for “small” data breach
Idaho hospice hit with $50,000 penalty for breach
The top enforcer of federal healthcare privacy and security laws levied a historic and comparatively hefty fine for a small breach of patient data on a stolen laptop computer. Data handlers also recently experienced a there-but-for-the-grace-of-God moment as 14 hospitals in three hospital systems began telling the public that a prescription dispensing and information services company they had hired had exposed the personal and medical information of thousands of their patients—also via a stolen laptop.
Both breaches highlight the need to encrypt mobile devices such as laptops, thumb drives, disks and smartphones. The theft or loss of such devices accounts for more than two in five of all publicly reported breaches on a list kept by the Office for Civil Rights at HHS.
“We love encryption, and those who use encryption love it, too,” Office for Civil Rights Director Leon Rodriguez said. “In the event of a breach, using encryption assures that that information is unreadable, unusable or undecipherable, which, basically, would qualify that entity for the safe harbors under our breach notification rule.”
With some fanfare, Rodriguez’s office announced Jan. 2 it had reached a $50,000 settlement with Hospice of North Idaho, noting it was the first settlement involving a breach of fewer than 500 individuals’ records. More than 60,500 of these lesser breach reports were filed with the agency between September 2009, when the reporting mandate began, and Dec. 31, 2011, according to the Office for Civil Rights, and the total may exceed 80,000 once the 2012 breaches are reported in this year’s annual filings, said Michael McMillan, an Austin, Texas-based healthcare security specialist.
On its website, the Office for Civil Rights has listed 525 larger breaches that exposed the records of more than 21.4 million people.
The Idaho hospice in Hayden, a suburb of Coeur D’Alene, reported the unencrypted laptop carrying patient information had been stolen from one of its fieldworkers in 2010. The civil rights office also cited the provider for not conducting an adequate risk analysis as required under HIPAA.
Meanwhile, Omnicell, a Mountain View, Calif., provider of prescription drug cabinets and related data services, notified more than 68,000 patients of the 919-bed University of Michigan Health System, Ann Arbor; 10-hospital Sentara Healthcare, Norfolk, Va.; and two-hospital South Jersey Healthcare, Vineland, N.J., that their demographic, prescription drug and other clinical information was potentially exposed when a password-protected but unencrypted laptop was stolen from an employee’s car. Spokespersons for two of the hospital systems said the lack of encryption specifically violated contract arrangements.
An Omnicell statement said the company knows of no other breaches in its 20-year history and that it had “initiated immediate and definitive measures to prevent a similar incident from re-occurring.”
Rodriguez cautioned against reading too much into the Office for Civil Rights announcement about the Idaho settlement.
“I don’t think that anybody should take either that this particular case was the result of a focus particularly on small breaches or that it heralds an upcoming focus on our part on small breaches,” Rodriguez said. For all monetary-enforcement cases, the Office for Civil Rights focuses on those “that reveal longstanding and systemic failures to comply with the privacy and security rules,” he said.
The Office for Civil Rights has shifted over the past couple of years to an increased use of monetary settlements and penalties to achieve HIPAA compliance. But “even as our pace of monetary enforcement picks up, we’re still in the relatively early days of that program,” Rodriguez said. Thus far, the civil rights office has achieved HIPAA-related monetary settlements or court decisions totaling nearly $14.9 million with 11 entities, including five in 2012.
“What I would really underscore is, we investigate the compliance of the entity with a set of very common-sense processes that the privacy and security rule require,” he said. “The one that you’ll hear us talking about all the time is risk analysis.” The Office for Civil Rights recently completed 115 random audits of covered entities and “a good number of them” had not performed required risk analyses, Rodriguez said, and those that had done so typically used encryption.
For the past five years, the Healthcare Information Management and Systems Society has surveyed its members on healthcare data security issues. Over that period, the percentage of respondents whose organizations have conducted HIPAA-mandated security risk analyses has remained fairly flat at 90% for hospitals and 65% for medical practices, said Lisa Gallagher, its senior director for privacy and security.
In 2012, based on 303 survey participants, 64% of the respondents said their organizations use encryption for data in transmission and 59% encrypt data in storage.
Hospice of North Idaho installed encryption software on its 65 or so laptops immediately after the 2010 breach, according to Sue Howlett, director of information technology, who was hired right after the incident.
“It’s not hard at all,” Howlett said. “It’s not expensive. I understand why they [Office for Civil Rights] want it done. If you look at the threat ecosystem out there right now, it’s very bad. If you want personal information, we’re a target-rich environment. All of healthcare is.”
Source: HHS Office for Civil Rights