Feds levy first fine for “small” data breach

Idaho hospice hit with $50,000 penalty for breach

Modern Healthcare - NEWS - Joseph Conn

The top enforcer of federal healthcare privacy and security laws levied a historic and comparatively hefty fine for a small breach of patient data on a stolen laptop computer. Data handlers also recently experienced a there-but-for-the-grace-of-God moment as 14 hospitals in three hospital systems began telling the public that a prescription dispensing and information services company they had hired had exposed the personal and medical information of thousands of their patients—also via a stolen laptop.

Both breaches highlight the need to encrypt mobile devices such as laptops, thumb drives, disks and smartphones. The theft or loss of such devices accounts for more than two in five of all publicly reported breaches on a list kept by the Office for Civil Rights at HHS.

“We love encryption, and those who use encryption love it, too,” Office for Civil Rights Director Leon Rodriguez said. “In the event of a breach, using encryption assures that that information is unreadable, unusable or undecipherable, which, basically, would qualify that entity for the safe harbors under our breach notification rule.”

With some fanfare, Rodriguez’s office announced Jan. 2 it had reached a $50,000 settlement with Hospice of North Idaho, noting it was the first settlement involving a breach of fewer than 500 individuals’ records. More than 60,500 of these lesser breach reports were filed with the agency between September 2009, when the reporting mandate began, and Dec. 31, 2011, according to the Office for Civil Rights, and the total may exceed 80,000 when the 2012 breaches are reported in this year’s annual filing, said Michael McMillan, an Austin, Texas-based healthcare security specialist.

On its website, the Office for Civil Rights has listed 525 larger breaches that exposed the records of more than 21.4 million people.

The Idaho hospice in Hayden, a suburb of Coeur D’Alene, reported the unencrypted laptop carrying patient information had been stolen from one of its fieldworkers in 2010. The civil rights office also cited the provider for not conducting an adequate risk analysis as required under HIPAA.

Meanwhile, Omnicell, a Mountain View, Calif., provider of prescription drug cabinets and related data services, notified more than 68,000 patients of the 919-bed University of Michigan Health System, Ann Arbor; 10-hospital Sentara Healthcare, Norfolk, Va., and two-hospital South Jersey Healthcare, Vineland, N.J., that their demographic, prescription drug and other clinical information was potentially exposed when a password-protected but unencrypted laptop was stolen from an employee’s car. Spokespersons for two of the hospital systems said the lack of encryption specifically violated contract arrangements.
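The Omnicell laptop was password-protected but not encrypted, and the Idaho laptop was not encrypted at all; under the safe harbor Rodriguez describes, only encryption of the data itself would have taken either theft out of breach-notification territory, since an OS login password does nothing once the drive is pulled and mounted elsewhere. The check below is an added example, not code from the article or from any organization named in it: a Python script that walks the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` and lists every mounted filesystem (swap included) that does not sit below a dm-crypt layer such as LUKS. The embedded `lsblk` output is constructed for the example, not captured from a real host, and the `check_host()` entry point assumes a Linux machine with util-linux installed.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured from a real host).
# sda2 is a LUKS container holding LVM volumes for /, /home and swap; sdb1 is a plain,
# unencrypted partition mounted at /data, the kind of thing a fleet check should flag.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
          {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/data"}
    ]}
  ]
}
"""

# Mountpoints that are unencrypted by design: the bootloader reads them before any key exists.
BOOT_MOUNTPOINTS = frozenset({"/boot", "/boot/efi"})


def walk_mounts(devices, under_crypt=False):
    """Yield (mountpoint, encrypted) for every mounted device in an lsblk tree.

    A device counts as encrypted when it, or any ancestor in the tree, is a
    dm-crypt device (lsblk TYPE == "crypt"). The flag is inherited downward, so
    LVM volumes carved out of a LUKS container are reported as encrypted.
    """
    for dev in devices:
        encrypted = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, encrypted
        # lsblk omits "children" entirely for leaf devices
        yield from walk_mounts(dev.get("children", []), encrypted)


def unencrypted_mounts(lsblk_json, ignore=BOOT_MOUNTPOINTS):
    """Return the sorted mountpoints that have no crypt layer beneath them, minus `ignore`."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return sorted(mp for mp, enc in walk_mounts(tree) if not enc and mp not in ignore)


def check_host():
    """Run lsblk on this machine (Linux with util-linux assumed) and report unencrypted mounts."""
    proc = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    )
    return unencrypted_mounts(proc.stdout)


if __name__ == "__main__":
    exposed = unencrypted_mounts(SAMPLE_LSBLK_JSON)
    print("sample host, unencrypted data mounts:", exposed or "none")
```

On the constructed sample this reports `/data` and nothing else: `/`, `/home` and swap inherit the crypt layer from `cryptroot`, and `/boot` is excluded as expected. Unencrypted swap is deliberately not excluded, since it can hold page-outs of patient records. The check only establishes that an encryption layer is present; it says nothing about how the volume is unlocked, so a keyfile stored on the unencrypted `/boot` partition or a passphrase taped to the lid would pass it and still leave the device in the Omnicell position. The equivalent one-liners on the other common laptop platforms are `fdesetup status` on macOS (FileVault) and `manage-bde -status` on Windows (BitLocker).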

An Omnicell statement said the company knows of no other breaches in its 20-year history and that it had “initiated immediate and definitive measures to prevent a similar incident from re-occurring.”

Rodriguez cautioned against reading too much into the Office for Civil Rights announcement about the Idaho settlement.

“I don’t think that anybody should take either that this particular case was the result of a focus particularly on small breaches or that it heralds an upcoming focus on our part on small breaches,” Rodriguez said. For all monetary-enforcement cases, the Office for Civil Rights focuses on those “that reveal longstanding and systemic failures to comply with the privacy and security rules,” he said.

The Office for Civil Rights has shifted over the past couple of years to an increased use of monetary settlements and penalties to achieve HIPAA compliance. But “even as our pace of monetary enforcement picks up, we’re still in the relatively early days of that program,” Rodriguez said. Thus far, the civil rights office has achieved HIPAA-related monetary settlements or court decisions totaling nearly $14.9 million with 11 entities, including five in 2012.

“What I would really underscore is, we investigate the compliance of the entity with a set of very common-sense processes that the privacy and security rule require,” he said. “The one that you’ll hear us talking about all the time is risk analysis.” The Office for Civil Rights recently completed 115 random audits of covered entities and “a good number of them” had not performed required risk analyses, Rodriguez said, and those that had done so typically used encryption.

For the past five years, the Healthcare Information and Management Systems Society has surveyed its members on healthcare data security issues. Over that period, the percentage of respondents whose organizations have conducted HIPAA-mandated security risk analyses has remained fairly flat at 90% for hospitals and 65% for medical practices, said Lisa Gallagher, its senior director for privacy and security.

In 2012, based on 303 survey participants, 64% of the respondents said their organizations use encryption for data in transmission and 59% encrypt data in storage.

Hospice of North Idaho installed encryption software on its 65 or so laptops immediately after the 2010 breach, according to Sue Howlett, director of information technology, who was hired right after the incident.

“It’s not hard at all,” Howlett said. “It’s not expensive. I understand why they [Office for Civil Rights] want it done. If you look at the threat ecosystem out there right now, it’s very bad. If you want personal information, we’re a target-rich environment. All of healthcare is.”

Source: HHS Office for Civil Rights
