This month has seen a large number of paper records affected by HIPAA breaches – in many cases when improperly disposed of. Covered entities should remember that all records need to be secured whatever their format. The best way of doing this is to implement a robust information security management system (ISMS).
This month’s breaches:
William W Backus Hospital – 360 patients
The Norwich Bulletin reports that Backus Hospital has written to 360 patients, informing them of an incident in which “an employee took patient records home to complete work from home that may have been viewed by a non-employee”. Patient records may have included patients’ “name, medical record number, date of treatment in the emergency department, diagnosis and treatment information.”
Carilion Clinic – 1 patient
The Roanoke Times reports that Carilion Clinic “has fired or disciplined more than a dozen employees after they peered into a high-profile patient’s medical records without any clinical reason for doing so.”
Colorado Department of Health Care Policy and Financing – 1,622 households
Colorado’s Department of Health Care Policy and Financing has announced that “protected health information was unintentionally disclosed in a recent mailing” that “may have included names, address, state identification number or Medicaid case number, names of family members in a household, employer name, income from that employer, amount of an Advanced Premium Tax Credit (APTC), and whether the individuals were approved or denied for several medical assistance programs such as Medicaid and Child Health Plan Plus (CHP+). For fewer than 50 of those affected, a date of birth was also disclosed.”
Lawrence General Hospital – 2,071 patients
Lawrence General Hospital, MA, has announced that “an unencrypted thumb drive containing limited patient information [went] missing from an office in the secured hospital laboratory” between June 6 and June 9. It contained “limited lab testing information, including patient names, laboratory testing codes, and slide identification numbers. The thumb drive did not include any social security numbers, addresses, dates of birth or any other clinical or financial information. Patient medical records were not included”.
Positive Adjustments – number of patients unknown
Fox13now.com reports that “piles of medical records, court documents and other personal files were found in an open dumpster in Taylorsville”, apparently having been thrown out by Utah drug and alcohol rehab center Positive Adjustments. The files contained “patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, court documents, [and] treatment documents”.
Prima CARE – 1,651 patients
In another case of patient information being dumped, New England health care provider Prima CARE has announced that “two binders containing miscellaneous information related to patients treated by our health care providers between 2007 and 2012 were found on May 25, 2015 in the bushes near a parking lot at Dave’s Beach on Jefferson Street in Fall River.” The information included “names, addresses, phone numbers, dates of birth, medical record numbers, hospital account numbers, insurance numbers, treatment date(s) and certain clinical information. One individual’s full social security number was included.” The binders were returned to Prima CARE.
Urology Associates – 6,500 patients
The Daily Inter Lake reports that Kalispell medical practice Urology Associates “discovered that its stored patient files had been accessed improperly” when the facility in which they were held was burglarized. It is unlikely that anything was taken, but Urology Associates has notified 6,500 patients that they may have been affected out of the usual “abundance of caution”.
The Department of Veterans Affairs – 1,111 patients
In another case of patient information being dumped, the Department of Veterans Affairs has announced that 1,111 veteran health care records – including patient names, phone numbers, addresses, and Social Security numbers – were accidentally thrown in a dumpster. The Rapid City Journal reports that public affairs officer Teresa Forbes said: “It was just an unfortunate mistake during an office move.”
Siouxland Pain Clinic – more than 13,000 patients
The Sioux City Journal reports that Siouxland Pain Clinic has written to more than 13,000 patients to inform them that “their medical and other personal information may have been exposed in a hacking attack”. Lonnie Braun, a Rapid City lawyer, said that “patients’ names, medical information, Social Security numbers and addresses may have been compromised when the clinic’s server was hacked between March 26 and April 2.”
North East Medical Services (NEMS) – 69,246 patients
69,246 patients’ information was potentially exposed when an unencrypted laptop was stolen from the trunk of a NEMS employee’s car. According to the notification letter sent to affected patients on July 30, the information involved was limited to “name, date of birth, gender, contact information, payer/insurer and limited personal health information.” Some patients’ Social Security numbers were also affected.
Advanced Radiology Consulting – 855 patients
According to a press release, an employee of Advanced Radiology Consulting (ARC) “emailed certain patient protected health information to her personal email account”, including “a combination of patient names, dates of birth, phone numbers, balance information, insurance carrier name and identification number, treatment and exam information, appointment date and time, appointment notes, and referring physician information. This protected health information did not include patient Social Security numbers, driver’s license numbers, credit/debit card information, or financial account information.” The employee was fired and instructed to delete the information.
East Bay Perinatal Medical Associates – 1,494 patients
1,494 patients of East Bay Perinatal Medical Associates (EBPMA) have been notified that their personal information had been discovered on an employee’s laptop as part of a catalogue of patient records. No Social Security numbers, or financial, contact or medical information were listed.
McLean Hospital – 12,600 patients
McLean Hospital – a psychiatric hospital in Belmont, MA, owned by Partners HealthCare – has announced that four unencrypted backup tapes containing patient names, dates of birth, Social Security numbers and medical diagnoses went missing from its Harvard Brain Tissue Resource Center in May. The information related to 12,600 individuals who had donated their brains or brain tissue to medical research. The hospital waited two months to report the incident because it was conducting an investigation, it said.
OhioHealth Riverside Methodist Hospital – 1,006 patients
OhioHealth has announced that a flash drive that “may have included … patient names, medical record numbers, names of insurance companies, physicians’ names, addresses, dates of birth, referral and treatment dates, the type of procedures, and in certain limited instances, clinical information and Social Security numbers” went missing between April 14 and May 29. It is believed that the flash drive was lost, not stolen.
Healthfirst – 5,300 patients
New York-based insurer Healthfirst has announced that it is notifying 5,300 health plan members of a breach in which names, addresses, dates of birth, health insurance plan information, description of missing services, physician numbers, Healthfirst member ID numbers, patient ID numbers, claim numbers, diagnosis codes, and Medicare and Medicaid ID numbers were “compromised in the course of a criminal fraud scheme perpetrated against Healthfirst.”
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
A Vormetric study found that “26 percent of healthcare respondents reported that their organization had previously experienced a data breach”, and a recent Ponemon Institute report found that criminal attacks are the most common cause of health care data breaches. “Criminal attacks on healthcare organizations are up 125% compared to five years ago”, Ponemon notes, and “45% of [breached] healthcare organizations say the root cause of the data breach was a criminal attack”.
HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.