Stolen Thumb Drive Proves Costly for Dermatology Practice

The Department of Health and Human Services (HHS) recently announced a $150,000 settlement with a dermatology practice in Massachusetts that arose out of a stolen thumb drive.  The unencrypted drive, which contained the health information of approximately 2,200 individuals, was stolen from a vehicle of one of the practice’s staff members.

Although HHS was concerned with the staff member’s failure to safeguard the health information, the large settlement amount resulted primarily from the practice’s lack of HIPAA policies and procedures.  Specifically, HHS determined that the practice: (1) had no breach notification policies, (2) had not conducted risk assessments for potential security vulnerabilities, and (3) did not adequately perform HIPAA training for its workforce.

This case provides an important warning to health care providers who do not have comprehensive HIPAA and HITECH policies and procedures.  Although the risk of being selected for an HHS HIPAA audit is still relatively low, it only takes one breach of health information for HHS to open an investigation that can result in costly penalties.

For more information about HIPAA and HITECH policies and procedures, please contact Casey Moriarty.

 

UW Medicine Notifies 90,000 Patients of HIPAA Breach

Just before the Thanksgiving holiday, UW Medicine reported a HIPAA security breach, affecting roughly 90,000 patients at Harborview and UW Medical Centers.  In early October, a UW Medicine employee opened an e-mail attachment containing malicious software.  The malware took control of the computer, which had patients’ data stored on it.  The information that was exposed was a subset or extraction of data that was used for billing purposes.  Patient information may have included names, medical record numbers, addresses, phone numbers, dates of service, charge amounts for services received, Social Security numbers or Medicare numbers.

This is the fourth biggest HIPAA security breach this year, according to data from the Department of Health and Human Services.  The other major breaches involved stolen unencrypted computers and laptops (Advocate Health System and AHMC Healthcare) and improper disposal of medical records (Texas Health Harris Methodist Hospital).

The recent UW Medicine incident highlights the need for hospitals, providers, and business associates to monitor and update their virus protection software and firewalls.  Additionally, organizations should implement security awareness and training programs for all workforce members– this may include periodic reminders addressing malicious software or guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders or hoax e-mail.

For assistance with HIPAA and/or the breach notification rules please contact Elana Zana or Jefferson Lin.

 

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its 5th HIPAA breach since 2009.  This is Stanford’s third largest breach, affecting nearly 13,000 patients.   A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford.  The laptop was un-encrypted and contained patient information including: name, medical record number, age telephone numbers, surgical procedures and treating physicians.  Though the laptop had a broken screen, there is still the possibility of extracting the data from the computer.

Stanford’s other breaches include a disclosure  of 20,000 patient records when a subcontractor of a business associate placed patient information on the web seeking assistance with using Excel, the data was left on the website for nearly a year.  This breach has resulted in a $20 Million class action law suit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records when an unencrypted laptop with patient information was stolen from a physician’s car.  In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office.  Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft of a laptop by an employee containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches.  Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes:  encrypt all PHI and destroy broken devices (remember though broken, the data is still valuable to thieves).

For assistance with  HIPAA and/or the breach notification rules please contact Elana Zana.

Deadline to Report HIPAA Breach to HHS is Friday, March 1st

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches, regardless of the number of individuals affected to HHS on an annual basis.  The deadline for this report is Friday, March 1st.  This reporting requirement is pursuant to the interim final rule on Breach Notification, the Omnibus HIPAA rule published in January does not impose any new requirements related to reporting of 2012 HIPAA breaches.  Providers who have had breaches affecting less than 500 individuals can report the HIPAA breaches here.  This report needs to be filled out for each breach that occurred during the 2012 calendar year.  For example, if a covered entity had a breach in March of 2012 affecting five individuals and another breach in August 2012 affecting two individuals the report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example).  To fill out this form covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (i.e. theft, loss, unauthorized access, etc.)
  • Location of breached information (i.e. laptop, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (i.e. demographic, financial, etc.)
  • Description of the Breach
  • Safeguards in place prior to the Breach (i.e. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach in accordance with the interim final rule on Breach Notification Rule.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.