$4.8 Million HIPAA Settlement – Patient Data on the Web

On May 7, 2014, HHS announced that New York-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date. The organizations settled charges that they potentially violated the HIPAA Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”).

NYP and CU operate a shared data network that links patient information systems containing ePHI. On September 27, 2010, the two entities submitted a joint breach report following the discovery that the ePHI of 6,800 individuals had been impermissibly disclosed due to a deactivated server, resulting in ePHI being accessible on internet search engines. The ePHI included patient statuses, vital signs, medications, and laboratory results.

HHS Office for Civil Rights’ (“OCR”) subsequent investigation determined that neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan to address potential threats and hazards to ePHI security. Further, OCR found that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with internal policies on information access management.

NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. In addition, both entities agreed to Corrective Action Plans that require each entity to:

  • Conduct a comprehensive and thorough risk analysis;
  • Develop and implement a risk management plan;
  • Review and revise policies and procedures on information access management and device and media controls;
  • Develop an enhanced privacy and security awareness training program; and
  • Provide progress reports.

Additionally, CU must also “develop a process to evaluate any environmental or operational changes” that impact the security of ePHI it maintains.

This settlement again highlights the necessity for healthcare organizations and business associates to create and implement Security policies and procedures, and to engage in a security management process that ensures the security of patient data.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana or Jefferson Lin.

 

UW Medicine Notifies 90,000 Patients of HIPAA Breach

Just before the Thanksgiving holiday, UW Medicine reported a HIPAA security breach, affecting roughly 90,000 patients at Harborview and UW Medical Centers.  In early October, a UW Medicine employee opened an e-mail attachment containing malicious software.  The malware took control of the computer, which had patients’ data stored on it.  The information that was exposed was a subset or extraction of data that was used for billing purposes.  Patient information may have included names, medical record numbers, addresses, phone numbers, dates of service, charge amounts for services received, Social Security numbers or Medicare numbers.

This is the fourth biggest HIPAA security breach this year, according to data from the Department of Health and Human Services.  The other major breaches involved stolen unencrypted computers and laptops (Advocate Health System and AHMC Healthcare) and improper disposal of medical records (Texas Health Harris Methodist Hospital).

The recent UW Medicine incident highlights the need for hospitals, providers, and business associates to monitor and update their virus protection software and firewalls.  Additionally, organizations should implement security awareness and training programs for all workforce members– this may include periodic reminders addressing malicious software or guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders or hoax e-mail.

For assistance with HIPAA and/or the breach notification rules please contact Elana Zana or Jefferson Lin.

 

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its 5th HIPAA breach since 2009.  This is Stanford’s third largest breach, affecting nearly 13,000 patients.   A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford.  The laptop was un-encrypted and contained patient information including: name, medical record number, age telephone numbers, surgical procedures and treating physicians.  Though the laptop had a broken screen, there is still the possibility of extracting the data from the computer.

Stanford’s other breaches include a disclosure  of 20,000 patient records when a subcontractor of a business associate placed patient information on the web seeking assistance with using Excel, the data was left on the website for nearly a year.  This breach has resulted in a $20 Million class action law suit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records when an unencrypted laptop with patient information was stolen from a physician’s car.  In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office.  Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft of a laptop by an employee containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches.  Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes:  encrypt all PHI and destroy broken devices (remember though broken, the data is still valuable to thieves).

For assistance with  HIPAA and/or the breach notification rules please contact Elana Zana.