Three Hospitals lose patient data to theft – Managing Risk

Share Your Thoughts: Facebooktwitterlinkedin

Data Theft and Hefty Fines

JimSatterfieldBy Jim Satterfield, President and COO, Firestorm

    • About 56,000 Sentara patients have been notified of potential data breach; a laptop containing information on 56,000 patients with Sentara Healthcare’s outpatient care centers in Hampton Roads was stolen from a contracted medical company employee’s car. Source:
    • Patient data stolen. Omnicell notified 8,555 South Jersey Healthcare patients after a laptop containing patient information was stolen from an employee vehicle. The data breach also affects hospitals in Michigan and Virgina. Source:
    • Gibson General Hospital is notifying patients of a stolen laptop containing patient information. Letters were mailed to patients of Gibson General Hospital in Princenton notifying them of a stolen employee laptop that contained their information. Source:

Significant breaches of confidential patient health data create huge privacy and security concerns. While the US HIPAA legislation on privacy and security has been in effect for many years, healthcare information security remains a significant concern as organizations migrate to electronic health records. Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

The threat and vulnerability for the healthcare sector continues however.

In mid-2012, The Alaska Department of Health and Social Services was ordered to pay a $1.7 million federal fine to resolve violations of the HIPAA Security Rule under its Medicaid program.

The agency also has agreed to a corrective action program negotiated with the federal HHS Office for Civil Rights. The action comes following the theft of a USB drive, from the vehicle of a DHSS employee, that may have contained protected health information, according to a statement from the OCR. An investigation found DHSS had failed on many levels to protect electronic PHI.

Deficiencies included failures to complete a risk analysis, implement sufficient risk management measures, complete security training for employees, implement device and media controls, and address device and media encryption. The resolution agreement between DHSS and OCR is available here.

HITECH Act Enforcement

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.  Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.  

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

  • Four categories of violations that reflect increasing levels of culpability;
  • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
  • A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

  • Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
  • Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

In a related area, in 2003, Congress enacted the Fair and Accurate Credit Transactions Act (FACTA Act) which required the Federal Trade Commission (FTC) and other federal agencies to issue regulations requiring financial institutions and other “creditors” to adopt policies and procedures to prevent identity theft. In 2008 the FTC issued regulations named the “Red Flag Rules“, which went into effect on January 1, 2008 with a final compliance date of August 1, 2009. Subject to the regulation are all financial institutions and a category called “creditors” which is any person or business who arranges for the extension, renewal or continuation of credit.

The Red Flag Rules require the development and implementation of a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a “covered account” or any existing “covered account”. The program must be appropriate to the size and complexity of the entity and the nature and scope of its activities. 16 C.F.R. Section 681.2(d).

While ‘red flag’ rules present compliance issues for businesses, those businesses, to the extent they rely on critical vendors who have access to the same data, have an additional burden. If there is an identity breach by a business vendor, the entity will be in the chain and will be vulnerable to both legal liability and negative publicity.

Firestorm has deep experience in these areas, and can develop a red flag plan within 30 to 45 days of a final scoping report, following a plan review, that will satisfy the requirements of the regulations. The plan will be designed to detect, prevent, and mitigate identity theft and be tailored to your company’s size, complexity and the nature of its operations. A plan will include ‘reasonable policies and procedures’ that will:

  • Identify relevant red flags and incorporate those red flags into the plan;
  • Detect red flags that have been incorporated into the plan;
  • Respond appropriately to any red flags that are detected;
  • Train staff and confirm identity and responsibility of Compliance Officer;
  • Ensure the plan is updated periodically, to reflect changes in risks to clients or to the safety and soundness of the financial institution from identity theft.

No matter the Rule, data protection in this day of Bring Your Own Device (BYOD) compounds the issues and challenges for businesses of all types.  Make 2013 the year your company avoids fines and penalties, and create meaningful, actionable training and education for all employees.  To explore plan options today, please contact us at (800) 321-2219 or email [email protected]

Share Your Thoughts: Facebooktwitterlinkedin