Tuesday 16 June 2015

PHI Data Breaches for NY, Texas Organizations

PHI data breaches can impact both patients and the healthcare facility that experienced the breach. Patients may have to work to ensure that their personal information is not used maliciously, while covered entities or their business associates will need to make security changes to prevent the same thing from happening again. Moreover, organizations could face federal or state fines for the PHI data breach.

Incidents at two facilities prove the importance of proper patient notification and why HIPAA technical safeguards are a key aspect of an organization’s data security plan. A comprehensive approach is essential, and one small oversight could lead to large data security issues.

PHI data breaches expose New York and Texas patient information

Unencrypted laptops stolen, facility notified months later

A Texas-based firm that had contracted with a New York health system to process and collect payments had five unencrypted laptops stolen from one of its offices on September 2, 2014.

Global Care Delivery (GCD), Inc. reported that five laptops were stolen, and while the devices were unencrypted, they were password protected. GCD had been contracted with North Shore-LIJ Health System, but did not notify the health system of the incident until May 11, 2015, according to a North Shore statement.

The laptops contained information on approximately 18,000 North Shore patients, including first and last names, dates of birth, internal account numbers, diagnosis and procedure codes, and insurance identification numbers. Approximately 2,000 patients’ Social Security numbers were also included, according to the statement. However, financial information and credit card numbers were not on the devices.

The laptops have not been recovered, but both facilities said they are not aware of any misuse of the data. Even so, potentially affected individuals were strongly encouraged to “remain alert to potential harm by obtaining a credit report from one of the major credit reporting agencies and monitoring any accounts for unauthorized activity.” Individuals who were impacted will receive identity protection services for one year.

“We are taking all appropriate steps to minimize the risks of such incidents in the future, including the encryption of all laptops, servers and electronic devices maintaining North Shore-LIJ patient information,” stated the notification letter sent to patients.

While encryption is not required under HIPAA, the breach notification rule does not allow covered entities and their business associates to take that long to notify the affected parties.

“Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach,” according to HHS. Moreover, “a business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.”

While it is not clear from the North Shore statement or patient notification letter whether GCD was technically a business associate, it will be interesting to see how this incident plays out and whether any fines will be dealt out for how long it took to notify the health system and the patients involved.

Medical records inadvertently posted online

The Texas Department of Aging and Disability Services (DADS) is notifying approximately 6,600 Medicaid recipients that their PHI was mistakenly made accessible online.

DADS was informed on April 21, 2015 that the information was accessible through a web application meant for internal use only, according to a DADS statement. The department added that it “immediately took down the website and launched an investigation, which is ongoing.”

Exposed information included names, residences, mailing addresses, dates of birth, Social Security and Medicaid numbers, and medical diagnoses or treatment information.

“DADS has no reason to believe any of the information has been misused,” the statement explained. “DADS has strengthened its policies, procedures and web-application security in an effort to prevent such a breach from occurring again.”

Department spokeswoman Cecilia Cavuto told the Austin American-Statesman that it’s unclear if the application had been online since it was built eight years ago. Cavuto added that it is possible the data was posted when its handling was transferred to another department last fall.

“I don’t think we have the answer to what exactly caused this breach just yet,” Cavuto said. “It looks like the application was developed without the appropriate security. It was supposed to be an internal application, which points to human error.”

View the original content and more from this author here: http://ift.tt/1J2tGoZ
