Security Warning Wednesday - Recent HIPAA Fails

I'm constantly keeping up with the latest HIPAA news. Learning from the mistakes of others is one of the many ways we help ensure that we're doing everything we can to help our clients maintain compliance. One of the major benefits of being a concierge service and spending so much time with our clients is that we can help discover issues that are not technical in nature in addition to the tech aspects.

There were a few stories that resonated with me this week. Here are my thoughts on a couple of them: 

  1. UNC Health leaked 1,300 prenatal patient records: This was not electronic in nature. These were physical forms that were mailed from UNC Health to the local county health departments. This was only supposed to happen for Medicaid-eligible patients but they accidentally included 1300 non-medicaid patients as well. It's about as benign of a breach that is going to occur. So why mention it? Because it's still a breach. And because it is over 500 records it is a reportable event that will trigger an OCR audit. At best it's a time consuming hassle and if UNC Health doesn't have their HIPAA affairs in order, it could result in fines or other penalties.
  2. Denton Heart Group Hard Drive Stolen: An external hard drive used to store backup was stolen from a normally locked cabinet. This hard drive had seven years of backup data on it. There wasn't a number of patients indicated on their release but since it was posted on their website it is assumed to be over 500 records. In this case had the proper technical safeguards been in place and this hard drive been encrypted, this would not have even been a reportable event. Now the practice must face the consequences associated with the breach on both the federal and state levels. Forensics, attorney fees, patient notification and credit monitoring -- even a breach that is not suspected of being for malicious use of patient data can get expensive quick!

There have been 14 major breaches reported for the month of March so far with still a week to go. That said, protecting Personally Identifiable Information (PII) is not just a HIPAA compliance issue either. Most states have privacy laws that require breach notification. In Florida we have the Florida Information Protection Act. You can read more about FIPA here. The Attorney General's office may be full of fantastic people but I think most of us would prefer to not have to get to know them on a professional level. :)

At NeoCloud Consulting we designed our security and technical standards with HIPAA compliance in mind but they apply any industry in which sensitive customer data is collected. Our remote management system automatically disables the use of USB drives for any computer on our client's networks. Exceptions are made by client request when necessary but those machines are documented so that the risk is known. We are also developing a monitor which will alert us almost immediately if a non-encrypted drive is connected to a managed workstation so that we can notify the business owner of the potential vulnerability. 

Breaches are going to happen, it's just a fact of doing business these days. Working hard to prevent them, constant education and being prepared with the proper policies and procedures when they do occur is the key. Have these in place can be the difference between a business challenge that can be overcome and a catastrophic event that can cost more than a business can afford. Stay safe and protect that data!

If you have any questions or comments, please contact me and I'll be happy to discuss.