HIPAA Violations Examples and Cases – Eight Cautionary Tales
Blog Article Published: 10/06/2016
By Ajmal Kohgadai, Product Marketing Manager, Skyhigh Networks

The Health Insurance Portability and Accountability Act (HIPAA) helps protect patient privacy by requiring healthcare organizations and their business associates to protect sensitive data — including how the data is used and disclosed. As the healthcare industry is increasingly targeted by cyber attackers, HIPAA gives healthcare organizations minimum benchmarks for assessing and implementing their cyber defenses.

Patient health data is highly sought after by cyber criminals because they can exploit it in many different ways and for much longer periods of time than information such as credit card numbers. On black-market marketplaces on the dark web, stolen medical data can sell for 10 to 20 times more than credit card data. One report found that stolen Medicare numbers sold for nearly $500 each. Because medical records are rich with information, they can be used for committing identity theft, medical identity theft, and tax fraud; obtaining loans or credit cards; sending fake bills to insurance companies; obtaining and then reselling expensive medical equipment — and the list goes on. And unlike a credit card number, which can easily be cancelled once it has been compromised, medical health records can’t be altered and remain useful to a thief for far longer. Stolen medical records of terminally ill patients are especially valuable because that information can be used to receive other services on behalf of the patient long after the patient has passed away.

HIPAA requires that healthcare organizations report any data breach involving more than 500 patient records. According to the HHS web portal, there have been 205 such breaches so far this year. Many breaches of electronic protected health information (ePHI) that have resulted in HIPAA fines were the result of carelessness or a lack of data protection and could have been avoided.

Numerous HIPAA fines have stemmed from the lack of risk assessments or properly implemented risk management plans. A risk assessment is a foundational step that healthcare organizations must take to evaluate all of the vulnerabilities, threats, and gaps in their defenses so that security risks can be mitigated.
The Worst HIPAA Violations — and What You Can Learn from Them

Advocate Health Care Network, $5.5 million

This is the largest HIPAA settlement as of September 2016 and was the result of three separate data breaches that affected a total of 4 million individuals. One of the incidents involved an unencrypted laptop that was stolen from an employee vehicle, and another involved the theft of four computers. The Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, noted that Advocate Health Care failed to conduct an accurate and thorough risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI. A risk management plan of this kind needs to include not only technical but also physical and administrative safeguards.

New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million

In a joint case, the two organizations were fined after 6,800 patient records were accidentally exposed to public search engines. The breach was caused by an improperly configured server that was personally owned by a physician and connected to the network containing ePHI. NYP lacked processes for assessing and monitoring all of its systems, equipment, and applications connected with patient data. It also didn’t have appropriate policies and procedures for authorizing access to patient databases. Both of these violations would have been easy to prevent through administrative processes.

WellPoint, Inc., $1.7 million

The managed care company exposed the records of more than 600,000 individuals over the internet after upgrading an internet-based database containing ePHI. WellPoint didn’t know about the breach until a lawsuit notified the company that the data was available through a web portal. This kind of incident could be avoided by:
- Performing a technical evaluation of changes resulting from software upgrades ahead of deployment
- Implementing technology, policies, and procedures for authenticating users who access ePHI, and limiting the categories of users who can access the data.