We’ve written a lot about just how costly HIPAA and HITECH violations can be. If you’ve been following our blog for a while, you’re well aware that they can cost thousands, even millions. Think a monster fine couldn’t happen to your business, or that these huge fines aren’t doled out regularly? Think again. We here at Frontier IT in Colorado Springs review five jaw-dropping electronic protected health information (ePHI) breaches that cost businesses millions, some of the largest on record. We also offer advice to small medical businesses on staying safe and open for business.

Advocate Health Care
$5.55 million
This is the largest single-entity HIPAA fine on record, according to Becker’s Health IT & CIO Review. What happened? Three events: a burglary that resulted in four stolen laptops, a data breach and an additional burglary that resulted in an additional stolen laptop. According to Becker’s, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) “concluded that Advocate failed to assess the risks of its ePHI, restrict physical access to its IT systems, receive written record that its associates would protect Advocate’s ePHI and guard an unencrypted laptop while it was in an unlocked car overnight.”

In sum, the ePHI of 4 million individuals was potentially compromised, including credit card numbers and clinical information. (There is no evidence that the data was misused, according to Advocate.)

New York Presbyterian-Hospital & Columbia University
$4.8 million
This fine isn’t much less than Advocate’s, but the breach affected far fewer patients: only 6,800, actually. What happened? The data of said patients (including vitals, medications and lab results) became available via Google and other search engines, according to Health Data Management. (Neither agency admitted liability or wrongdoing.)


Cignet
$4.3 million
Forty-one patients. That’s a relatively small number, but the price each paid when this set of Christian-based health clinics refused to hand over medical records was potentially devastating. Cignet also failed to cooperate with a subsequent investigation and didn’t produce the records, “even after a federal subpoena was issued,” according to The Washington Post.

Eventually Cignet coughed up the records, The Post reported. What caused the delay? We’re not sure, but one can imagine how hard it would be to respond to a medical records request if ePHI had been taken hostage by ransomware or deleted by an employee looking for revenge. This drives home the importance of medical providers utilizing a HIPAA- and HITECH-compliant, cloud-based backup solution like Datto Backupify.

Feinstein Institute for Medical Research
$3.9 million
The 2012 theft of a Feinstein Institute for Medical Research employee’s laptop from a car resulted in the exposure of ePHI for as many as 13,000 people, including their lab results, diagnoses and medications, according to Health IT Security. OCR’s investigation found that the organization’s “security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity,” according to business law firm Dykema. The institute agreed to a corrective action plan that included “conducting a robust security risk analysis,” according to the law firm.

Children’s Medical Center of Dallas
$3.5 million
The center, part of the seventh-largest children’s healthcare provider in the U.S., reported two data breaches to OCR: the loss, at an international airport, of an unencrypted smartphone containing the ePHI of nearly 4,000 patients, and the theft of an unencrypted laptop containing the ePHI of nearly 2,500 patients several years later, according to Careers Info Security. OCR alleged that the medical center had failed to encrypt ePHI as far back as 2007, the website reported.

There are some things you just can’t prevent, try as you might: natural disasters, employees going rogue, robberies. But there are steps you can take to protect your clients’ ePHI: steps your business is required by law to take.

Not all businesses heed this warning.

Many of those that don’t end up on a list like this.

We know: Not a fun thought.

What to do? Our recommendation: Contact a solid, experienced MSP, or managed service provider, that works with small businesses to provide managed IT services in an a la carte fashion. Many MSPs like Frontier IT offer services like disaster recovery/backup, help desk support, server/network monitoring and HITECH-compliance consulting at prices small- and mid-sized businesses can afford.

Frontier IT specializes in helping medical businesses of all types (private practices, dentist offices, therapist offices, veterinarians and more) meet and maintain HIPAA and HITECH compliance, and keep secure the priceless ePHI they’re responsible for. What’s more, we also specialize in working with small businesses. (Hey, we started out as one ourselves!) If you’d like to chat about a potential partnership, drop us a line today.