5 HIPAA & HITECH breaches that cost businesses millions
You've probably read and heard a lot about just how costly HIPAA and HITECH violations can be. Think a monster fine couldn’t happen to your business, or that these huge fines aren’t doled out regularly? Think again. Here are five jaw-dropping electronic protected healthcare information (ePHI) breaches that cost businesses millions — some of the largest on record — according to the information technology experts at Frontier IT in Colorado Springs.
Advocate Health Care
This is the largest single-entity HIPAA fine on record, according to Becker’s Health IT & CIO Review. What happened? Three events: a burglary that resulted in four stolen laptops, a data breach and an additional burglary that resulted in an additional stolen laptop. According to Becker’s, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) “concluded that Advocate failed to assess the risks of its ePHI, restrict physical access to its IT systems, receive written record that its associates would protect Advocate’s ePHI and guard an unencrypted laptop while it was in an unlocked car overnight.”
In sum, the ePHI of 4 million individuals was potentially compromised, including credit card numbers and clinical information. (There is no evidence that the data was misused, according to Advocate.)
New York-Presbyterian Hospital & Columbia University
This fine isn’t much less than Advocate’s, but the breach affected far fewer patients — only 6,800, actually. What happened? The data of said patients (including vitals, medications and lab results) became available via Google and other search engines, according to Health Data Management. (Neither agency admitted liability or wrongdoing.)
Cignet
Forty-one patients. That’s a relatively small number, but the price each paid when this set of Christian-based health clinics refused to hand over medical records was potentially devastating. Cignet also failed to cooperate with a subsequent investigation and didn’t produce the records, “even after a federal subpoena was issued,” according to The Washington Post.
Eventually Cignet coughed up the records, The Post reported. What caused the delay? We’re not sure, but one can imagine how hard it would be to respond to a medical records request if ePHI had been taken hostage by ransomware or deleted by an employee looking for revenge. This drives home the importance of medical providers utilizing a HIPAA- and HITECH-compliant, cloud-based backup solution like Datto Backupify.
Feinstein Institute for Medical Research
The 2012 theft of a Feinstein Institute for Medical Research employee’s laptop from a car resulted in the exposure of ePHI for as many as 13,000 people — including their lab results, diagnoses and medications — according to Health IT Security. OCR’s investigation found that the organization’s “security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity,” according to business law firm Dykema. The institute agreed to a corrective action plan that included “conducting a robust security risk analysis,” according to the law firm.
Children’s Medical Center of Dallas
The center, part of the seventh largest children’s healthcare provider in the U.S., reported two data breaches to OCR: the loss, at an international airport, of an unencrypted smartphone containing the ePHI of nearly 4,000 patients, and, several years later, the theft of an unencrypted laptop containing the ePHI of nearly 2,500 patients, according to Careers Info Security. OCR alleged that the medical center had failed to encrypt ePHI as far back as 2007, the website reported.
There are some things you just can’t prevent, try as you might: natural disasters, employees going rogue, robberies. But there are steps you can take to protect your clients’ ePHI — steps your business is required by law to take.
Not all businesses heed this warning.
Many of those that don’t end up on a list like this.
We know: Not a fun thought.
What to do? Contact a solid, experienced MSP, or managed service provider, that works with small businesses to provide managed IT services in an a la carte fashion, the experts at Frontier IT recommend. Many MSPs offer services like disaster recovery/backup, help desk support, server/network monitoring and HITECH-compliance consulting at prices small- and mid-sized businesses can afford.
Frontier IT specializes in helping medical businesses of all types — private practices, dentist offices, therapist offices, veterinarians and more — meet and maintain HIPAA and HITECH compliance, and keep secure the priceless ePHI they’re responsible for. What’s more, they also specialize in working with small businesses.
If you’d like to chat about a potential partnership, drop them a line today.