The Boston-based hospital will pay $100,000 to the state of Massachusetts after an unencrypted laptop was stolen containing the protected health information (PHI) of 4,000 patients and employees. A physician failed to follow the hospital’s laptop encryption policy, resulting in the data breach. The computer was not issued by the hospital, but the hospital was aware the physician was using it. The assumption is that the physician was using a personal laptop and, for some reason, the hospital assumed the computer met its security standards.
That’s strike one.
The theft occurred in May 2012, and the hospital did not notify those affected until three months later. Federal HIPAA regulations require notification within 60 days of breach discovery. The rules state:
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
That’s strike two.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” Massachusetts Attorney General Martha Coakley said in a November 21 statement. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”
That’s strike three.
Unfortunately, this is becoming commonplace as more healthcare organizations are faced with data breaches. New York-Presbyterian Hospital and Columbia University Medical Center had to pay $4.8 million to settle alleged HIPAA violations after the PHI of 6,800 patients showed up on Google back in 2010. The information was exposed when someone accidentally put an unprotected server on the network. The data was so widely accessible that the hospital and medical center learned of the breach only after receiving a complaint from someone who saw the information of their deceased partner online.
Healthcare organizations and their associated partners can expect to pay an average of $810,000 per security breach, with some estimates as high as $2.4 million per incident, according to the Ponemon Institute’s Annual Benchmark Study on Patient Privacy and Data Security. It can easily cost a company upwards of $200 per record to recover from a breach.
Enterprise DRM is one of the best technologies to prevent data breaches. By encrypting files and applying a dynamic security policy to them as they are created or downloaded from document repositories, you can ensure a data breach will not happen. Under HIPAA rules, if PHI is rendered unusable, unreadable, or indecipherable, a data breach notification is not required. The rules state:
The guidance specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
Security breaches will occur, so it’s best to implement technology that protects you, your patients, and your employees. About 41 million people have had their PHI compromised in reportable HIPAA privacy or security breaches, according to data from the Department of Health and Human Services.
Make sure you aren’t next.
Photo credit Miran Rijavec