News & Announcements
Theft of University of Michigan Employee's Laptop Could Have Exposed Health Information of About 870 People
Judge Rules in Favor of OCR and requires University of Texas MD Anderson Cancer Center to pay $4.3 million in civil penalties for HIPAA violations
The ALJ ruled that MD Anderson violated the HIPAA Privacy and Security Rules and granted summary judgment to OCR on all issues. This is only the second summary judgment victory in OCR's history of HIPAA enforcement. The case was decided after OCR investigated three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop and the loss of two unencrypted USB flash drives containing the ePHI of over 33,500 individuals. OCR's investigation found that MD Anderson's own risk analyses had identified the lack of device-level encryption as a high risk to the security of ePHI, but that MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011.
See the ALJ Decision.
Covered Entities are obligated to adhere to the HIPAA Security Rule, which requires physical safeguards for all workstations that access electronic PHI (ePHI). Failure to take reasonable steps regarding physical security may have serious consequences. According to OCR, there are many low-cost physical security controls available to covered entities, such as privacy screens for computers and cable locks to deter theft. Port and device locks help prevent unauthorized copying of data to removable media and restrict exposure to malicious software. OCR also suggests covered entities utilize various cost-free physical security measures, including workstation screen positioning and locking rooms that store electronic equipment or media.
For more information about physical security strategies, see the May 2018 OCR Cyber Security Newsletter.
Ransomware Attack in Rochester, Minnesota Impacts More than 6,500 Patients, Affected Entity Responds Quickly
The ransomware attack was discovered on March 31, 2018. Immediately after the discovery, the affected entity took its systems offline to prevent the spread of the ransomware and limit the potential for further data theft. The entity targeted by the attack stated the patient information stored on the affected computers was not in a “human-readable” format. The entity did, however, notify all patients whose data was stored on affected devices of the breach, as a precaution. All systems have now been restored and additional layers of security and encryption have also been implemented to prevent further attacks or breaches.
FMCNA has agreed to pay $3.5 million to the Office for Civil Rights (OCR) and to adopt a corrective action plan after five breach reports regarding ePHI (Electronic Protected Health Information). OCR found that FMCNA Covered Entities impermissibly disclosed the ePHI of their patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. OCR also found that the Covered Entities failed to implement policies and procedures to safeguard the facilities and equipment that contained ePHI. On February 1, 2018, the parties agreed to a corrective action plan to prevent future disclosures.
21st Century Oncology (21CO) Agrees to Pay $2.3 Million for Failure to Conduct Thorough Assessment of Vulnerabilities to ePHI
OCR's investigation revealed that 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Earlier investigations revealed that patient information was obtained by an unauthorized third party and determined that over 2.2 million individuals were affected by the impermissible access to their names, social security numbers, physicians' names, diagnoses, treatment, and insurance information. In addition to a $2.3 million monetary settlement, a corrective action plan requires 21CO to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements (BAAs) to OCR, and submit an internal monitoring plan.
Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and implementing a corrective action plan. OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR. “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The University of Massachusetts Amherst (UMass) was investigated by HHS following a report that a workstation in the UMass Center for Language, Speech, and Hearing had been infected with a malware program. The malware program resulted in the disclosure of protected health information of 1,670 individuals. The HHS investigation revealed that UMass had failed to implement security measures such as ensuring that firewalls were in place, and that UMass had failed to conduct an accurate and thorough risk analysis until years after the malware infection. The settlement between HHS and UMass will require UMass to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures related to compliance and security, and retrain its staff. The settlement also included a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015.
HHS investigated OHSU after it reported multiple breaches involving thousands of individuals, including breaches related to unencrypted laptops and an unencrypted thumb drive. HHS determined there were widespread vulnerabilities in the OHSU HIPAA compliance program, even though OHSU had completed a risk analysis as required under HIPAA in 2003, 2005, 2006, 2008, 2010 and 2013. The HHS investigation revealed that the risk assessments performed by OHSU had not covered all of the PHI in the OHSU enterprise, that OHSU had not entered into a business associate agreement with a cloud storage vendor that was storing the PHI of over 3,000 individuals, that it had failed to implement encryption despite identifying the lack of encryption as a risk, and other weaknesses. In addition to the monetary payment, OHSU is required to be monitored by and make reports to HHS on a regular basis for the next 3 years.
North Memorial Pays $1.55 Million for Loss of PHI by Business Associate, Failure to Have Business Associate Agreement, and Lack of Risk Assessment
On March 16, 2016, HHS announced that North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it had potentially violated HIPAA. Accretive Health, Inc., was given access to North Memorial's PHI to perform certain services, although the parties did not enter into a Business Associate Agreement as required under HIPAA. A laptop of an Accretive employee was stolen, which impacted the ePHI of over 9,000 individuals. The laptop was password protected, but not encrypted. Investigation by HHS also revealed that North Memorial had failed to complete a risk assessment of its IT infrastructure.
An orthopaedic clinic in Raleigh, N.C. agreed to pay $750,000 for failing to have a business associate agreement in place with a vendor that received x-rays of over 17,000 of the clinic's patients. The vendor was hired to transfer the x-ray images to electronic media, but there was no business associate agreement in place between the clinic and the vendor. In addition to paying the fine, the clinic was required to establish a process for assessing whether vendors are business associates, designate someone to be responsible for ensuring that business associate agreements are in place before release of PHI to vendors, and update other policies and procedures.
On April 21, 2016, NY Presbyterian Hospital agreed to pay $2.2 million for unauthorized disclosure of patient information to ABC film crews who were filming for the ABC series NY Med. The film crews were on the premises of NY Presbyterian and captured film of one patient who was dying, and another who was in significant distress. Neither patient had authorized the filming. HHS found that NY Presbyterian blatantly violated HIPAA requirements to keep patient information protected, allowing ABC film crews virtually unlimited access to its facility. In addition to the monetary penalty, NY Presbyterian is required to submit reports and be monitored by the Office of Civil Rights for the next 2 years.
Approximately 13,000 research participants and patients were impacted when a laptop containing their names, SSNs, dates of birth, addresses, diagnoses, lab results and medical information was stolen. Feinstein Institute for Medical Research was investigated by HHS following the initial report of the theft. The investigation revealed that Feinstein had a limited security management process that was insufficient to address potential risks and vulnerabilities to PHI. The Office for Civil Rights (the enforcement agency of HHS for HIPAA matters) Director Jocelyn Samuels stated that "for individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure."
The PHI of 90,000 individuals was accessed after an employee downloaded an e-mail attachment containing malware. HHS conducted an investigation, in which it found that UW had failed to adequately perform risk assessments and implement safeguards to protect against such intrusions. UW agreed to pay $750,000, institute a corrective action plan and submit compliance reports to HHS for the next two years.
A laptop stolen from an unlocked treatment room led to an investigation of Lahey Hospital by HHS. The investigation revealed widespread non-compliance with HIPAA, resulting in an $850,000 settlement.