In 2014, headline after headline reported large-scale security breaches that compromised the personal information of millions of individuals. These breaches involved sensitive data held electronically by some of the largest companies in the world and shone a bright light on the inadequacies of the information technology and security controls used to protect personal information. Electronic data breaches did not spare the health care industry either. As health care entities continued to transition to electronic recordkeeping, the risk of a breach of electronic protected health information (ePHI) grew significantly. The FBI’s Cyber Division addressed this growing concern in early 2014, warning health care providers that their systems were increasingly vulnerable to attack because of the transition to electronic health records, cybersecurity standards that lag behind those of other industries, and the higher resale value of health data compared to credit card numbers. While credit card numbers and Social Security numbers typically sell for $1 to $2 on the black market, health insurance credentials can be worth upwards of $20.
Confirming the FBI’s warning, a report from the Identity Theft Resource Center found that health care data breaches accounted for 43% of major data breaches in 2013 and were on the same pace in 2014. Other studies have shown that up to 90 percent of health care organizations experienced at least one data security incident in the preceding two years. Thus, it is no surprise that the Office for Civil Rights (OCR), the government entity that enforces the HIPAA Privacy and Security Rules, was on high alert this year. Examples of the most significant ePHI-related incidents of 2014, with OCR enforcement expected, include:
- In August, Community Health Systems reported that the records of approximately 4.5 million patients were stolen after attackers exploited the Heartbleed vulnerability (a flaw in the OpenSSL library, not a virus) to gain access to its electronic systems. The attackers took Social Security numbers and other personal information, including patient names, addresses, and phone numbers. Analysts estimate that fines and remediation costs could total $75 to $100 million.
- In May, the Montana Department of Public Health and Human Services notified 1.3 million individuals that their personal information may have been compromised after a state health department server was found to have been hacked, exposing the protected health information of current and former medical patients, health agency employees, and contractors.
- In February, the Los Angeles County Department of Health Services reported that eight unencrypted computers were stolen from its billing company, Sutherland Healthcare Solutions. The breach affected over 330,000 patients. The health information included Social Security numbers, certain medical and billing information, birth dates, and diagnoses.
- In May, Touchstone Medical Imaging (Touchstone) discovered that a seldom-used folder containing patient billing information had inadvertently been left accessible from the Internet. Touchstone initially believed the folder’s contents were not readable, but further investigation indicated that the information may have been readable and included patients’ names, dates of birth, radiology procedures, and in some instances Social Security numbers. Over 307,000 patients were affected by the breach.
The OCR has been warning of a more aggressive approach to HIPAA privacy and security enforcement. Although the OCR lost some of its funding in 2014, resulting in a lower enforcement rate than anticipated, both the number and the size of monetary penalties for confirmed breaches increased. In fact, 2014 saw the greatest number of HIPAA settlements by the OCR to date, and most of the largest penalties unsurprisingly involved a breach of ePHI. The following are the most substantial OCR settlements concerning a breach of ePHI in 2014:
- On May 7, 2014, New York and Presbyterian Hospital (NYP) and Columbia University (CU) entered into a $4,800,000 settlement, the largest HIPAA settlement to date. NYP and CU had submitted a joint breach report regarding the disclosure of the ePHI of 6,800 individuals after a CU faculty member who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network that contained NYP patient ePHI. Because of a lack of technical safeguards, deactivating the server left the ePHI accessible to, and indexed by, Internet search engines. The breach was discovered after an individual found the ePHI of a deceased partner through a web search.
- On April 22, 2014, Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA) paid a combined $1,975,220 to settle HIPAA violations. The OCR opened a compliance investigation of Concentra after receiving a breach report that an unencrypted laptop had been stolen from one of its facilities. Similarly, the OCR received a breach notification from QCA reporting that an unencrypted laptop containing the ePHI of 148 individuals had been stolen from a workforce member’s car. In both cases the lack of encryption was decisive: under HHS guidance, ePHI encrypted in a manner consistent with NIST standards is considered “secured,” so the theft of a properly encrypted device is not a reportable breach at all.
- On March 7, 2014, the OCR entered into a $215,000 monetary settlement with Skagit County, Washington, after receiving a breach report that money receipts containing the ePHI of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. This is the first settlement with a county government and is likely intended by the OCR to send a strong message to local and county governments regarding their compliance efforts.
- Most recently, in December, Anchorage Community Mental Health Services (ACMHS) agreed to settle with the OCR for $150,000. The OCR opened an investigation after receiving notification from ACMHS of a breach of unsecured ePHI affecting over 2,700 individuals after malware compromised its information technology resources. The OCR attributed the incident to ACMHS’s failure to apply available patches and its continued use of outdated, unsupported software.
While technological advancements undoubtedly improve the quality and cost of health care services, the increased risk of security breaches and the substantial consequences that accompany them must be at the forefront of discussion. We predict that 2015 will bring an even greater number of reported security breaches as reliance on cloud computing and storage of ePHI on mobile devices continues to grow. As health care entities become more dependent on electronic storage of data, they must redouble their efforts to keep ePHI adequately protected. The 2014 incidents point to the basics: encrypt portable devices and media, apply security patches promptly, and maintain an accurate inventory of which servers and storage locations are reachable from the Internet.