The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued its first settlement under new OCR Director Jocelyn Samuels earlier this month. This latest settlement serves as a reminder that a successful privacy and security compliance program is an ongoing process. Samuels’ statements underscore the importance of monitoring information systems and conducting compliance audits. Samuels calls for entities to “review systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” When it comes to data security, all organizations—from big box retailers to small start-up companies, from large health systems to small provider groups—need to continuously assess risks and vulnerabilities to their data and develop a plan for reducing the risk of a data breach. With health care data of increasing interest and value to cybercriminals, the newly released Experian Data Breach Industry Forecast for 2015 predicts the health care industry will be “plagued” with data breaches in the coming year, stating that “[t]he potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually.” Anchorage Community Mental Health Services (ACMHS) learned this the hard way when it suffered a breach of unsecured electronic protected health information (ePHI) affecting more than 2,700 individuals, caused by malware that infiltrated and compromised its information technology systems. This is the 2nd OCR settlement affecting Alaska organizations, and the 9th OCR settlement from“Region 10.” To resolve the alleged HIPAA violations, ACMHS agreed to pay $150,000 and implement a Corrective Action Plan (CAP). Based on its investigation of the breach, OCR alleged that:
- From April 2005 until March 2012, ACMHS failed to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI it held, as required under 45 C.F.R. 164.308(a)(1)(ii)(A);
- During the same period, ACMHS failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, pursuant to 45 C.F.R. 164.308(a)(1)(ii)(B); and
- From January 2008 until March 2012, ACMHS failed to implement security measures to guard against unauthorized access to ePHI transmitted over an electronic network as required by 45 C.F.R. 164.312(e), such as supporting and regularly updating its IT resources with available patches, and ensuring firewalls with threat ID monitoring capabilities were in place.
According to OCR, the breach was “the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.” (emphasis added). Notably, OCR did not require a monitor as part of the terms of the CAP, which can significantly add to a covered entity’s costs and can extend the length of time that the covered entity must operate under the CAP.
This settlement should serve as a reminder that simply having policies and procedures on the shelf, no matter how good those policies and procedures may be, will not protect an organization from the inevitable cyber-attacks. Many organizations would be well-served to start 2015 by taking a second look at their privacy and security programs. In addition to identifying technical safeguards that should be implemented or updated to protect against cybercriminals, organizations should consider what safeguards, if any, are in place to protect against internal threats. Unfortunately, employee error, or in some cases, malicious efforts, still present a great risk for many organizations.
Beyond OCR’s enforcement, we are seeing an increase in HIPAA enforcement action by state attorneys general, under their HITECH Act authority, and private parties seeking to use HIPAA to demonstrate a standard of care. Health care entities and business associates also should be mindful of other regulators, such as the Federal Trade Commission and the Federal Communications Commission scrutinizing data security practices following a data breach.
Considering the costs associated with breach investigations and notifications, government investigations that may span years, and defending class action lawsuits, addressing data security and compliance gaps before a breach happens is more critical now than ever before.