A leak of patient health information through a cloud-based file-sharing platform contributed to an almost quarter million dollar fine levied against a Boston hospital for violating the federal HIPAA law, according to media reports.
The Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a settlement with St. Elizabeth's Medical Center in Boston, with the hospital agreeing to pay penalties totaling $218,000 stemming from a November, 2012 complaint.
According to a settlement statement released by HHS, OCR received a complaint alleging noncompliance with the HIPAA Rules by Saint Elizabeth’s staff, who were using what was described as an “Internet-based document sharing application” to store documents containing electronic protected health information (“ePHI”) corresponding to 498 individuals. An investigation was launched in February, 2013. Subsequently, Saint Elizabeth’s notified HHS of a leak of unsecured ePHI affecting an additional 595 individuals. That data was stored on a former Saint Elizabeth’s employee’s personal laptop and USB flash drive.
In its ruling, HHS’s Office of Civil Rights found that Saint Elizabeth’s failed to “implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level.” Just as important, the medical center didn’t “identify and respond to a known security incident” or take steps to mitigate the harmful effects of the security incident, and document the security incident and its outcome.
The nearly quarter million dollar fine isn’t the largest levied against a hospital. New York Presbyterian Hospital owns that honor, after being fined $4.8 million after a server containing patient information at the hospital became exposed to the public Internet, including Google’s search engines.
Other large HIPAA fines have resulted from the theft of unencrypted laptops, especially when the organization in question is discovered to have lax IT security practices or a cavalier attitude towards protecting patient information. But the Saint Elizabeth’s fine may be a harbinger of what’s to come, as more health organizations rely on cloud based applications and resources to improve efficiency and lower costs. In just the last year, targeted attacks on systems operated by major health networks including Anthem, Community Health Systems and Premera have spilled sensitive health data and other information affecting hundreds of millions of U.S. residents. Some of those attacks specifically targeted hosted electronic health record (EHR) systems. And, while no HIPAA fines specifically linked to those incidents have been issued, it is reasonable to think that some of those issues will result in investigations by HHS that lead to fines for failing to adequately protect patient information.
What are healthcare organizations to do? The key takeaway from settlements with OCR to date isn’t so much “don’t make mistakes” as “don’t be stupid or callous.” Indeed, if history is a guide, OCR reserves its harshest penalties not for firms that lose the most data, but for healthcare organizations that seem to disregard the meaning and intent of HIPAA: failing to do basic blocking and tackling, or turning a blind eye to obvious red flags. And that’s as it should be.
In such a regulatory environment, then, organizations need to take steps to try to prevent errors and mistakes even if perfection is elusive. Even the most well-intentioned organization can’t keep hundreds or thousands of employees from accessing cloud based storage services like DropBox and iCloud. But showing an awareness that such services exist and that they pose a threat to your organization’s and patients’ security and privacy is far better than sticking your head in the sand and assuming that everybody knows enough not to use such services as a convenience when moving PHI. Medicus emptor!
Paul F. Roberts is the Editor in Chief of The Security Ledger.
