In cases of inadvertent data loss or theft, there is often plenty of blame to spread around, with third party contractors facing more scrutiny for security lapses.
That’s the clear message in an agreement announced by the Connecticut Attorney General this week that named technology giant EMC Corp. alongside Hartford Hospital and VNA HealthCare as the liable parties in a 2012 case in which protected health information (PHI) on more than 8,000 Connecticut residents went walking.
The firms will share responsibility for paying the state $90,000 in fines for the incident, which violated the federal Health Insurance Portability and Accountability Act (HIPAA), according to a copy of the agreement published by the Attorney General (PDF).
Behind the fine is a story that might sound familiar to many firms operating today. First, there’s the hospital, which engaged a third party firm to help it analyze patient data for a project intended to reduce the incidence of avoidable hospital admissions associated with congestive heart failure.
As part of that project, an employee of the firm – which was subsequently acquired by EMC – loaded patient data for 8,883 patients onto a company-owned laptop, which was carried to and from home and work. The data, however, was uploaded and stored in clear text format and was not encrypted.
That proved fateful when, on June 25, that employee’s home was broken into and the laptop stolen. The employee told EMC, who promptly informed the hospital. Alas, upon closer review, Hartford Hospital realized that it didn’t have a Business Associate Agreement in place with EMC that would have mandated protection standards for PHI.
Three years and $90,000 later, Hartford Hospital has promised the Attorney General that it has revamped its policies and training for employees throughout the hospital including in the IT group. Among other things, the hospital has strengthened compliance training for employees regarding business associates and the legal requirements around Business Associate Agreements.
For EMC’s part, the company promised that it will strengthen internal and external controls around PHI and provide training for employees who handle PHI. EMC also will perform periodic assessments of the effectiveness of the controls related to protecting PHI.
The security of third party firms that manage PHI is a growing issue for healthcare firms of all sizes. In the last year, there have been multiple incidents of leaks of patient data that were the result of third party compromises. Notably, the compromise of the Indiana-based electronic health records (EHR) vendor Medical Informatics Engineering (MIE) affected some 4 million patients of 230 hospitals, doctors’ offices and clinics.
And it’s not just the Federal Government that healthcare providers need to be concerned about. Insurers also are taking a dim view of lax security practices that lead to data loss or theft. In a complaint filed in U.S. District Court in California in May, for example, Columbia Casualty Insurance denied an insurance claim linked to a breach at the healthcare provider Cottage Health.
According to the complaint, the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow “minimum required practices,” as spelled out in the policy. Among other things, Cottage “stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet.”
Related ArticlesHealthcare Cybersecurity: Tips for Securing Private Health Data
A robust healthcare data protection program goes beyond compliance - here are some tips for protecting healthcare data against today's threats.Friday Five: 9/20 Edition
A popular password manager fixes a bug, a 20 million person breach, and more - catch up on the week's infosec and privacy news with this week's Friday Five!$3M HIPAA Settlement, First of 2019, in the Books
It took five months but the Office for Civil Rights' first HIPAA settlement of the year, $3M, stems from a breach involving an unsecured FTP server.