[BreachExchange] HIPAA Breaches: Size Doesn't Necessarily Matter

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 31 19:47:54 EDT 2016


http://www.lexology.com/library/detail.aspx?g=4d177f7d-7ce6-4d49-bb50-3d5eeca15c01

The U.S. Department of Health and Human Services Office of Civil Rights
(OCR) made headlines this month with a record $5.55 million HIPAA
settlement reached with Advocate Health Care System, Illinois’ largest
health care system with 12 acute care hospitals. That settlement dealt with
three different data breaches that compromised more than four million
individual patient records.

Since announcing the Advocate settlement, the OCR has made a special effort
to let the health care world know that neither a smaller-sized breach nor a
smaller-sized organization will be protected from OCR scrutiny. The OCR
announced a new initiative giving special attention to smaller breaches –
i.e. those involving protected health information (PHI) of fewer than 500
individuals. In its August 18 announcement, the OCR advised that its
regional offices will increase their efforts "to identify and obtain
corrective action to address entity and systemic noncompliance" related to
smaller breaches.

The OCR’s announcement regarding its new "smaller-sized" breach initiative
referred to the following “recent” settlements involving smaller reported
breaches:

• Hospice of Northern Idaho – $50,000 settlement in 2013 following the 2010
theft of an unencrypted laptop computer from an employee’s car, containing
electronic PHI (ePHI) of 441 individuals.

• QCA Health Plan of Arkansas – $250,000 settlement in 2014 following the 2012
theft of an unencrypted laptop computer from an employee’s car, containing
ePHI of 148 individuals.

• St. Elizabeth’s Medical Center – $218,400 settlement in 2015, following the
Massachusetts hospital’s 2012 report of workforce members using an
Internet-based document sharing application to store ePHI of at least 498
individuals, plus a 2014 breach of ePHI on a former workforce member’s
personal laptop and USB flash drive.

• Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) –
$650,000 settlement in July 2016 after the theft of an employee’s unencrypted
iPhone, containing ePHI of 412 residents of six nursing homes for which CHCS
was providing management and information technology services.

One of the most frequent risk factors for special attention from the OCR is
that the organization failed to assess its risks – particularly with
unencrypted ePHI on mobile devices – and to adopt reasonable precautions.
It’s also clear from recent settlements and the recent “no break for small
breaches” announcement that the OCR is looking closely at breaches
involving IT system intrusions (e.g., hacking) and those involving business
associates’ activities.

The monetary amounts announced in OCR settlements are frequently dwarfed by
the costs of the accompanying mandated corrective actions, and by the
reputational costs and operational disruptions that accompany a data breach.
Giving attention now to risk analysis and preventative measures, and to
contracts with business associates, can greatly reduce the significant risks
organizations face.