[BreachExchange] HIE breach raises new, unanticipated questions

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 10 18:54:03 EDT 2016


http://www.fiercehealthcare.com/it/hie-s-breach-raises-new-unanticipated-questions

Yet again a tree fell down in the health IT forest and it didn’t make a
sound.

But it should. One of the worst fears about health IT has been realized,
and it’s probably just the tip of the iceberg.

Boston-based Codman Square Health Center reported to the Department of
Health and Human Services last month that an employee of an outside vendor
obtained unauthorized access to the health information exchange (HIE) in
which Codman participates by using an employee’s access credentials,
HealthcareInfoSecurity.com reported recently. The HIE, New England
Healthcare Exchange Network (NEHEN), serves providers and plans throughout
the region. Codman acknowledges on its website that the information
accessed included names, addresses, dates of birth, gender, medical
services, payer information, insurance information and possibly Social
Security numbers. In other words, yet another major breach.

But this one is potentially more significant than our garden-variety
breaches and deserves more attention than what it has received--because of
the nature of the breach itself.

Most discussions about the vulnerability of patient data held by an HIE
relate to the actions of the HIE as a business associate under HIPAA to the
covered entities supplying the information, which the HIE handles on their
behalf. The concern is that the business associate makes an error, causing
the breach and exposing the records.

That's not what happened here. NEHEN’s records were compromised by a third
party, evidently in cahoots with or taking advantage of at least one
employee of one of the covered entities providing records to NEHEN. Ouch.

But it gets worse.

Had the breach been limited to Codman’s own patients, it would have
affected only 140 people. The vendor here also impermissibly accessed the
records of 4,000 other patients in the HIE, a huge difference, and one that
catapulted the breach into higher-stakes, HHS-Wall-of-Shame territory.

Then there’s the problem of how to comply with HIPAA’s breach notification
requirements. HIPAA requires a covered entity to notify affected patients
of a breach of their health information, and provides various alternative
methods to do so. However, the law contemplates that since they are the
entity’s patients, that the entity has some patient contact information in
the record, even if it isn’t current. At least it’s a starting point.

Codman doesn’t have that luxury. It doesn’t have all patient contact
information, since most of the affected patients aren’t Codman’s. Codman
itself states that “All patients of Codman Square Health Center who are
affected will be notified by mail. ... For affected individuals who are not
Codman patients, those directly affected will be notified by mail if
contact information is provided.”

That means that patients may never know that they were victims of this
breach.

Moreover, this incident raises a host of more disturbing questions:

Will patients be less likely to agree to allow their records to be part of
an HIE? And should more HIEs adopt “opt-in” provisions so patients don’t
end up in an HIE by default because they didn’t “opt-out”? Will they be more
likely to withhold information even from their own providers?

Will providers be more leery of providing patient information to an HIE
because of the security risk, and less likely to trust the patient
information they’re accessing?

Are the current methods of protecting data being held by an HIE sufficient?

Who should handle the breach of data? Here, it was Codman which was at
fault. But Codman admits it may not be able to notify everyone. What should
be done when data from more than one provider or plan is compromised? And
what if it were intermingled, so tracing back the source is more difficult?

And perhaps most importantly, what does a breach like this say about HIEs
themselves and interoperability? If the integrity of an HIE can be
compromised this easily, are HIEs the best avenue for data sharing?

These questions--and their answers--need much more attention.