[BreachExchange] $100,000 Fine in Case Involving Defunct Records Storage Firm

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 14 20:20:38 EST 2018


For the second time in recent months, a federal regulator has signed a
HIPAA settlement with an organization that's either gone out of business or
filed for bankruptcy.

The Department of Health and Human Services' Office for Civil Rights
announced Tuesday that it's entered a $100,000 settlement with Filefax, a
now-defunct medical records storage company at the center of a 2015
"dumpster diver" breach affecting more than 2,000 patients.

Although Filefax shut its doors during the course of OCR's investigation
into alleged HIPAA violations, the firm could not escape its obligations
under the law, OCR says in a statement. "The careless handling of protected
health information is never acceptable," said OCR Director Roger Severino.
"Covered entities and business associates need to be aware that OCR is
committed to enforcing HIPAA regardless of whether a covered entity is
opening its doors or closing them. HIPAA still applies."

"Consequences for #HIPAA violations don't stop when a business closes. Read
about our latest settlement: https://t.co/caQ82ELB8g"

— HHS OCR (@HHSOCR) February 13, 2018

HHS says the receiver for Northbrook, Illinois-based Filefax, who is
responsible for liquidating the shuttered company's assets, has agreed to
pay the $100,000 monetary settlement out of proceeds from the sale of
Filefax real estate.

Filefax advertised itself as providing storage, maintenance and delivery of
medical records for covered entities, OCR notes. In 2016, a court in
unrelated litigation appointed a receiver to liquidate the company's assets
for distribution to creditors and others.

In addition to the monetary settlement, the receiver has agreed, on behalf
of Filefax, to a corrective action plan that involves moving remaining
medical records from Filefax's facility to another vendor, Iron Mountain,
for proper storage and disposal in compliance with HIPAA, the agency adds.

Settlement with Bankrupt Clinic

Late last year, OCR signed a $2.3 million HIPAA settlement with the bankrupt
cancer care clinic chain 21st Century Oncology. Separately, the
Florida-based clinic chain also agreed to false claims settlements totaling
$26 million with the Department of Justice for making false attestations
regarding its use of electronic health records under the HITECH Act
meaningful use financial incentive program, as well as for making other
false claims.

Under the HIPAA resolution agreement with 21st Century Oncology, the
monetary payment to OCR was made by the clinic's cyber insurer, Beazley
Group (see Bankrupt Cancer Clinic Chain's Insurer to Cover Breach Fine).

Filefax Breach Saga

At the center of the Filefax settlement is a breach that occurred in early
2015.
The saga appears to have begun when a local Chicago TV station reported it
received a tip about the discovery of medical charts by a "dumpster diver"
who was selling the papers for recycling. The reporter investigating the
tip also found a Filefax dumpster filled with medical records that should
have been shredded or destroyed before disposal, as well as a parked
vehicle containing medical records.

OCR says it received a complaint about the incident on Feb. 10, 2015,
alleging that an individual transported medical records obtained from
Filefax to a shredding and recycling facility to sell on February 6 and 9,
2015.
OCR says its investigation confirmed that an individual had left medical
records of approximately 2,150 patients at the shredding and recycling
facility, and that these medical records contained patients' protected
health information.

OCR's investigation indicated that between Jan. 28, 2015, and Feb. 14,
2015, Filefax impermissibly disclosed the PHI by leaving it in an unlocked
truck in the Filefax parking lot, or by granting permission to an
unauthorized person to remove the PHI from Filefax and leaving the PHI
unsecured outside the Filefax facility.

Hundreds of pounds of paper medical records of patients at Suburban Lung
Associates, a Chicago-area healthcare provider, were discovered in a
dumpster outside the Filefax building. Suburban Lung Associates had said it
had hired Filefax to retain and then properly destroy its patient documents.

In another, apparently unrelated enforcement action tied to Filefax, OCR
last year signed a $31,000 HIPAA settlement with Center for Children's
Digestive Health, a small Illinois-based pediatric specialty practice that
hired Filefax to store paper records containing patients' PHI but lacked a
business associate agreement.

Lessons to Learn

The OCR enforcement action against Filefax offers several critical lessons
for covered entities and business associates, ranging from the importance
of secure storage and disposal of PHI to proper oversight of vendors.

"As a covered entity, I have immediate downstream responsibility for anyone
I have entrusted with this very personal, sensitive information," says Bob
Chaput, CEO of security and privacy consultancy Clearwater Compliance.
HIPAA calls for "robust business associate management, starting with a BA
agreement," he notes. Among critical steps to take with BA management is
identifying all BAs, as well as the risks to PHI they pose, he says.

"Because in a large organization, there will be a large number [of BAs], go
through the process of risk-ranking the order of those vendors" based on
the volume and the nature and sensitivity of PHI they're handling, he says.
"There's PHI and then there's super-PHI ... such as mental health

Once ranked, each BA should be put into a category with plans developed for
each category, he says. "For instance, for your highest risk BAs ... you
might have an annual attestation and a strong right to audit."

Keith Fricke, principal consultant at tw-security, notes that the duty to
safeguard PHI doesn't stop when patient records, paper or electronic, are
no longer needed by an organization.

"Hitting the delete key on a computer is not enough. Data must be
permanently scrubbed in a way that it cannot be recovered with free or
commercial tools," he says. "Physical destruction of storage media is a
good practice. There are free and commercial tools designed to forensically
wipe electronic data before decommissioning computers or disposing of
storage media."
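The point Fricke makes about the delete key can be shown directly. The
script below is an added example, not code from the article or from
tw-security; it writes a constructed sample record (not real PHI) to a
temporary file, deletes it the ordinary way, and reads the blocks back
through a descriptor opened before the unlink, which is what a forensic
tool reading freed blocks off the raw device would find. It then repeats
the exercise after overwriting the file in place with random data and
zeros, each pass fsync'd, before deleting it. It assumes a POSIX system,
where an open descriptor keeps the data blocks allocated after the
directory entry is removed; on Windows the unlink of an open file fails.

```python
import os
import tempfile

# Constructed sample record standing in for PHI; not a real patient.
PHI_RECORD = b"PATIENT: J. Doe; DOB: 1970-01-01; DX: asthma; MRN: 000000"


def _write_record(path: str) -> int:
    """Create the file holding the sample record and return its size in bytes."""
    with open(path, "wb") as f:
        f.write(PHI_RECORD)
        f.flush()
        os.fsync(f.fileno())
    return len(PHI_RECORD)


def _unlink_and_read_back(path: str) -> bytes:
    """Remove the directory entry, then read the file's blocks through a
    descriptor opened before the unlink. On POSIX the data blocks stay
    allocated while a descriptor is open, which mimics what a forensic
    tool sees when it reads freed blocks off the raw device."""
    fd = os.open(path, os.O_RDONLY)
    try:
        os.remove(path)  # this is all "the delete key" does: the name goes, the bytes stay
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def plain_delete(path: str) -> bytes:
    """Write the record, delete it the ordinary way, and return what is
    still readable afterwards (the full record)."""
    _write_record(path)
    return _unlink_and_read_back(path)


def overwrite_then_delete(path: str, passes: int = 3) -> bytes:
    """Write the record, overwrite it in place (random passes, then zeros,
    each fsync'd), delete it, and return what is still readable (zeros).

    Caveat: in-place overwrite only helps on media that rewrite the same
    physical location (spinning disks). SSD wear levelling, copy-on-write
    or journaling file systems, snapshots and backups can all keep old
    copies; for those, use the drive's sanitize/secure-erase command or
    destroy the key of a fully encrypted volume, and physically destroy
    media at end of life."""
    size = _write_record(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    return _unlink_and_read_back(path)


def run_demo() -> dict:
    """Run both procedures in a throwaway directory and report whether the
    sample record survived each one."""
    with tempfile.TemporaryDirectory() as tmp:
        after_delete = plain_delete(os.path.join(tmp, "chart.txt"))
        after_wipe = overwrite_then_delete(os.path.join(tmp, "chart.txt"))
    return {
        "recoverable_after_delete": PHI_RECORD in after_delete,
        "recoverable_after_wipe": PHI_RECORD in after_wipe,
        "bytes_after_wipe": after_wipe,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script and the plain delete reports the record as fully
recoverable while the overwrite-then-delete path returns only zeros. The
caveat in the docstring matters in practice: the overwrite approach is the
classic answer for magnetic disks, but on flash media and snapshotting file
systems the reliable options are the device's own sanitize command,
cryptographic erase of an encrypted volume, or the physical destruction
Fricke recommends.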

Other Cases

OCR has penalized other organizations for cases involving improper disposal
of PHI.

For instance, in 2014, OCR signed an $800,000 settlement with Parkview
Health System, as a result of an incident in June 2009 involving the paper
medical records of 5,000 to 8,000 patients that were left unattended in the
driveway outside the home of a retired physician.