
Posts Tagged ‘HIPAA’

Closing the Barn Door After the Horses Escape

Tuesday, April 6th, 2010

There is an old saying about closing the barn door after the horses have escaped. Obviously, that is too late.

John Muir Health is “closing the barn door after the horses escape” by implementing disk encryption software on its laptops AFTER two laptops holding unencrypted data were stolen, a theft that compromised the sensitive and confidential data of nearly 5,500 patients.

John Muir Health waited two months, the maximum amount of time allowed under the HITECH amendment to the HIPAA compliance mandate that governs data security in the health industry. Hala Helm, Muir’s vice president and chief compliance and privacy officer, is quoted explaining the delay with the justification “We wanted to make sure we had accurate information and could address questions from our patients.”

The move to encrypt the data on John Muir Health laptops is a good one, but in hindsight it is obviously a security control that should have been in place already. Had the data on the stolen laptops been encrypted, no patient data would have been exposed or compromised by the theft. John Muir Health could simply have written off a few thousand dollars for the lost hardware, replaced the laptops, and carried on with business as usual.

If your organization has laptops, and those laptops ever hold private, sensitive, or confidential data, perhaps you should consider shutting the barn door now, while the horses are still safely inside.

Patient Data Leaked to Local Attorneys by Hospital Worker

Sunday, December 13th, 2009

The University Medical Center (UMC) in Las Vegas is in hot water after it was discovered that at least one hospital employee has been leaking personal information of accident victims to local attorneys so that the lawyers could solicit the patients as clients. The breach of patient data violates federal HIPAA (Health Insurance Portability and Accountability Act) guidelines and could result in fines up to $1.5 million.

According to an article from the Las Vegas Review-Journal, the potential HIPAA fines are divided into four categories with a total maximum of $1.5 million:

  • If the hospital shows it didn’t know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
  • If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
  • If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
  • If it takes longer than 30 days, the fines start at $50,000.

The hospital received fairly high marks from a county auditor for HIPAA compliance, but with a few notable flaws. The auditor identified patient records being left unattended, outgoing email containing sensitive information being sent without encryption, and, in some cases, no record of what information was disclosed to third parties. Any of these data protection weaknesses could come back to haunt UMC, both in the federal investigation and fines and in any subsequent civil suits arising from the breach of confidentiality.

Health and medical institutions like UMC would benefit from tools that enforce data security policies: software that monitors and restricts what is sent to networked printers or saved to removable media, and software that scans and filters outbound email so that sensitive information is never transmitted unencrypted.
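The outbound email check suggested above comes down to two questions for every message leaving the gateway: is the message encrypted end to end, and if not, does any readable part contain patient identifiers? The Python sketch below is an added example written for this page; it is not UMC's tooling nor any vendor's product. The identifier patterns (in particular the seven-digit "MRN-NNNNNNN" format), the sample messages and the hypothetical addresses are constructed assumptions and would be tuned to the institution's own record formats.

```python
"""Outbound e-mail DLP check: block messages that carry patient identifiers
in cleartext, allow them when the message is S/MIME or PGP/MIME encrypted.
Added illustrative example; patterns and samples below are constructed."""
import re
from dataclasses import dataclass, field
from email import message_from_string

# Identifier patterns that commonly mark protected health information.
# The SSN pattern follows the standard area/group/serial exclusions; the
# MRN format is an ASSUMED placeholder and differs per institution.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{7}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
}


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    encrypted: bool = False
    reasons: list = field(default_factory=list)


def is_encrypted(msg):
    """Structural check only: top-level MIME type says the body is encrypted."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":          # PGP/MIME (RFC 3156)
        return True
    if ctype == "application/pkcs7-mime":       # S/MIME: enveloped-data is
        return msg.get_param("smime-type") != "signed-data"  # encrypted, signed-data is not
    return False


def plaintext_parts(msg):
    """Yield every text/* part as a decoded string."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def find_identifiers(text):
    """Return {pattern_name: hit_count} for identifiers found in the text."""
    hits = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def evaluate(raw_message):
    """Policy decision for one outbound message given as RFC 822 text."""
    msg = message_from_string(raw_message)
    verdict = Verdict(action="allow", encrypted=is_encrypted(msg))
    if verdict.encrypted:
        return verdict                           # unreadable in transit; let it pass
    for text in plaintext_parts(msg):
        for name, count in find_identifiers(text).items():
            verdict.reasons.append(f"{name} x{count}")
    if verdict.reasons:
        verdict.action = "block"                 # cleartext PHI leaving the network
    return verdict


# Constructed sample messages (addresses and identifiers are made up).
SAMPLE_LEAK = """\
From: clerk@hospital.example
To: partner@lawfirm.example
Subject: accident victims this week
Content-Type: text/plain; charset=utf-8

Patient Jane Doe, DOB 03/14/1970, SSN 123-45-6789, MRN-0045678, admitted after a crash.
"""

SAMPLE_CLEAN = """\
From: clerk@hospital.example
To: staff@hospital.example
Subject: parking
Content-Type: text/plain; charset=utf-8

Reminder: the parking garage closes at 10pm on Friday.
"""

SAMPLE_ENCRYPTED = """\
From: clerk@hospital.example
To: records@insurer.example
Subject: referral
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    for label, sample in [("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN),
                          ("encrypted", SAMPLE_ENCRYPTED)]:
        print(label, evaluate(sample))
```

In a gateway deployment the verdict, sender and recipient would be logged for every message, which also produces the disclosure record the auditor found missing. Note that `is_encrypted` only inspects MIME structure; it cannot tell whether the ciphertext is strong or the recipient key is the right one, so it belongs alongside a managed encryption policy rather than in place of one.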