Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH. The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) have been a source of meaningful guidance, as discussed in previous posts on this blog. For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”) that suffer List Breaches or PHI breaches of any size.

 

While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.

 

The Tennessee Summary

 

The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.

 

The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

 

1. Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2. Submitted a breach report to HHS (resulting in the posting on the HHS List).

3. Provided notice to affected individuals.

4. Notified the media.

5. Created a toll-free number for information regarding the incident.

6. Posted notice on the CE’s website.

7. Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8. Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9. Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).

 

The Tennessee Breach in Retrospect after the Omnibus Rule

 

There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule. However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself. Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised. The four-factor analysis that would have been required of the CE in the Tennessee Breach, had the breach occurred after the Rule took effect, encompasses the following (with parenthetical comments):

 

(i) Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii) Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii) Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv) The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).

 

As stated in earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011. While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule. It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.

 

The Parade of Major Reported PHI Breaches Creeps Ahead to 525 - Theft Continues to Dominate the Numbers

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.

 

Of the total of 525 List Breaches posted through January 1, 2013, approximately 274 (52.2%) attributed the type of breach to “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types are added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

 

Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices.  Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss. 

 

Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of those 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches. The sample sizes are relatively small, so further tracking of these numbers is warranted.

 

My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 

 

While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

Elizabeth Litten and Michael Kline write:

We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 

 

SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.

 

According to the original statement published in late September of 2011 (the “TRICARE/SAIC Statement”), the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”) includes the following:

 

There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.

While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.

 

Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts). In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach. SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.

 

Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office of Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.

  

Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.”   The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.

 

We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 

 

As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

Known Unknowns and Data Losses

A New England hospital has reported the disappearance of backup tapes containing ultrasound images and personal data of 14,000 patients. How do you handle a data loss when you don’t have any way of determining where the data went or who may have seen it? Is it still a “breach” in the technical sense?

These questions call to mind former Defense Secretary Donald Rumsfeld’s famous observation about assessing knowledge gaps:

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”

And a less-famous Rumsfeld quote from the same press briefing, “The absence of evidence is not evidence of absence, or vice versa” may also be applicable.

 

What is known, according to the press release issued by Women and Infants Hospital of Rhode Island, is that on September 13, 2012, the institution learned that unencrypted backup tapes containing ultrasound images went missing from two ambulatory sites in Providence, Rhode Island and New Bedford, Massachusetts. The backup tapes contained ultrasound images and included patient names, dates of birth, dates of exams, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers. 

 

The hospital has concluded that it has no reason to believe that the information has been accessed or used improperly, because doing so would require specialized equipment and technical expertise. The fact pattern and analysis recall the 2011 breaches involving SAIC/Tricare and Nemours discussed on this blog in October 2011 by my partner Elizabeth Litten. As she noted,

 

When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?  

 

At this time, Women & Infants has notified affected patients and established a hotline but is not yet offering credit monitoring or identity theft protection. Further, there is no indication of a report having been filed with HHS, but once again “absence of evidence is not evidence of absence.”

 

Applying the Rumsfeld test, I believe Women & Infants is facing both “known unknowns” and “unknown unknowns.” They know that they cannot be certain whether the data has been accessed, and if it has been, they cannot know the extent of the potential damage to the affected individuals. The long-overdue “mega-regulation,” which may finally see the light of day now that the election is over, may provide some useful guidance.

 

In the meantime, enjoy some of former Secretary Rumsfeld's greatest hits.

A Reader's Comment about a Third Potential Posting on the HHS Breach Parade for Massachusetts Eye and Ear Infirmary

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:

 

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

 

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that covered entities may in the future give more attention to performing a risk analysis of the probable harm of a potential List Breach. One of the purposes will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred and, therefore, that there may be no need for a List Breach report to HHS.

 

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

 

However, the stakes may be high for a covered entity to conclude that a List Breach has not occurred. The penalties that can flow from the potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

 

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.

As the Breach Parade Passes 500 Marchers: Should There be a Posting on the HHS List for a Third Massachusetts Eye and Ear Infirmary Breach?

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services (“HHS”) the sum of $1.5 million to settle potential violations involving an alleged security breach (the “2010 Breach”) of Protected Health Information (“PHI”) under HIPAA. However, relatively little has been written that the 2010 Breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years. 

This blog series has been following breaches of PHI that have been reported on the HHS list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 502 List Breaches. The first List Breach posted for MEEI on the HHS List (the “2009 Breach”) was reported to have occurred by reason of a theft on November 10, 2009 that was said to have affected 1,076 individuals. 

 

The 2010 Breach was reported to have occurred on February 19, 2010, only slightly more than three months after the 2009 Breach. According to the HHS List, it affected 3,621 individuals. A statement from MEEI on its Web site reports that HHS review of the 2010 Breach was “triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.”  MEEI further stated that it “has no indication that any patients were harmed by this isolated incident.” Query: How “isolated” was the incident in view of the fact that the 2010 Breach occurred soon after the 2009 Breach?

 

Potential entries in the PHI Breach Parade did not end for MEEI, however, with the 2010 Breach. On April 16, 2012, during a time that MEEI was likely to have been heavily negotiating with HHS about the $1.5 million payment, MEEI posted the following statement on its Web site (the “2012 Statement”), about which relatively little was reported in the media:

 

On March 5, 2012, the Quincy, Massachusetts, Police Department informed [MEEI] that they were investigating a [MEEI] employee for inappropriately using the names, Social Security numbers and dates of birth of certain individuals, some of whom were believed to be MEEI patients. . . .

While [MEEI] is only aware of four individuals whose personal information was actually misused, as a precaution we are notifying, by mail, approximately 3,600 patients whose Social Security numbers were available to the former employee in the course of performing her assigned duties.

The 2012 Statement went on to say that MEEI will “provide one year of free credit monitoring to potentially affected individuals to protect them against possible harm resulting from this incident.”  [Emphasis supplied.]

 

It is perplexing that nothing about the 2012 Breach has been posted on the HHS List to this point, although

 

(i) the MEEI Web site reported the event more than six months ago,

(ii) the number of “potentially” affected individuals far exceeded the 500 minimum threshold for placement on the HHS List, and

(iii) the period during which MEEI was dealing with HHS after the 2010 Breach overlapped with the occurrence and aftermath of the 2012 Breach.

Queries: Did MEEI not report the 2012 Breach to the HHS List because it ultimately concluded that the 2012 Breach did not involve more than 500 individuals even though it does offer credit monitoring to more than 3,600 individuals? (As a potential third time marcher in the Breach Parade, MEEI was certainly aware of its reporting obligations to HHS.) In other words, did MEEI determine by a reasonable risk assessment that the potential access by the former employee to PHI of 3,600 individuals was not sufficient to require a report for the HHS List, absent more substantial proof that the PHI of 500 or more individuals was actually accessed and/or that 500 or more individuals were actually harmed by such access?

Alternatively, is it simply possible that HHS has been slow in reporting additional List Breaches on the HHS List, similar to a suggestion in an earlier post in this blog series that HHS may be slow in posting Summaries of cases that it has investigated and closed?

This blog series will continue to monitor developments in this area.

As the Parade of Major PHI Breaches Marches Ever Onward, Where Have All the OCR Summaries Gone?

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 498 List Breaches reported by covered entities (“CEs”), of which approximately 102 (20.5%) have been reported as also involving business associates (“BAs”).  

As stated in an earlier posting in this blog series, the HHS List includes valuable guidance for CEs and BAs in the form of “brief summaries of the breach cases that OCR [the federal Office of Civil Rights] has investigated and closed. . . .” To date, the HHS List has posted approximately 96 summaries (“Summaries”) respecting the 498 current postings for CE marchers in the Breach Parade (which include some multiple postings of List Breaches where a single alleged breach by a BA caused a number of CEs to have List Breaches). Of the 96 List Breaches for which Summaries have been posted by OCR, 19 (19.8%) were reported as involving BAs.  

 

Unfortunately, since May 10, 2012, it would appear that only one new Summary has been posted by OCR, which relates to List Breach number 337 reported by Indiana University School of Optometry as CE. According to the OCR Summary, that List Breach affected 757 individuals and resulted in accessibility over the Internet of patient names, birth dates, medical history, diagnoses and treatment plans for the period from August 8, 2011 through September 9, 2011.  

 

No Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011, already a year ago. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011, as discussed in an earlier posting in this blog series. 

 

Moreover, the substantial majority of Summaries posted by OCR relate to List Breaches affecting fewer than 10,000 persons. While this Summary history may be reflective of the population of List Breaches as discussed in an earlier post in this blog series, the largest number of affected individuals for which a Summary has been posted to date is 83,000. That List Breach, which occurred on November 12, 2009 and was number 21 on the HHS List, related to unauthorized access/disclosure of paper information and was reported by Universal American in New York as the CE with Democracy Data & Communications, LLC as an involved BA. In light of the existence of complex List Breaches that reportedly affect hundreds of thousands or even millions of individuals, Summaries respecting larger List Breaches may be helpful in providing new and different insights for CEs and BAs.

 

There is great value in the guidance provided by the posted Summaries for educating CEs and BAs as to what OCR may deem to be significant with respect to List Breaches. OCR Summaries may provide analysis not only of the List Breaches themselves but also of subsequent actions taken by the affected CEs and BAs. However, because the paucity of recent postings of Summaries can dampen their overall educational benefit, OCR is encouraged to increase the frequency, number, timeliness and diversity of the Summaries posted.

MD Anderson Posts Notice of Breach on Day 59

As reported in the Houston Chronicle on June 28, 2012, an unencrypted laptop computer containing data on more than 30,000 patients of the University of Texas MD Anderson Cancer Center (“MD Anderson”) was stolen from a faculty member’s home on April 30, 2012. The stolen laptop scenario has become all too familiar (this blog series has reported on the high proportion of breaches resulting from the theft or loss of laptops or other portable devices), and even the high number of patients affected pales in comparison with the roughly 5 million patients affected in the SAIC breach.

What caught my attention was the fact that MD Anderson posted notice of the breach on its website on June 28th, exactly 59 days after the theft took place (and 58 days after MD Anderson says it learned of the theft). Pursuant to the interim final breach notification regulations, a covered entity must provide notice to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” An exception permits a delay where a law enforcement official states that notification would impede a criminal investigation or cause damage to national security, but a criminal investigation of a laptop theft would presumably take less than 60 days in any event. MD Anderson’s website notice gives every indication that it acted promptly and investigated thoroughly:

 

MD Anderson was alerted to the theft on May 1 and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.

 

Would patients have been better off knowing their data might have been illegally accessed prior to day 59 following the breach, or does the benefit of a thorough investigation outweigh the risk that earlier notification would have benefited patients? 

 

Navigant Consulting released an “Information Security and Data Breach Report” in April of this year that found that the average number of days between discovery of a breach involving medical records and disclosure was 63 days in the third quarter of 2011 and 65 days in the fourth quarter of 2011, an increase of 3%, despite the HIPAA requirement that patients be notified “without unreasonable delay” and no later than 60 days following discovery of the breach. When analyzed in terms of the entity reporting the breach, “[h]ealthcare entities registered an 84% increase between discovery and disclosure from 51 days in Q3 to 94 days in Q4.”

 

From this perspective, it seems MD Anderson did pretty well. Had the faculty member delayed his or her original notification to MD Anderson regarding the theft, however, MD Anderson might have been hard-pressed to meet the 60 day deadline: under the regulations a breach is treated as discovered on the first day it is known (or, by exercising reasonable diligence, would have been known) to the covered entity, and the knowledge of a workforce member is imputed to the covered entity, so the clock would have been running from the day the faculty member learned of the theft, not the day MD Anderson was told. Covered entities such as MD Anderson (and business associates who provide protected health information to subcontractors) should be reminded that prompt internal communication and investigation are essential to meeting the “without unreasonable delay and in no case later than 60 calendar days” notification requirement, and that they must balance the need to get the facts straight against the need to alert affected individuals, and, where applicable, the Department of Health and Human Services and state agencies, as quickly as possible.

Boston Children's Hospital: Reported Large PHI Security Breach in Argentina Gives the Parade a New International Flavor

This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which was reported by the Hospital as having been password protected but not encrypted, did not include financial data or Social Security numbers.

The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop that contained unsecured PHI. Nonetheless, it is uncertain as to whether the PHI stored on the computer has been or will be inappropriately accessed and used.

The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital's Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.  

The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, an endeavor to open the links under that heading to referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the Code of Conduct has a bottom line on each page that recites a publication date of 12/06, well before the enactment of the federal HITECH Act.

A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as the Hospital’s chief information officer was quoted in the Globe article, the Hospital should, at a minimum, as many other covered entities that have suffered PHI security breaches have done, prominently place its press release respecting the Breach on its Web site.

The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.

Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection and transporting outside of the United States of laptops and other electronic devices that contain PHI.

Utah Department of Health: A Bold Repeat Marcher in the Parade of Major PHI Security Breaches

Postings on this blog series have been following the continuing parade of security and privacy breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals. On March 30, 2012, a large data security breach (the “Utah Breach”) that has not yet been posted on the HHS List was experienced by the Utah Department of Technology Services (“DTS”) on a computer server (the “DTS Server”) that stores Medicaid and Children’s Health Insurance Program (“CHIP”) claims data.  

DTS detected the Utah Breach on Monday, April 2, 2012 after the putative thieves began removing data from the DTS Server. Upon detection, DTS stated that it immediately shut down the DTS Server, has identified where the breakdown in security occurred and has implemented new processes to ensure this type of breach will not happen again.

 

DTS and the Utah Department of Health (“UDOH”) have established a separate Web page to provide “Latest Information” respecting the Utah Breach (the “Update Page”). The Update Page has turned out to be a useful reporting mechanism for what has become a continuously rising count of individuals affected by the Utah Breach. Currently the Update Page reports that “approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.” Therefore, the total current number of identified affected individuals of the Utah Breach appears to be approximately 780,000. However, the various numbers of victims reflected on the Update Page are somewhat confusing, possibly due at least in part to the addition on a serial basis of newly discovered victims.

Information on the DTS Server included claims payment and eligibility inquiries regarding potential Medicaid and CHIP claimants. According to UDOH:

This could include sensitive, personal health information from individuals and health care providers such as Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.

Interestingly, UDOH and DTS have made a clear distinction as to the assistance and support that they will provide to identified victims of the Utah Breach. Victims who had their Social Security numbers (“SSNs”) stolen will be offered one year of free credit monitoring services. Those victims of the Utah Breach who did not have SSNs stolen will not be offered free credit monitoring services, even though they have had other information compromised that has been characterized by UDOH as “less-sensitive.” Moreover, those who had SSNs stolen will receive priority in being alerted as to the Utah Breach over those victims who did not have stolen SSNs.

The Utah Breach is not the first large PHI breach experienced by UDOH.  The HHS List reports that on March 1, 2010, UDOH had an "Unauthorized Access/Disclosure" affecting 1,298 individuals respecting "Computer, Paper."  The HHS List also reflects that Utah Department of Workforce Services was involved as a Business Associate in the 2010 UDOH PHI breach.

It is possible that the current offering by UDOH of free credit monitoring services only to those Utah Breach victims who had stolen SSNs may be reevaluated or changed in the future. This blog series has previously reported the abrupt about-face by SAIC to offer credit monitoring services to the millions of victims of its large 2011 PHI breach after pressure by the Department of Defense to do so.

We will continue to monitor developments with regard to the Utah Breach.

The Parade of Major Reported PHI Breaches Hits 400 - A Closer Look at Victim 400 and its Actions in Response to the Breach - Part 2

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). A recent posting in this blog series reported that, on February 24, 2012, HHS recorded number 400 in the ever-lengthening parade of List Breaches.

Such posting also noted that more than half (223) of the 400 List Breaches attributed the breach to “Theft.” Of the 223 thefts reported, 93 of them were characterized as theft of a laptop. Therefore, it is not surprising that the 400th List Breach affecting Triumph, LLC (“Triumph”) was reported to be a theft on December 13, 2011 of a laptop affecting 2,000 individuals (the “Triumph Breach”) respecting several of its North Carolina behavioral and psychiatric facilities.

 

While the facts of the Triumph Breach were not remarkable in themselves, the event is worthy of review as being a typical List Breach involving a theft of a laptop that contained PHI of several thousand individuals. A closer look at the Triumph Breach reveals that it was an event as to which Triumph appears to have been a victim with little ability to avoid the loss. 

 

To its credit, Triumph has placed a HIPAA Breach Notification (the “Notification”) on its Web site with a prominent notice on its Home page in red with a link to the Notification and the following advice: “Please click here to read the public notice which may affect consumers receiving services from our Winston-Salem, Mocksville and King facilities.” As this blog series has pointed out in previous postings, many covered entities do not detail List Breaches on their Web sites.

 

The Notification states that the Triumph Breach occurred on December 13, 2011 when three men entered the 2nd floor lobby. While two of them were distracting the receptionist, the third entered a hallway and stole a laptop computer from an office. Because the Notification says only that the laptop was password protected, one can reasonably conclude that it was not encrypted. That distinction matters: under the HHS guidance, PHI is “secured” (so that its loss is not a reportable breach) only if it was encrypted in a manner consistent with NIST guidance or destroyed, and a password prompt on an unencrypted disk does nothing to protect the data from anyone who removes the drive or boots the machine from other media. The information on the computer was reported in the Notification to have included names, dates of birth, medical record numbers, insurance/Medicaid numbers, billing codes and authorization status for services, but not social security numbers, diagnostic codes or specific financial information.

 

Although the HHS List states that 2,000 individuals were affected by the Triumph Breach, no reference to the number of affected individuals was contained in the Notification. Additionally, while the Notification included contact information for questions about the Triumph Breach, no reference was made in the Notification as to the offering by Triumph of credit monitoring or other security services to affected individuals as has been done for many other List Breaches. Perhaps the explanation for the latter omission is the following statement by Triumph in the Notification:

 

We believe the motive for the theft was for the computer not for the information stored on the computer. In light of this theft, we are examining our policies, procedures and protocols to safeguard against any future incidents. 

 

Nonetheless, it is unclear whether the PHI stored on the computer will be inappropriately accessed and used. Triumph was clearly an unfortunate victim of a theft of PHI, as many other providers have been. Even so, the Triumph Breach is a reminder that it does not matter how a List Breach is caused: it will be costly for the covered entity in every case on many levels, and the ultimate extent of the adverse impact cannot be known with certainty.

The Parade of Major Reported PHI Breaches Hits 400 - Theft is the Primary Type of Breach

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). On February 24, 2012, HHS posted number 400 in the ever-lengthening parade of List Breaches.

The first postings on the HHS List occurred on March 4, 2010.  Therefore, it took almost exactly two years to reach the 400 level, which means that an average of 200 postings of List Breaches have been occurring each year.

 

A closer look at the 400 List Breaches reveals that there are an appreciable number of repeat entrants into the parade. This blog series has reported on a number of them, such as Henry Ford Health System with 3 List Breaches and University of Rochester Medical Center with 2 List Breaches. (In some cases assumptions had to be made as to repeat entrants because the names of some covered entities on the HHS List were similar but not identical to others or appeared to be different divisions of the same covered entity.) 

 

Based on the assumptions and the review, there were 28 covered entities with 2 List Breaches, 16 covered entities with three List Breaches and 1 covered entity with four List Breaches (counting multiple divisions as one covered entity). Therefore, there were 337 separate covered entities that reported the total of 400 List Breaches.

 

Of the total of 400 List Breaches, 223 of them attributed the cause or partial cause of the breach to be “Theft.” As a matter of fact the 400th List Breach was reported by Triumph, LLC as a theft on December 13, 2011 of a laptop affecting 2,000 individuals at several of its North Carolina behavioral and psychiatric facilities.

 

While the Parade of List Breaches continues to grow, there are many more PHI data breaches involving fewer than 500 individuals that are occurring as well. As this blog series has emphasized in the past, it is more a question of when a covered entity will suffer a PHI data breach and how severe the breach will be, rather than if it will suffer a breach.

The Parade of PHI Security Breaches: UCLA Rejoins the March and Merits Mixed Reviews for the Quality of its Public Disclosures

In a recent posting on this blog series, my partner William Maruca mentioned the multiple reported “snooping” intrusions from 2005 to 2009 by employees at UCLA Health System (“UCLA”) into medical records of celebrities “without a permissible reason.” Such snooping would constitute violations of the requirements under HIPAA/HITECH statutes and regulations.  Ultimately, UCLA entered into a settlement agreement (the “Settlement Agreement”) with federal health regulators with respect to such incursions, which among other things, socked UCLA with a fine of $865,000. 

Shortly after the Settlement Agreement was reported in July 2011, a new and different security breach was posted for UCLA (the “2011 Breach”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”).  (Presumably the snooping intrusions were not on the HHS List because they affected fewer than 500 individuals.) The 2011 Breach was reported on the HHS List as a theft of an “Other Portable Electronic Device” on September 7, 2011, that affected the protected health information (“PHI”) of 2,761 individuals.  UCLA has developed a mixed record of disclosure with respect to this most recent security breach.

UCLA is to be commended for having posted and maintained on its Web site (the “UCLA Web Site”) information on the 2011 Breach, as it has done with respect to the Settlement Agreement. This can be contrasted to a number of other covered entities previously identified in this blog series, such as Eisenhower Medical Center, that have not seen fit to post such security breaches on their Web sites. As a matter of fact, the posting on the UCLA Web Site about the 2011 Breach goes beyond the usual minimum level of disclosure to have a user-friendly, plain-language series of questions and answers to assist the site visitor. 

The UCLA Web Site reported 

The documents containing information did not include Social Security numbers or any financial information. They did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information. . . . UCLA has engaged Kroll, a global leader in data security, to provide assistance to individuals affected by this incident.

Even though UCLA has retained a consultant to provide advice to potential victims of the 2011 Breach, to this point no credit monitoring has been offered, while other covered entities have done so in similar circumstances because some of the information included in the theft could heighten identity theft risks.

There is also a perplexing discrepancy between the 2,761 individuals reported on the HHS List as having been affected in the 2011 Breach and the 16,288 individuals reported on the UCLA Web Site. The HHS Web site provides the following instructions regarding amendments to the number of affected individuals in a large PHI security breach:

If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected.  As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.

While there can only be speculation as to the source of the discrepancy, best disclosure practices would appear to dictate that UCLA provide information to HHS to permit the HHS List to be corrected from the current number to the materially higher number of 16,288 individuals. If UCLA has reported the higher figure to HHS, which did not correct it on the HHS List, then there is a flaw in the HHS List posting process that does not update amended information received from covered entities.

More recently, an additional factor has surfaced to detract from the quality of UCLA disclosures respecting the 2011 Breach. Derek Hawkins of Law360 discusses the filing by a UCLA patient of a putative class action against UCLA in December 2011 relating to the 2011 Breach. The Hawkins posting criticizes UCLA for not commenting at all on the lawsuit.

Thus UCLA has been inconsistent in its post-2011 Breach disclosures. Prompt, decisive and compliant action by covered entities affected by PHI security breaches, including transparency and accurate and consistent disclosure, is necessary to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches. 

Congressional Inquiry or Autopsy for SAIC Breach Disaster? - Part 5

Five members of Congress (two Republicans and three Democrats) representing districts from far-flung states (Colorado, Florida, Massachusetts, New Jersey and Texas) are co-signers of a bipartisan letter dated December 2, 2011 (the “December 2 Letter”), addressed to the Director of the TRICARE Management Authority. The December 2 Letter was written to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information” by TRICARE contractor Science Applications International Corporation (SAIC).

Michael Kline and I have blogged about the SAIC PHI breach in four previous postings on this blog series, the most recent of which was on November 9, 2011, shortly after TRICARE did an about-face and announced that it was directing SAIC to offer the 4.9 million affected individuals credit monitoring services and assistance.

The December 2 Letter requests “timely and thorough responses” by no later than February 2, 2012 to seventeen startlingly direct and often blame-loaded questions. The questions make it very clear that the authors believe SAIC (and/or TRICARE) should have done more to prevent the SAIC breach and should be doing more to protect affected individuals. Question 9 notes that SAIC offered to provide “victims” (note the word choice) credit monitoring services for a year, but goes on to point out that “such services are useless in protecting against medical identity theft and fraudulent health insurance claims.” It then asks whether victims will also be provided with “newly available medical identity theft monitoring,” and, if not, to explain why such monitoring would not be provided.

 

The December 2 Letter closes with a brief and scathing chronology of recent SAIC misconduct, after noting that “SAIC has received more than $20 billion in federal contracts over the previous three fiscal years,” and asks: “Why does [TRICARE] continue to contract with SAIC for its data handling and IT needs despite these major performance problems?”

 

The members of Congress who authored the December 2 Letter hail from both sides of the aisle and from various parts of the country, but a common link seems to be a strong interest in information privacy and security. For example, Edward Markey (D-Mass) and Joe Barton (R-Texas) co-chair the Bi-Partisan Privacy Caucus and recently focused on Facebook privacy issues. Cliff Stearns (R-Florida) introduced an online privacy bill last spring. Diana DeGette (D-Colorado) has commented publicly on the importance of online privacy.

 

While Rob Andrews (D-New Jersey) has no apparent recent history with respect to information privacy and security, he was the sponsor in 2003 of a bill, which was not ultimately enacted, designed to afford students and parents private civil remedies for the violation of their privacy rights under the General Education Provisions Act. Moreover, in his continuing role as a member of the House Committee on Armed Services and its Subcommittee on Oversight and Investigation, he has a deep interest and abiding concern regarding large scale threats to the privacy and security of protected health information of millions of service members and their families.

The Silent Brigade in the Parade of Major Reported PHI Breaches of Security and Privacy: Business Associates - An Update

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”). 

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."

 

This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence -- not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices -- and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches."  [Emphasis supplied.]

 

It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011. 

 

As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.

 

This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:

 

•   3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

 

•   13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

 

•   14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

 

•   53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

 

While the foregoing review is only a snapshot of the HHS List as of a given date, it would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion (81.7%, or 237 of 290) of List Breaches on the HHS List that affected fewer than 10,000 individuals reported no involvement of a BA.

 

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer.  However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.

Did Tricare/DoD Make a "Proactive Response" or a Preemptive Strike with SAIC in the PHI Breach Matter? Whose Risk is it Anyway? - Part 4

By: Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 4 shall have the meanings assigned to them in Part 3 or earlier Parts.]

 

As reported in Part 3 of this blog series, Tricare and SAIC did not initially offer credit monitoring services to patients affected by the 2011 Breach made public on September 29, 2011, due to what was then judged to be the low “risk of harm” to those affected.  The Public Statement specifically answered the question “Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft?” as follows:

 

No. The risk of harm to patients is judged to be low despite the data elements involved. Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identity theft, but all are encouraged to monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.

 

Now, less than 6 weeks later, Tricare has directed SAIC to provide one year of credit monitoring and restoration services to patients “who express concern about their credit” as a result of the 2011 Breach.  In a press release issued by the DoD on November 4, 2011, entitled "Proactive Response to Recent Data Breach Announced" (the “DoD Press Release”), Tricare Management Activity's deputy director explains,

 

These additional proactive security measures exceed the industry standard to protect against the risk of identity theft.  We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.  

 

It is unclear that the new security measure exceeds the “industry standard,” as evidenced by numerous past postings respecting PHI security breaches in this blog series. In some cases as long as two years of credit monitoring was offered to affected individuals. However, given the assurances in the Public Statement to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare’s abrupt about-face relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk. 

 

Then again, Tricare's new position could have less to do with new concerns related to patient identity theft risk, and more to do with a “proactive response” or even a preemptive strike by Tricare and DoD to combat certain of the allegations in the putative class action lawsuit filed against them in the U.S. District Court for the District of Columbia on October 11, 2011 (Gaffney v. Tricare Management Activity, et al., Case No. 1:2011cv01800) (the “Class Action Complaint”). Each of Virginia Gaffney and Adrienne Taylor, two of the plaintiffs named in the Class Action Complaint, has alleged that she had “incurred an economic loss as a result of having to purchase a credit monitoring service to alert her to potential misappropriation of her identity.”


By offering the credit monitoring services to all of the 4.9 million affected individuals, Tricare and DoD may be endeavoring to render moot or at least mitigate the risk from those allegations in the Class Action Complaint. [Note: The recent posting of the 2011 Breach in the HHS List, which did not provide any information beyond that reflected in the Public Statement, earlier reported “5,117,799” as the approximate number of individuals affected, but the current number reported is “4,901,432.”]


The Class Action Complaint seeks judgment against Tricare and DoD for damages in an amount of $1,000 for each affected individual.  Perhaps Tricare and DoD did the quick math and realized that the cost of credit monitoring and restoration for a subset (those “expressing concern”) of the roughly 4.9 million affected patients would be far less than the almost $5 billion aggregate damages award sought in the Class Action Complaint.  Tricare may have reversed its stance as a result of this “risk of harm” analysis, and not because of new information or a revised evaluation related to a heightened risk of harm to affected individuals.

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches - Part 3

By Michael Kline and Elizabeth Litten


[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]


The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.


Since the release by SAIC of the Public Statement, Law 360 has reported that


(i)   According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;

(ii)  A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and

(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach. 


Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to be the first such breach since the adoption of the Breach Notification Rule in August of 2009.


On July 21, 2007, The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:


So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.


Embedded later in the Post article is the following: 


The [2007] disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.


It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information.  (A portion of such personal information would have been deemed PHI had it been part of health-related material.)

The SPAMfighter report also discloses the following:

Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC's malware detection system. That breach had exposed mainly business account information.

As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach. 

Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed a “material” reportable event for SEC purposes by its management.

It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not even yet appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches - Part 2

By Elizabeth Litten and Michael Kline

[Capitalized terms not otherwise defined in this Part 2 shall have the meanings assigned to them in Part 1.]


In an October 3, 2011 Securities and Exchange Commission (“SEC”) filing posted on its Web site, SAIC described itself as


a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The company’s approximately 41,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. Headquartered in McLean, Va., SAIC had annual revenues of approximately $11 billion for its fiscal year ended January 31, 2011.


The SAIC PHI breach, which potentially affected nearly 5 million individuals, was reported despite the fact that the PHI was contained on backup tapes used by the military health system, and despite, as explained in the Public Statement: 


The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure…  [Q and A] Q. Can just anyone access this data? A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.


The Public Statement goes on to say the following in another answer:


After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance. [Emphasis supplied.]


The lynchpin of SAIC’s final decision to notify all of the potentially affected individuals appeared to be the DoD guidance. In SAIC’s position as an $11 billion contractor that is heavily dependent on DoD and other U.S. government contracts as described above, it would appear that SAIC may not have had many practical alternatives but to notify beneficiaries.


SAIC conducted “careful deliberation” before reaching its result and indicated that the risk of breach was “low.” Had the DoD guidance not been a factor and had SAIC concluded that the case was one where an unlocked file or unencrypted data was discovered to exist, but it appeared that no one had opened such file or viewed such data, would SAIC’s conclusion have been the same? Would SAIC have come to the same conclusion as Nemours and decided to report? 

What is clear is that the breach notice determination should involve a careful risk and impact analysis, as SAIC asserts that it performed. Even the most deafening sound created by a tree crashing in the forest is unlikely to affect the ears of the airplane passengers flying overhead. Piping that sound into the airplane, though, is very likely to disgruntle (or even unduly panic) the passengers. 


[To be continued in Part 3]

SAIC and Its Military Millions March - Flooding the Parade with Possible PHI Breaches (With Some Words on the Nemours PHI Breach) - Part 1

By Elizabeth Litten and Michael Kline

A recent public statement (the “Public Statement”) was published regarding a breach (the “2011 Breach”) of protected health information (“PHI”) of nearly 5 million military clinic and hospital patients that involved Science Applications International Corporation (SAI-NYSE) (“SAIC”). The 2011 Breach occurred in SAIC’s apparent role as a business associate and/or subcontractor for Tricare Management Activity, a component of Tricare, the military health plan (collectively, “Tricare”) for active duty service members of the U.S. Department of Defense (“DoD”). 


According to the Public Statement the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the Public Statement says that there is no financial data, such as credit card or bank account information, on the backup tapes.


The 2011 Breach is the largest single PHI security breach reported to date. The 2011 Breach highlights the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (“HHS”), other regulators and potentially affected individuals of a PHI breach.


The published “interim final rule” governing “Breach Notification for Unsecured Protected Health Information” (the “Breach Notification Rule”)  defines “breach” as “the acquisition, access, use or disclosure of protected health information [“PHI”] in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”  The Breach Notification Rule also defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”


These definitions, reviewed in the context of several recent PHI breaches (including those “marchers in the parade” previously discussed on this blog), raise an important issue: at what point does “access” matter?   When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?  


In this regard, an event reported on the Nemours Web site on October 7, 2011 (the “Nemours Report”), about a PHI security breach involving approximately 1.9 million individuals at a Nemours facility in Wilmington, DE is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project. 

Significantly, the Nemours Report stated the following:

There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.

The Nemours Report reveals that, in spite of the low likelihood of access, it not only disclosed the breach but was offering free credit monitoring, identity theft protection, and call center support to affected individuals. 


If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify, or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.  


[To be continued in Part 2]

Stanford Hospital Emergency Room Data Breach: the Snoopy® Float Materializes in the Parade of PHI Breaches

By Elizabeth Litten and Michael Kline


What was the highlight of the Macy’s® Thanksgiving Day parade when we were kids? The Snoopy® float (shown below) was probably right up there, along with the Sesame Street® and Disney® floats. Spectators of the Protected Health Information (“PHI”) Breach Parade (and of the “silent brigade” of Business Associate breaches, discussed in this blog series on August 1, 2011) will be awed by the sight of the recent, somewhat bizarre, Business Associate (“BA”) breach involving Stanford Hospital’s emergency room data, as reported in the New York Times by Kevin Sack on September 8, 2011. The PHI of 20,000 emergency room patients seen in the Palo Alto, CA hospital reportedly somehow made its way from the hospital’s BA, Multi-Specialty Collection Services, to a public website used by students. The publicly-posted information included names and diagnoses for patients who visited the emergency room during a 6 month period in 2009.


This PHI breach stands out for a couple of unusual aspects. First, the data was allegedly made publicly accessible in September of 2010 as a spreadsheet attached to a document on the Web site “Student of Fortune,” a site describing itself as “Your source for easy online homework help!” As reported in the Sack article: “Gary Migdol, a spokesman for Stanford Hospital and Clinics, said that the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph."  The PHI breach was purportedly discovered on August 22, 2011 by a Stanford Hospital patient and reported to the hospital. The fact that nearly a year had elapsed from the time of the breach to its reported discovery suggests that the PHI was


(i)   not recognized as “real” by viewers,

(ii)  not thought by viewers to be worth noting or reporting, and/or

(iii) not actually viewed by anyone during the year it was accessible to students seeking a bar graph tutorial. 


Nonetheless, the volume of patients affected, the sensitivity of the PHI data (more on that in a minute), the apparent lack of sufficient care by the BA, and the surprising nonchalance of whoever posted the PHI to be sifted and sorted by “Students of Fortune” accessing a publicly available Web site combine to make an attention-grabbing PHI breach event (the Snoopy float). 


Also reported on a New York Times blog site by Nick Bilton on September 8, 2011, Senator Richard Blumenthal (D-CT) introduced a bill, the Personal Data Protection and Breach Accountability Act of 2011, that, if passed, would impose strict storage and protection requirements for companies that store online data for more than 10,000 people. (Senator Blumenthal was previously highlighted in several postings in this blog series for his groundbreaking activities as Attorney General of Connecticut in investigations and enforcement actions against entities involved in PHI security breaches.)


While “Student of Fortune” was certainly not “storing” the emergency room PHI, the bill would likely affect BAs such as Multi-Specialty Collection Services. To the extent the Blumenthal bill imposes new or additional privacy and security provisions, Covered Entities and BAs handling large amounts of PHI would be subject to these provisions in addition to existing HIPAA/HITECH and state law requirements.


Back to the Snoopy float – the Stanford Hospital PHI breach (and the manner in which it was reported in the Sack article) stands out for a number of ironies. A large amount of sensitive PHI was accessible to the public, but obscurely so (only to Students of Fortune using a particular learning tool and astute enough to recognize, or care about, the sensitivity of the information). If the Stanford Hospital patient had not noticed and reported the PHI breach, would the breach have ever been noticed? Would any patient have been harmed? (If a tree falls in the forest when no one is present, does it make a sound?) 


Even more ironic is the fact that one affected patient may actually have been harmed as a result of the breach reporting, rather than from the breach itself. The Sack article quotes (by name) a patient’s mother who “intercepted” the breach notice mailed from Stanford Hospital to her 21-year-old son (leaving the reader to wonder why Mom is opening her adult son’s mail and whether she was authorized to access his PHI). Mom is quoted as stating (i) that her son received psychiatric treatment at Stanford in 2009 and (ii) “My son, I can tell you [Kevin Sack], is fragile and confused enough that this would have sent him over the edge."  One can only hope that the disclosure of his "fragile" state in a national newspaper will not have a similar effect.  Perhaps, in this post-Facebook and Twitter age, we could all use reminders about what kind of information is private and sensitive, when we should report breaches of it, and with whom we should share it.  The Snoopy float is a good reminder.    


A final irony is that Michael Mucha, the Stanford Hospital Chief Information Security Officer at the time of the Stanford PHI breach, has written extensively and has been widely quoted regarding information security. He has been quoted as saying, “The biggest thing we [Stanford Hospital] focus on with all of this is control of the data.” Unfortunately the Snoopy float PHI breach belies the level of control of the data that can be exercised by Stanford and other Covered Entities, even with safeguards in place.


This story will undoubtedly have further developments. It will be especially interesting to see what statement, if any, Stanford provides to the U.S. Department of Health and Human Services (“HHS”) about its PHI breach for posting on the HHS list of reported large breaches of unsecured PHI affecting 500 or more individuals.


[Capitalized items that have ® after their names may be registered trademarks of other entities as to which no claim is made.]


[Image: The Snoopy Balloon floats along Central Park West in the 2000 Thanksgiving Day Parade. Photo credit: About.com Guide]

Ohio District 5 Area Agency on Aging, Inc.: a Business Associate Marcher in the Parade of Major PHI Security and Privacy Breaches

Postings on this blog series have been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. A recent posting highlighted an area that has received relatively little media attention respecting the HHS list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”) - the extent to which such Large Breaches are stated to be attributable to events involving business associates (“BAs”) of the reporting covered entities (“CEs”). Some Large Breaches involving BAs will be reviewed in this and future postings.

The HHS List reveals that Ohio Health Plans (“OHP”), the public health care program overseen by the Ohio Department of Jobs and Family Services, reported as a CE that a Large Breach on June 3, 2011 involving 78,042 individuals had resulted from the theft of a laptop (the “OHP Breach”). The HHS List states that “Area Agency on Aging, Ohio District 5” was a “Business Associate Involved.” Unlike some other disclosures respecting Large Breaches reported on the HHS List, no further information is available on the HHS List for the OHP Breach.


A June 20, 2011 report of the OHP Breach in CrawfordCountyNow.com (the “Internet Report”) indicates that the correct corporate name of the affected BA is Ohio District 5 Area Agency on Aging, Inc. (the “Agency”). The Internet Report states:


A laptop computer assigned to a PASSPORT case manager with the Ohio District 5 (Mansfield) Area Agency on Aging, Inc. containing consumer’s personal health information was stolen from a vehicle on June 3. The computer contained personal health information of up to 43,000 consumers and the personal contact information of up to 35,000 related clients’ personal representatives.


The Internet Report quotes an apology from the CEO of the Agency, Duana Patton, and describes steps that the Agency was taking to mitigate the loss to affected individuals, including access to credit protection services and an 800 number to answer questions. Nowhere in the Internet Report is there any reference to OHP or the fact that the Agency was in possession of the PHI as a BA of a CE.


A visit to the Internet Web site of each of OHP and the Agency reveals no information respecting the OHP Breach. There is no reference to the OHP Breach in the links on the Home page of the OHP Web site or the links accessible through the “News & Events” link, including the “What’s New” and “News Releases” links. 


The Agency Web site describes the Agency as


a private non-profit Agency, designated by the State of Ohio to be a Planning and Service Area (PSA) as mandated in the Older Americans Act, as enacted by the Federal Government in 1965. The Agency administers Title III, State Block Grant, Medicaid and other grant funds.


Again there is no reference to the OHP Breach on the Agency Web site, either in the “News and Events” links, the “Privacy Information” link or elsewhere, or the efforts of the Agency to mitigate adverse consequences to affected individuals that may result from the OHP Breach.


It appears that OHP, as the CE with respect to the OHP Breach and the entity required to report the OHP Breach to the HHS for placement on the HHS List, left it to the Agency as the apparently responsible BA to confront the aftermath. Moreover, OHP and the Agency appear to have consciously limited disclosures regarding the status of OHP as the CE to avoid adverse publicity for OHP, perhaps because it is part of the Ohio state sponsored health programs. 


Other Large Breaches involving BAs that have been reported on the HHS List will be reviewed in future postings on this blog.

The Silent Brigade in the Parade of Major Reported PHI Breaches of Security and Privacy: Business Associates

This blog series has been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. As required by HITECH, the HHS Web site posts a list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”). One area that has received relatively little attention from postings on the HHS List is the extent to which such Large Breaches are reported to be attributable to events involving business associates (“BAs”) of covered entities (“CEs”). 

The HITECH Act provides at Section 13402 (42 U.S.C. Section 17932) that, following a Large Breach of unsecured PHI, a CE must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.  The HITECH Act imposed on a BA many of the obligations that only a CE previously had under the original HIPAA, unless the BA had specifically assumed such obligations contractually in an agreement with a CE. 


However, while Section 17932(b) of HITECH requires a BA to notify the associated CE that a PHI breach has occurred, under HITECH, such a BA has no obligation or even authority for mandatory or voluntary reporting of a Large Breach directly to HHS. That is solely the obligation of the CE under HITECH Section 17932(e)(3).  Nonetheless, the form of "Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information" to be filed by a CE calls for a disclosure by the CE of information about any breach that occurred at or by a BA.


The effect is that a BA has no effective voice, which has been authorized by HITECH or the interim HHS rules, to allow such BA to make a statement to HHS that could be posted on the HHS List to correct, amend, modify, supplement or even deny a CE report on the HHS List regarding such BA.


Of the 292 PHI breaches listed on the HHS List as of July 31, 2011, the following information has been reported regarding BAs:

•   Approximately 53 of the Large Breaches or 18% allegedly involved BAs of the reporting CEs.

•   Approximately 12 of the reported Large Breaches allegedly involving BAs contained a narrative as to the Large Breach event.

•   Approximately 8 of the narratives stated that the CE had enforced its agreement with the allegedly involved BA and/or modified or terminated its relationship with such BA.


It is clear that a Large Breach can generate substantial costs, embarrassment and loss of reputation to a CE and an involved BA.  It is in the interest of both parties that prompt, accurate and complete notification of a Large Breach be made to the public and HHS.  Cooperative efforts that optimally should exist between the CE and an involved BA in remediating a Large Breach should also include drafting a mutually acceptable narrative, if such a narrative is to be included in the report to HHS. However, it may not be possible to have agreement on remediation itself or the description that will be reported by the CE to HHS and posted on the HHS List.  HHS should consider giving a BA an opportunity to report its own responsive version of a Large Breach event in a case where a CE attributes involvement to such BA.

The Parade of PHI Security Breaches: WellPoint Finally Settles with the Attorney General of Indiana

As reported previously on this blog series, the requirements under HIPAA/HITECH and state statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches. 

An earlier posting on November 2, 2010 in this blog series (the “2010 Posting”) reported that, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “2010 Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

As reported by Ben Keller on DataGuidance.com from London, Indiana Attorney General Greg Zoeller announced on July 5, 2011, that WellPoint agreed to pay $100,000 after the company failed to notify customers and the state Attorney General "without unreasonable delay" of a data breach that occurred between October 2009 and March 2010. In response to a request by Mr. Keller to comment for the article, I was quoted as follows:

By settling with WellPoint Inc., the Attorney General of Indiana joins the Attorneys General of Connecticut and Vermont in recovering a substantial sum for the state. . . . [U]nlike Connecticut and Vermont, the Attorney General of Indiana however proceeded solely under a state law enacted by Indiana in 2009. With this variety of successes, it is likely that more Attorneys General will become aggressive in this area in the future.

This posting will endeavor to make some additional observations about the Indiana case. As reported in the 2010 Posting, the Connecticut case proceeded under the federal HIPAA/HITECH statute, while Mr. Zoeller proceeded only under an Indiana state law. Subsequent to the 2010 Posting, this blog series reported on a settlement in Vermont in January 2011 that was brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. 

In summary, there have now been three reported settlements by Attorneys General for PHI security breaches:

(i) one that proceeded solely under the federal HIPAA/HITECH statute (Connecticut);

(ii) another that proceeded under both the federal HIPAA/HITECH statute and state law (Vermont); and

(iii) a third one that proceeded solely under state law (Indiana).

The 2010 Posting raised the question as to why Mr. Zoeller had proceeded only under the Indiana state law and not under HIPAA/HITECH as well. The press release issued by his office on July 5, 2011, about the WellPoint settlement sheds some light on the matter:

In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General's Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General's Identity Theft Unit.

It is clear that Mr. Zoeller wanted to achieve a successful result under the state statute for which he had personally urged passage. However, while the 2010 Posting reported that Mr. Zoeller was seeking $300,000 in civil penalties from WellPoint, he settled for $100,000 in penalties, plus, among other sanctions, the requirements that WellPoint provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach and that WellPoint reimburse any WellPoint consumer up to $50,000 for any losses that result from identity theft due to the breach.

As stated earlier, it can be expected that other attorneys general around the country will follow suit in investigating PHI security breaches and seeking civil monetary payments and other sanctions under HIPAA/HITECH and/or state law. Such actions can generate significant revenues for the state, act as a deterrent to others and generate positive media coverage for successful attorneys general. 


Prompt, decisive and compliant action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for PHI security breaches. 

A Matter of Trust: Where is your Protected Health Information?

Several recent PHI-related news items, including two that were commented upon by Michael Kline in this blog series in his posts dated June 27, 2011 (regarding Google Health’s announced shut down) and July 3, 2011 (regarding the Spartanburg (S.C.) Regional Health System PHI security breach), and one that was described by Bill Maruca in a post dated June 22, 2011 (regarding the safety of “cloud-based” data storage systems), share a common feature – they underscore our need to trust the keepers of our PHI. We need to trust that, whether PHI is in the cloud or on a server, in a thumb drive or on a hard drive, only those who have a right and a need to access it can and will do so. 

A recent petition (“Petition”), filed as a putative class action in federal court in St. Louis, Missouri against The Siteman Cancer Center at Barnes Jewish Center (“Siteman”) and the Washington University (St. Louis) School of Medicine provides an example of insult adding to injury when the trust in our PHI-keeper is broken. Mistakes may happen, but trust is really breached when the mistakes that involve PHI are not admitted and addressed immediately.


The Petition alleges that, sometime over the weekend of December 4, 2010, “an unencrypted laptop computer,” which contained the PHI of “hundreds of cancer patients,” was stolen from Siteman’s Gynecological Treatment Center. While the exact number of individuals affected is not identified in the Petition, there has been no posting of the breach in the list maintained on the U.S. Department of Health and Human Services Web site respecting breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”). This suggests that fewer than 500 individuals were affected.

According to the Petition, Siteman did provide notice to affected individuals – but, based on allegations in the Petition, the notice was too little and too late. The Petition contends that Siteman knew about the stolen laptop immediately after the December 4, 2010 weekend, but did not notify affected individuals until it sent out a letter dated January 28, 2011. Adding apparent insult to this delayed notice of injury, the Petition asserts that Siteman also “downplayed the seriousness of the security breach” and failed to include complete information about (and thus “misrepresented”) the type of information that was stolen.


In blogging about the Spartanburg breach, Michael writes, “[i]t is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media coverage when the posting on the HHS List takes place one to three months later.”   I find it similarly perplexing that a hospital, such as Siteman, might choose to withhold disclosure of the extent of an especially sensitive PHI security breach, particularly when the disclosure is being made directly to the potentially affected individuals. Failure to disclose promptly and accurately the nature and extent of a breach not only erodes patient trust, but also increases the likelihood of a “second round” of patient harm and ensuing litigation.

Another Marcher Joins the Parade of Major Reported PHI Security Breaches: Spartanburg (S.C.) Regional Healthcare System

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. Immediately before the July 4th weekend, there was a posting on the U.S. Department of Health and Human Services Web site, which lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”), of a PHI security breach affecting 400,000 individuals that was reported by Spartanburg Regional Healthcare System (the “System”).

The HHS posting respecting the System reports that a PHI breach (the “System Breach”) occurred on March 28, 2011 from the “Theft” of a “Desktop Computer.” As a result the System appears to have suffered the fourth largest PHI security breach reported on the HHS Web site during 2011, surpassed only by the following, each of which has been discussed earlier in this blog series:

(i) the Health Net breach that involved 1,900,000 persons;

(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons affected; and

(iii) the Eisenhower Medical Center breach with a reported 514,330 persons affected.


The history of reporting of the System Breach by the System has been somewhat puzzling. Although the Web site of the System had previously published for some period of time a prominent link on its home page to the letter that was sent by the System to the affected individuals (the “System Letter”), the link appears now to have been deleted from the System’s home page. After a search, there appears to be no other reference to the System Breach on the System’s Web site, including the news archive that is linked from the home page.   


The System Letter asserted that the computer was stolen from the car of an employee who was “authorized to have possession of the computer.” The computer reportedly contained a password-protected file with Social Security numbers as well as names, addresses, dates of birth and medical billing codes. The System Letter also reported that the System will make available to affected individuals enhanced identity theft consultation and restoration and one year of free credit monitoring, although the System “had no evidence that any information has been misused.”


For some reason, the System originally made no disclosure of the large number of persons affected. This is not the first time that a provider that suffered a significant PHI security breach did not report the number of affected persons. See, for example, the postings in this blog series respecting Henry Ford Health System. It is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media attention when the posting on the HHS List takes place one to three months later. It would appear that providers and insurers should understand that one major media encounter for a single PHI security breach event is more than enough publicity.

Another Prominent Marcher Joins the Parade of Reported PHI Security Breaches: Eisenhower Medical Center

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. A recent posting of a major PHI security breach was made regarding Eisenhower Medical Center (the “Center”) on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals.  The Center, which is located on Bob Hope Drive in Rancho Mirage, near Palm Springs, California, houses, among other areas, the famous Annenberg Center for Health Sciences at Eisenhower, the Barbara Sinatra Children’s Center at Eisenhower and the Betty Ford Center on the Eisenhower campus. 


The HHS posting respecting the Center reports that a PHI breach affecting 514,330 persons (the “Center Breach”) occurred on March 11, 2011 from the “Theft” of a "Desktop Computer." As a result the Center appears to have suffered the third largest PHI security breach reported on the HHS Web site during 2011 to date, trailing only

(i) the Health Net breach earlier reported in this series that involved 1,900,000 persons and

(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons potentially affected.


The Center Breach was reported as item 38 on page 16 of the U.S. Department of Homeland Security (“DHS”) “Daily Open Source Infrastructure Report for 1 April 2011.” The DHS report quoted Center officials and the Center’s Director of Marketing and Public Relations as saying,

The computer was password protected, but not encrypted. The information in the . . . file included patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record number. . .

The theft occurred late in the day March 11, but the hospital was not aware the computer had been stolen until March 14. On March 17, officials learned the backup patient file was on the stolen computer . . . [T]he theft was reported to the Riverside County Sheriff’s Department March 18. The file was a backup file that was not displayed on the computer’s desktop.


In spite of the more than 500,000 individuals reported as having been affected by the Center Breach, the information made available to date by the Center has been sparse. A visit to the home page of the Center’s own Web site does not reveal any mention of the Center Breach. Similarly, a search of the 1,446 items dating back to 2004 in the Center’s News Archives on its Web Site (the “News Archives”) has no reference to the Center Breach.


The only article in the News Archives relative to privacy, which appeared to be from early 2009, reported the rolling out by the Center of a privacy code system to augment guidelines for the use and disclosure under the privacy standards for PHI (excluding information available in the hospital directory) to a patient’s family, significant other and friends. That article also stated, “All Eisenhower employees are required to complete a mandatory privacy NetLearning training module in April.” 


(NOTE - The conclusion that the year of the privacy article in the News Archives was 2009 was only determinable from a review of surrounding news items. The News Archives are deficient because they have no reference as to the dates of postings, unless they are indicated in the bodies of the articles themselves.)


It is perplexing that a hospital of the stature of Eisenhower Medical Center has been relatively silent about the Center Breach that has affected so many individuals. Nor has the Center disclosed what, if any, proactive remedial actions it will be taking to avoid a similar occurrence in the future. However, it is clear that more will be heard about this event, as CaliforniaHealthline.org has reported, "The not-for-profit medical center is sending notification letters to affected patients, and the California Department of Health will investigate the incident."


The NEW Largest Marcher in the Parade of Reported PHI Security Breaches: Health Net, Inc.

By: Elizabeth Litten and Michael Kline

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. As reported in a recent posting, prior to yesterday, the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network was perhaps the largest marcher in the parade of large PHI security breaches with a reported 1,700,000 persons potentially affected.  As of March 14, 2011, it appears Health Net is grappling with a breach that could involve as many as 1,900,000 persons, which would give it the distinction of having the largest and potentially loudest marching band in the Security Breach Parade.

This breach was described in a press release issued by the California Department of Managed Care (“DMHC”):


The company [Health Net] announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare. Health Net is conducting an investigation into the drives discovered missing from its Rancho Cordova data center.  


Health Net issued a press release that does not mention the number of persons affected, and implies that its vendor, IBM, may have responsibility for the breach:


This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information. While the investigation continues, Health Net has made the decision out of an abundance of caution to notify the individuals whose information is on the drives. To help protect the personal information of affected individuals, Health Net is offering them two years of free credit monitoring services, including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance. These services will be provided through the Debix Identity Protection Network.


Health Net’s press release then (tautologically, since the press release is accessible under the “Newsroom” link at the bottom of Health Net’s home page) directs readers to Health Net’s website for more information. I was unable to find additional information about the breach or Health Net’s investigation on the website. It’s good to know that, “out of an abundance of caution” (and at what must be quite an abundance of expense), Health Net will be notifying the 1.9 million affected persons and offering them two years of free credit monitoring services. Perhaps the next large entity entrusted with PHI will exercise an “abundance of caution” by encrypting the information contained on its server drives to avoid having to march in the ever-growing Security Breach Parade. 


Health Net, however, is no stranger to the Security Breach Parade. As reported previously on this blog series, Health Net and its affiliates have made payments to the states of Connecticut and Vermont in actions brought by the respective attorneys general of those states for HIPAA/HITECH violations. It does not end there. Today the Attorney General of the State of Washington published a release that Health Net had informed the Washington Attorney General’s Office on Monday that “approximately 39,877 Washington residents” may be affected by a data breach. This developing situation warrants continued monitoring.

The Henry Ford Health System Makes Another Appearance in the Parade of PHI Security Breaches

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of breaches of Protected Health Information (“PHI”) have brought to light an increasing volume of breaches of PHI involving highly respected and sophisticated providers and insurers. On November 21, 2010, a posting on this blog discussed a PHI security breach (the “September 2010 Breach”) involving Henry Ford Health System in Michigan (“Henry Ford” or the “health system”) that was discovered by the health system on September 24, 2010. A follow-up posting in this series on November 24, 2010 reported that 3,700 individuals had been affected in the September 2010 Breach.

On February 25, 2011, Robin Erb, Medical Writer at the Detroit Free Press, wrote an article entitled, “Lost Device Compromises Medical Information of 2,777 Patients” relative to another security lapse in less than a year within Henry Ford (the “January 2011 Breach”). According to Ms. Erb, an employee of the health system lost a flash drive with information on 2,777 patients on January 31, 2011.


As Ms. Erb reported,

Hospital officials said it's unclear how the flash drive was lost. The device is not encrypted, as required to protect individual patients' information, officials said.

The information involved patients tested for urinary tract infections between July and October 2010 and included names, medical record numbers, test information and results.


While the first blog posting in this series about the September 2010 Breach gave a link to the Henry Ford posting on its Web site about the security breach, that posting and link have apparently already been taken down by the health system. However, more than 500 other earlier stories dating back as far as March of 2005 remain on the Henry Ford News list. A visit today to the News list on the health system’s Web site also reveals that Henry Ford has made no posting to date about the January 2011 Breach.


HIPAA/HITECH provides that the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” The maximum time, therefore, for Henry Ford to notify the HHS about the January 2011 Breach is 60 days after the discovery date of January 31, 2011, or April 1, 2011. Soon after notification by the health system to the HHS, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would add the January 2011 Breach.


It is interesting that, while Ms. Erb’s article was published almost three weeks ago, nothing has apparently been published by Henry Ford about the January 2011 Breach on its Web site. Nor has the January 2011 Breach yet appeared on the HHS Web site. This matter warrants further monitoring.

The Largest Marcher in the Parade of Reported PHI Security Breaches: NYC Health and Hospitals Corporation's North Bronx Healthcare Network

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The New York City Health and Hospitals Corporation’s North Bronx Healthcare Network (“HHC”) has recently become perhaps the largest marcher in the parade of PHI security breaches with a reported 1,700,000 persons affected. 

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that HHC had a PHI security breach on December 23, 2010 (the “Breach”). Of the 242 records currently reported on the HHS List, the Breach is by far the largest with 1,700,000 affected individuals. The Breach apparently resulted from a “Theft” of “Electronic Medical Record, Other.” 


Unlike some other participants in the parade of PHI security breaches that have been reported in this blog series, it is refreshing to see that HHC has tried to be forthright in its communication on the HHC Website. The information regarding the occurrence may be found in a number of ways, including a search for "PHI security breach" directly from the HHC Home Page or by clicking on "Publications and Reports" from the HHC Home Page and then clicking on "Press Releases" where the relevant Press Release dated February 11, 2011, is the only listing to date for 2011 (the “Press Release”).


The HHC breach can become a financially costly one for HHC, as it potentially affected information covering twenty years relative to (i) personal information such as social security numbers, names, addresses, and other information that may be used to identify individuals; (ii) personal information and patients' medical histories; and (iii) personal information and employees' health information. The Press Release states the following: “The loss of this data occurred through the negligence of a contracted firm [identified in the Press Release as GRM Information Management Services ("GRM")] that specializes in the secure transport and storage of sensitive data. There is no evidence to indicate that the information has been inappropriately accessed or misused.”  The Press Release also reported that HHC is making available free credit monitoring and fraud resolution services for one year to those affected individuals who request it.


The Press Release states that the information was stolen when "the GRM van was left unattended and unlocked while the driver made other pickups.  GRM reported the incident to the police and dismissed the driver of the vehicle.  To date, the files have not been recovered."  Therefore, it can be reasonably inferred from the Press Release that at least a portion of the financial burden for HHC from the Breach will be shared by GRM.  GRM may even have some type of liability insurance coverage that will pay for some of the expenses flowing from the Breach. 


In this regard, my partner Elizabeth Litten, Esq., had previously discussed in a blog entry in this series the need for healthcare providers and business associates to investigate the possibility of obtaining insurance covering potential losses arising out of large PHI security breaches. The case of HHC may encourage greater attention to this area.


The prominent posting of the Breach on the HHC website demonstrates that HHC has made a commitment to act responsibly and do more than what is (again borrowing a phrase from HITECH in a totally different context) “the minimum necessary” for communicating a large PHI security breach. This should accelerate the rehabilitation of confidence and relations with patients, employees and HHC’s larger constituency.

A Reader's Comment on the Two Large PHI Security Breaches at The University of Rochester Medical Center in 2010

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. On January 19, 2011, a blog posting was made regarding two large PHI security breaches at The University of Rochester Medical Center (“URMC” or the “medical center”) in 2010 (the “2010 Breaches”). The posting reported that a review of the URMC website revealed no reference to either of the 2010 Breaches.

Shortly thereafter, I received the following comment from an anonymous “Dissent”:


The September 2010 breach is on their [University of Rochester (“UR”)] website.

You wouldn’t find it by searching the URMC site itself, though. I only found it by running the search on the main UR site.

The 2009 hack affecting 450 [individuals] wasn’t the medical center or PHI.

There was another 2009 incident that did involve the medical center, though, reported to the NYS CPB [New York State Consumer Protection Board]. It involved “insider wrongdoing,” but I do not know if PHI or patient data was involved or if [it] was employee data. The incident was never in the media and I never requested the report from NYS under FOI [Freedom of Information].

And yes, I think all entities should have links to disclosures prominently displayed or easy to find. 

Cheers,

/Dissent


I sincerely appreciate the knowledgeable information and clarification provided by Dissent. It is perplexing and somewhat illogical that the September 2010 Breach would be listed only on the UR website and not the separate comprehensive and extensive website of URMC, the institution at which the 2010 Breaches occurred. There is not even a cross-reference or link on the URMC site to the UR posting respecting the 2010 Breaches. 


Moreover, even with respect to the UR website, the posting respecting the September 2010 Breach should proactively inform affected individuals and the general public. The posting should not be so difficult to locate that only those who are specifically searching for the 2010 Breach with prior knowledge are likely to find it. Finally, query: why is the April 2010 Breach apparently not listed on either the UR or the URMC website?


As stated in my earlier blog entry, the posting of both of the 2010 Breaches on the URMC website in a reasonably prominent manner would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating large PHI security breaches. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.

Large PHI Security Breaches: The University of Rochester Medical Center Hits a Double in 2010

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The University of Rochester Medical Center (“URMC” or the “Medical Center”) joined in the parade of large PHI security breaches two times in 2010.

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that URMC had two large security breaches during 2010 (the “2010 Breaches”). The first 2010 Breach posted for URMC on the HHS List on May 28, 2010, related to 2,628 individuals from an “Unauthorized Access of Paper Records” that occurred on April 19, 2010. The second 2010 Breach posted for URMC on the HHS List on September 21, 2010 related to 857 individuals from a “Lost Portable Electronic Device” that occurred on August 2, 2010. 


There are several interesting aspects about the URMC events. First, like the incident at University of Tennessee Medical Center discussed earlier in this blog series, URMC apparently has determined that it is not necessary or appropriate to publish the 2010 Breaches in the URMC Newsroom or elsewhere on the URMC website. A review of the list of 345 stories presently posted in the 2010 News Archives on the URMC website revealed no reference to either of the 2010 Breaches.


It is somewhat disappointing that URMC has chosen not to communicate with its Internet community on the 2010 Breaches, as numerous other institutions with large PHI security breaches have chosen to do. It is even more puzzling in light of the fact that Peter Chesterton, MBA, the long-time Chief Privacy Officer and Chief HIPAA Security Official for URMC, has been a recognized leader and lecturer in the area of PHI security and privacy. He is also currently listed as a member of the University of Rochester Data Security Taskforce in the Office of the Provost (the “Provost Taskforce”). 


Mr. Chesterton lectured at the 4th Academic Medical Center Privacy and Security Conference on June 11, 2007 on the topic “Protecting PHI Shared with Private Physician Practices” and at the 5th Academic Medical Center Privacy and Security Conference on March 2, 2009 on the topic “AMC Privacy and Security: New Challenges, New Solutions – Best Practices for Compliance.”


As a matter of fact, Slide 23 on “Recent Developments” in Mr. Chesterton’s 2009 presentation referred to a “recent security incident.” Presumably his reference was to a January 11, 2009 data security breach, which was reported by www.identitytheft.info as having occurred at the University of Rochester (the “2009 Breach”), that involved 450 individuals from a “Hacked Database.”


It is not clear whether the 2009 Breach involved PHI, which is covered by HIPAA/HITECH, or whether it related to the University of Rochester or URMC. In any event the 2009 Breach preceded the establishment of the HHS List and, even if it had involved PHI, would not have been reportable on the HHS List because fewer than 500 individuals were affected. If the 2009 Breach related to the University of Rochester and not to the Medical Center, Mr. Chesterton’s knowledge of the 2009 Breach could have come from his membership on the Provost Taskforce.


Clearly Mr. Chesterton is not responsible for the publication policy of the URMC website or its news postings. However, I believe that the multiple occurrences of PHI security breaches in 2010 at URMC is a serious matter. The posting of the 2010 Breaches (and the 2009 Breach if it related to the Medical Center) on the URMC website would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating a large PHI security breach. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.

PHI: The University of Tennessee Medical Center Joins the Parade of Potential Security Breaches


This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.


On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on volunteertv.com. In the article, Ms. Starke reported that UTMC had announced that 8,000 patients' medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "UTMC Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."


What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach issue at Henry Ford Health System in Michigan ("HFHS"). That post raised questions as to the thoroughness of the report that HFHS had placed on its website relative to the incident.


Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.


A visit today to the U.S. Department of Health and Human Services ("HHS") website, which lists reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list reflects the "Date of Breach" of the UTMC event of "Improper Disposal of Paper Records" as "2009-09-23." Obviously the year should be "2010," not the "2009" date listed. It is unclear whether the hospital reported the wrong year to HHS or whether HHS incorrectly transcribed it.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.

PHI: What Can a Provider Do to "Insure" Against a Security Breach?

My colleague, Michael Kline, has been regularly reporting on this blog about the parade of Protected Health Information (PHI) privacy and security breaches that are occurring at large, sophisticated hospital systems, such as the Henry Ford Health System in Michigan, and health insurance carriers, such as Wellpoint, Inc. in Indiana.  A recent breach at the Puerto Rico Department of Health involved an estimated 400,000 individuals.  Breaches involving more than 500 individuals, including those referenced in this paragraph, must be reported to the Secretary of Health and Human Services (HHS) and can be accessed at the HHS Web site. 

If state agencies, insurance carriers, and large health care systems are vulnerable to the devastating aftermath of large breaches, how can a smaller covered entity, such as a free-standing specialty hospital or a physician practice group, or a business associate or subcontractor whose business does not revolve around or even frequently involve PHI, effectively limit its vulnerability to the heavy costs of a PHI security breach?

Whether HIPAA/HITECH privacy and security issues are in the forefront of an entity's compliance mindset or are a periodically worrisome background buzz, an entity should investigate measures to protect itself against privacy and security breaches and the ensuing economic costs associated with investigation of the potential breach, notice to affected individuals and, potentially, HHS, damage to reputation, remediation and protection actions, and, possibly, penalties, fines, and other damages asserted by the government or third parties.

I was intrigued to learn recently of a type of relatively new insurance coverage called "Privacy & Computer Security Protection." This coverage may be a good option for those among us who worry that even airtight, well-implemented policies and procedures may not be enough. Whether a breach results from human error (a typical cause for breach) or from organized or individual cyber crime such as hacking and stolen laptops (a less typical, but increasing risk), insurance companies such as Chartis, Beazley, and Hiscox are willing to underwrite certain computer security risks and cover specified losses that may be incurred by an insured from a PHI security breach.

 

According to my friends at Marsh USA Inc. (an insurance broker and an original creator of "cyber" policy forms), subject to the results of an underwriting pre-assessment of risks specifically associated with an entity that is applying for insurance coverage against losses from a PHI security breach, such an entity may pay as little as about $20,000 for $1 million in coverage. Insurance protection might cover claims arising from actual or alleged breaches of duty, neglect, or other acts, errors, or omissions that result in disclosure of PHI or other confidential information; vicarious liability for privacy breaches of an entity's vendor/subcontractor; costs associated with defense of regulatory actions; costs associated with compliance with PHI breach notification requirements, costs associated with public relations/crisis management professionals, etc.

 

The extent of financial risk involved in the HIPAA/HITECH security breach context is daunting. The cost of just setting up and operating a toll-free line for PHI security breaches involving 3,000 individuals is estimated by the federal Office of Civil Rights to be upwards of $8 million (table on page 42764).

 

I plan to review and report back in future blog postings on the current coverage options specifically designed to protect against the costs of HIPAA/HITECH security breaches, gaps that may exist in the currently available coverage and other related matters.

PHI: Postscript to the Security Breach at Henry Ford Health System

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

On November 21, 2010, a posting on this blog discussed a PHI security breach involving Henry Ford Health System (“Henry Ford” or the “health system”).

The blog posting observed that the disclosure by Henry Ford on its Web site did not divulge the number of patients affected by the security breach. As discussed in the posting, the required time frame for the health system to notify the U.S. Department of Health and Human Services (“HHS”) is the same as that for notifying affected patients; therefore, the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals would soon reveal the number of affected patients. Indeed, a visit today to the HHS Web site reveals that the Henry Ford security breach is now listed and that the breach affected 3,700 patients.

It is somewhat perplexing as to why the health system would have chosen not to have reported the number of affected patients on its own Web site. While every PHI security breach is costly and makes providers and insurers potentially vulnerable to embarrassment, criticism and diminished reputation, proactive transparency assists in rehabilitating relations with clients and the public.

PHI: The Parade of Security Breaches Continues to Lengthen with the Addition of Henry Ford Health System

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

The giant Henry Ford Health System (“Henry Ford” or the “health system”) in Michigan has joined the march. On November 19, 2010, Henry Ford posted on its Web site a “Required Substitute Notice” (the “Notice”) under HIPAA/HITECH. The Notice discloses that the health system has notified and apologized to “affected patients” that their information related to prostate services received between 1997 and 2008 was affected by a breach of unsecured PHI.  Henry Ford reported that it learned on September 24, 2010, that “an employee's laptop computer storing the information was stolen from an unlocked urology medical office.”

While no Social Security numbers, health insurance identification numbers or medical records were apparently stored on the stolen laptop, other elements of PHI were present on the laptop. To provide support for those affected by the PHI breach, as has been done by other providers and insurers, Henry Ford has responsibly offered a free year of identity monitoring, protection and remediation service to the potential victims. 

There are a number of interesting aspects of the Notice itself. The Notice states that “[u]nder federal law, health care organizations are required to notify patients within 60 days of a breach of unsecured health information.” As stated in an earlier posting on this blog, the time frame for providers and insurers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.”

If the PHI breach was discovered by Henry Ford on September 24, 2010, the sixtieth day would be November 23, 2010. Therefore, that part of the notification requirement was clearly satisfied. It is a factual matter, however, as to whether, under the circumstances, the notification by the health system on or about the 53rd day met the other standard that notice was provided “without unreasonable delay.”

Another aspect of the Notice was that it did not disclose the number of affected patients. A visit today to the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals reveals that the Henry Ford security breach is not yet posted.  Since the required time frame for the health system to notify the HHS is the same as that for notifying affected patients, the HHS Web site should soon post such information.

 

Perhaps one of the most concerning aspects of the security breach is the report by Henry Ford that “[w]hile the laptop was password protected, the patient information stored on the computer could potentially be viewed on the computer.” Chief Privacy Officer of Henry Ford, Meredith Phillips, was quoted as saying that, to prevent future patient information breaches, “employees will be re-educated in the steps necessary to protect patient information stored on computers.” She also stated that “the process will be improved for how employees obtain a laptop computer for work purposes.”

 

Henry Ford is taking reasonable measures to forestall another similar incident. Clearly, however, current technological security protection practices, such as passwords, even if followed as in the Henry Ford case, are not sufficient to avoid a security breach. Unfortunately, re-education of employees and adding new limitations on issuance of laptops will not protect providers or insurers against negligence, rogue employees who may download PHI on their own computers, outright thieves within or without the organization, computer hacking and a host of other threats.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself. 

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

The Parade of PHI Security Breaches: Escalating Enforcement Activity by Attorneys General - Most Recently in Indiana

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing to light new breaches of PHI security and direct intervention by attorneys general with respect to such breaches. 

An earlier posting reported that Richard Blumenthal, as Attorney General of Connecticut, has been especially prominent in investigating PHI security breaches affecting individuals in his state. He also distinguished himself by successfully recovering for Connecticut the first state settlement for PHI security breaches under HIPAA/HITECH in an amount of $250,000. 

The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. It was pointed out in the earlier blog posting that nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches. In this regard, on October 29, 2010, the Indiana Attorney General's office announced in a press release (the “Press Release”) that it had filed a lawsuit against Indianapolis-based WellPoint, Inc. (“WellPoint”), claiming that “the health insurance provider did not notify their customers or the Attorney General's office in a timely manner following a data breach earlier this year affecting more than 32,000 Hoosiers.”

Significantly, the lawsuit, which seeks $300,000 in civil penalties, is not being brought under HIPAA/HITECH but, according to the Press Release, under Indiana state law, which “requires businesses to notify both the individuals potentially affected by a data breach, as well as the Attorney General's office without unreasonable delay.” 

According to the Press Release, WellPoint was notified as early as February 22, 2010 and again on March 8, 2010 that health insurance application records containing personal information, such as social security numbers, financial information and health records, were accessible through its public website.  However, the Attorney General alleges that WellPoint did not begin notifying customers of the security breach until June 18, 2010 (over 100 days after WellPoint reportedly learned of the breach).  The Press Release continues that, following news reports of the breach, the Attorney General's office submitted an inquiry to WellPoint and received a response on July 30, 2010 (at least 144 days after WellPoint reportedly learned of the breach). The Press Release states that the WellPoint “delays in notice both to customers and to the Attorney General's office are considered unreasonable.”

HIPAA/HITECH has a more objective standard than the term “unreasonable delay” of the Indiana statute. Under HIPAA/HITECH, the time frame for insurers and providers to give notice to affected individuals and the U.S. Department of Health and Human Services of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.” WellPoint would clearly be well outside the 60-day limits for notification.  
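The 60-day arithmetic the post applies to the Henry Ford timeline above and to the WellPoint timeline in this section is the kind of check an incident-response team should keep in a tracker rather than redo by hand for each notice. The following is an added example, not code from this blog, that computes the outer deadline from the discovery date and the days elapsed before each notice was sent, using the dates the post reports. The entity labels and audience names are constructed for the example, and it takes the later of the two dates on which the Press Release says WellPoint was notified (March 8, 2010) as the discovery date, so the delays it computes are the smaller, conservative ones.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict

# Outer limit for breach notification under the HITECH rule as quoted in the
# post: "without unreasonable delay and in no case later than 60 calendar days
# after the discovery of the breach." This example treats the deadline as the
# discovery date plus 60 calendar days, which matches the post's own arithmetic
# (discovery on September 24, 2010 gives a sixtieth day of November 23, 2010).
OUTER_LIMIT_DAYS = 60


@dataclass
class BreachTimeline:
    """Key dates for one incident. Audience names are free text
    (for example "individuals", "HHS" or "state AG")."""

    entity: str
    discovered: date
    notices: Dict[str, date] = field(default_factory=dict)

    def deadline(self) -> date:
        """Last calendar day on which notice can still be timely."""
        return self.discovered + timedelta(days=OUTER_LIMIT_DAYS)

    def days_remaining(self, as_of: date) -> int:
        """Days left before the outer limit; negative once it has passed."""
        return (self.deadline() - as_of).days

    def notice_delays(self) -> Dict[str, int]:
        """Days between discovery and each notice actually sent."""
        return {aud: (sent - self.discovered).days for aud, sent in self.notices.items()}

    def late_notices(self) -> Dict[str, int]:
        """Notices sent after the outer limit, with the days elapsed for each.
        The 'without unreasonable delay' prong is a factual question and is
        not something this check can decide."""
        return {aud: d for aud, d in self.notice_delays().items() if d > OUTER_LIMIT_DAYS}


def sample_timelines():
    """Timelines built from dates reported in the post (constructed for this example)."""
    henry_ford = BreachTimeline("Henry Ford Health System", date(2010, 9, 24))
    # The Indiana press release cites notices to WellPoint on Feb 22 and Mar 8, 2010;
    # the later date is used here, so the computed delays are the smaller ones.
    wellpoint = BreachTimeline(
        "WellPoint, Inc.",
        date(2010, 3, 8),
        notices={"customers": date(2010, 6, 18), "Indiana AG response": date(2010, 7, 30)},
    )
    return henry_ford, wellpoint


if __name__ == "__main__":
    for t in sample_timelines():
        print(f"{t.entity}: discovered {t.discovered}, outer limit {t.deadline()}")
        for aud, days in t.notice_delays().items():
            flag = "LATE" if days > OUTER_LIMIT_DAYS else "ok"
            print(f"  {aud}: day {days} ({flag})")
```

Run stand-alone, it prints the November 23, 2010 outer limit for the Henry Ford discovery date and flags both WellPoint notices (102 and 144 days after March 8) as past the 60-day limit, matching the "over 100 days" and "at least 144 days" figures in the Press Release.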

 

It is not clear what led the Indiana Attorney General to determine to proceed under state law rather than HIPAA/HITECH, especially given the objective outside limit of 60 days under HIPAA/HITECH and the above-mentioned success of Mr. Blumenthal in Connecticut. Perhaps the decision was made in order to bring the action in the Indiana state courts rather than the federal courts, or there are facts and circumstances that the Attorney General believed favor use of the state law.

 

In any event, it can be expected that other attorneys general around the country will follow suit in vigorously investigating PHI security breaches and seeking civil monetary payments under HIPAA/HITECH and/or state law. Prompt, decisive and positive action will be required of insurers and providers to maximize damage control, rehabilitate relations with clients and the public and reduce the likelihood of litigation and penalties for undue delay in notification of PHI security breaches. 

Missing from the Parade of Large PHI Security Breaches - Advice to the Public by the Secretary of HHS on its Change in an HHS Website URL

Note: The title and substance of this blog entry has been substantially amended in response to a helpful comment by an anonymous fellow blogger. I am grateful that others are reading our blog posts and have sufficient interest in the topic to comment. To assist readers, the highly appreciated comment is set forth in full as follows:

I read your blog post, "MISSING FROM THE PARADE OF LARGE PHI SECURITY BREACHES - REASONABLY PROMPT POSTING BY THE SECRETARY OF HHS ON THE HHS WEBSITE," and wanted to let you know:

You've been looking at the wrong url. The HHS breach list has been updated frequently since June, but they moved the breach report url to here in July.

HHS never put a forward, redirect, or notice on the old url, and I've seen a number of sites, like yours, misled by the unannounced move and I've tried to let fellow bloggers know.

When you go to the new page, note that there are also csv and xml formats. Those files may, in some cases, be a bit more current than the list you see when you go to the web site.

Hope this helps.

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), relating to public disclosure of security breaches of Protected Health Information (“PHI”), has continuously been bringing to light new breaches of PHI involving highly respected and sophisticated healthcare providers and insurers (generally, “covered entities”). 

The HITECH Act requires covered entities to notify, among others, Kathleen Sebelius, Secretary (the “Secretary”), of the U.S. Department of Health and Human Services (“HHS”), respecting a PHI breach involving 500 or more individuals. The notification to the Secretary is to be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of PHI. . . .”

What is supposed to happen, however, when the Secretary receives the report of a PHI breach involving 500 or more individuals? The Website “HIPAA Survival Guide” quotes Section 13402(e)(4) of HITECH as follows:

(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach . . . in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Unfortunately, the original URL address (the “Old URL”) for the HHS list relative to breach notification (the "List") was changed by HHS with no apparent notice in July 2010 and has not been updated since that time. From late June 2010 until the original posting of this blog entry, I was visiting the Old URL on at least a weekly basis on the assumption that HHS had simply not been updating the List on a timely basis. 

A fellow blogger advised me that HHS changed the Old URL to a new URL (the “New URL”) but never put a forward, redirect or notice on the Old URL as to the change. It would seem reasonable and relatively easy for the Secretary at a minimum to do one or more of the following to assist those who may mistakenly visit the obsolete Old URL:

(1) keep the Old URL, while prominently placing on the old URL information about the change to the New URL;

(2) close the Old URL and automatically redirect visitors to the New URL; and/or

(3) issue a press release or notice about the change from the Old URL to the New URL and post it prominently on the general HHS Website.
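Of the three options listed, the permanent redirect in item (2) is the one a site operator implements in server configuration rather than in a press release. The following is an added example, not code from this blog or from HHS, that contrasts a silently moved page (the old address simply answers 404) with one that answers a 301 redirect at the old address, so that a reader who bookmarked the Old URL still lands on the current list. The two paths are hypothetical placeholders, since the post does not reproduce the real HHS addresses, and the servers are local stand-ins built on Python's http.server.

```python
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Hypothetical paths standing in for the post's "Old URL" and "New URL";
# the post does not reproduce the real HHS addresses.
OLD_PATH = "/old/breach-list"
NEW_PATH = "/new/breach-list"
LIST_BODY = b"Breaches affecting 500 or more individuals (constructed placeholder)\n"


class _Base(BaseHTTPRequestHandler):
    """Shared plumbing: serve the list at NEW_PATH, answer 404 to anything else."""

    def serve_list(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(LIST_BODY)))
        self.end_headers()
        self.wfile.write(LIST_BODY)

    def do_GET(self):
        if self.path == NEW_PATH:
            self.serve_list()
        else:
            self.send_error(HTTPStatus.NOT_FOUND)

    def log_message(self, *args):
        pass  # keep the demo quiet


class SilentMoveHandler(_Base):
    """The behaviour the post criticizes: the page moved and the old address just dies."""


class RedirectHandler(_Base):
    """Option (2) from the post: a permanent redirect from the old address."""

    def do_GET(self):
        if self.path == OLD_PATH:
            self.send_response(HTTPStatus.MOVED_PERMANENTLY)
            self.send_header("Location", NEW_PATH)
            self.end_headers()
        else:
            super().do_GET()


def start_server(handler_cls):
    """Bind to an ephemeral local port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server, path):
    """GET path from server, following redirects as a browser would.
    Returns (final_path, status_code)."""
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        with urlopen(base + path) as resp:
            return resp.geturl()[len(base):], resp.getcode()
    except HTTPError as err:
        return path, err.code


def demo():
    """What a reader who bookmarked OLD_PATH sees under each behaviour."""
    results = {}
    for name, cls in (("dead", SilentMoveHandler), ("redirected", RedirectHandler)):
        server = start_server(cls)
        try:
            results[name] = fetch(server, OLD_PATH)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (final_path, code) in demo().items():
        print(f"{name:10s} -> {code} at {final_path}")
```

A 301 is the right status for a move that is meant to be permanent: browsers, search engines and the csv/xml consumers mentioned in the comment above all update to the new address on their own, which is exactly the notice the post says HHS never gave.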

It is not too late for the Secretary to correct any further misunderstandings by appropriate action. If HHS is serious about encouraging compliance by covered entities, HHS should lead by example and act reasonably with respect to its own statutorily-mandated HITECH responsibilities.

"PHI Warnings" in Communications -- A Potential Source of Unintended Security Breach?

By Elizabeth Litten and Michael Kline

Many Covered Entities (CE) and Business Associates (BA) (and now, Subcontractors (SC) as well) are using a variety of approaches to limit exposure to liability and the potentially dire consequences associated with security breaches of Protected Health Information (“PHI”).  Recently, we have noticed “PHI Warnings” in email and facsimile transmissions, by which CE, BA, or SC warn unintended recipients not to transmit or re-send PHI to third parties.  Such PHI Warnings are being routinely used by hospitals, providers, health insurers, law firms and others that create, receive, maintain, or transmit PHI.  Such PHI Warnings should be used and worded with caution, however.

For example, instructions such as the following sample may be found at the bottom of a CE’s email transmission:

 

Email Confidentiality Notice:  The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  This transmission is intended for the sole use of the individual or entity to whom it is addressed.  If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing  or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties.  If you have received this transmission in error, please contact the sender immediately by replying to this email and deleting this email and any attachments from any computer.

 

Unfortunately, if an unintended (or unprepared) recipient of such PHI reads this message and follows the sender’s instruction by “replying” to the email, such recipient could be unintentionally perpetuating or re-publishing the breach.  Particularly in a case where the original email was sent to a number of recipients, a “reply” could easily become a “reply to all” and have the effect of re-sending (and announcing) PHI to new unintended third parties. Such a result could make it much more difficult for the original sender to ascertain the total scope of the security breach in its subsequent remediation and compliance efforts.

 

Moreover, such PHI Warnings should only be used in the context of overall HIPAA/HITECH policies and procedures of the sender.  For example, if the unintended recipient were a BA or SC of the sender, the attempt to comply with the sender’s instructions could actually conflict with, and result in a breach of, the parties’ Business Associate Agreement (“BAA”).

 

The following sample avoids the problem described above by providing an alternative method of notifying the original sender but perhaps may still be “too little, too late,” as a serious PHI security breach may have already occurred:

 

This email and its attachments may contain privileged and confidential information and/or protected health information (PHI) intended solely for the use of ______________ and the recipient(s) named above.  If you are not the recipient, or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this email message and/or any attachments is strictly prohibited.  If you have received this transmission in error, please notify the sender immediately at 800-xxx-xxxx and permanently delete this email and any attachments.

 

Finally, if PHI is sent to a recipient prior to the parties’ execution of a compliant BAA and implementation of policies and procedures to protect PHI properly, a PHI Warning is unlikely to mitigate the liability of the sender (or recipient) for a security breach under HIPAA/HITECH.

The Parade of PHI Security Breaches - Providers and Insurers Beware of Attorney General Richard Blumenthal and Other Attorneys General

As reported previously on this blog, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have continuously been bringing to light new breaches of PHI involving highly respected and sophisticated providers and insurers.  With the authorization by HITECH of enforcement of HIPAA/HITECH violations by state attorneys general, direct intervention by attorneys general has been taking place.

Richard Blumenthal, the Attorney General of Connecticut and a candidate for U.S. Senate, has been especially prominent in his prompt launching of investigations of PHI security breaches affecting individuals in his state. 

For example, on August 18, 2010, Yale School of Medicine reported that it had begun notifying approximately 1,000 individuals whose clinical health information was contained on a laptop computer that was stolen.  On the heels of that disclosure, Attorney General Blumenthal announced, “My office has begun an investigation to identify the cause of the breach and assure ongoing protections for patients.”

One day later on August 19, 2010, ctwatchdog.com reported that Mr. Blumenthal had announced an investigation into another security breach, this time at the University of Connecticut where a laptop containing private financial information on 10,174 applicants was stolen.

These new disclosures by Mr. Blumenthal are only the latest in his parade of investigations of PHI security breaches.  The enactment of HITECH gave state attorneys general the ability to enforce PHI security breaches under HIPAA for the first time.   

Under HITECH, state attorneys general are authorized to bring civil suits in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations.  The attorneys general can sue for injunctive relief and/or damages and attorney fees.  Moreover, HIPAA/HITECH does not prevent a state attorney general from exercising powers under state law respecting PHI security breaches.

 

In July 2010 Mr. Blumenthal distinguished himself in an earlier case by successfully recovering for Connecticut the first state settlement under HIPAA/HITECH with healthcare insurer HealthNet and its affiliates in an amount of $250,000 for alleged health data security breaches.  Mr. Blumenthal had charged HealthNet with failing in May 2009 (i) to protect properly private patient medical records and financial information on nearly 500,000 Connecticut enrollees and (ii) to promptly notify consumers endangered by the breach.

 

The actions, visibility and financial success from Mr. Blumenthal’s numerous PHI security breach investigations in Connecticut are likely to stir other attorneys general around the country to follow suit.  These actions can be very disruptive for providers and insurers who suffer a PHI security breach even if no settlement payment is necessary. 

 

For example, HIPAA/HITECH gives such providers and insurers up to 60 days for internal investigation before requiring a report to the U.S. Department of Health and Human Services and public disclosure respecting a PHI breach involving 500 or more individuals.  However, early publicity by an attorney general prior to the passing of the 60-day period may force a public statement by a provider or insurer before it has completed its own internal investigation and prepared an orderly public disclosure and response.  Prompt, decisive and proactive action will be required of such a provider or insurer to maximize damage control and rehabilitate relations with clients and the public in advance of the expiration of the 60-day HIPAA/HITECH period.

 

The Ever-Lengthening Parade of PHI Security Breaches - The New Paper Chase of Four Massachusetts Community Hospitals

This blog has been reporting on the effects on providers, insurers and others of the HIPAA/HITECH statutes and regulations that require public disclosure of breaches of unsecured Protected Health Information ("PHI"). While the greatest attention under HIPAA/HITECH has been on electronic health records ("EHR"), the increasing inventory of billions of hard copy pages of paper health records containing PHI ("Paper HR") is a continuing material hazard for providers and insurers and their respective business associates and subcontractors. 

Because a large Paper HR security breach involves a bulk mass of paper, it generally may impact only a fraction of the number of individuals that can be affected by a typical EHR security breach. Nonetheless, the vigilance necessary to prevent a Paper HR security breach must be at a high level. Even where the proper measures appear to be in place, a PHI security breach may occur, giving rise to costs of notifying affected individuals and potential collateral damage. 

Liz Kowalczyk identified a case in point in her article on August 13, 2010 in The Boston Globe.  She reported that four Massachusetts community hospitals were investigating how thousands of patient health records, some containing Social Security numbers and sensitive medical diagnoses in addition to "patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages," ended up in a pile at a public dump.

The Kowalczyk article stated that one of the four hospitals believes that records of 8,000 to 12,000 patients may have been affected and another of the hospitals believes that records of 16,000 to 24,000 patients may have been affected. Ms. Kowalczyk explained that a major issue to be sorted out is who is responsible for the improper disposal of Paper HR, thereby imposing on that person, as required by HITECH,  the obligation to notify all individuals who may have suffered a compromise of their PHI.

It should be noted that there can be other substantial collateral damage in the aftermath of a PHI security breach for responsible parties, including heavy penalties and potential damages.

If the number of affected patients reported in the Kowalczyk article proves to be correct, this event would rank among the largest reported PHI security breaches involving Paper HR. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the U.S. Department of Health and Human Services has posted a list (the "HHS List") of all reported breaches of unsecured PHI affecting 500 or more individuals ("Large Breaches").

As of August 14, 2010, there were 108 separate postings of Large Breaches on the HHS List for events dating back to September 22, 2009.  Of this number, 22 postings were listed that related to Paper HR and impacted an aggregate of approximately 76,000 individuals.  Three of the Paper HR postings were identified as breaches involving "improper disposal."

The largest single posting on the HHS List respecting Paper HR was an event on January 26, 2010 that was reported for UnitedHealth Group and affected 16,291 individuals. Therefore, the potential PHI security breaches reported in the Kowalczyk article appear to affect collectively far more individuals than any single Paper HR event that is on the HHS List as of August 14, 2010.

If individual Paper HR security breach events are compared in magnitude to EHR events, however, as of August 14, 2010, there were eleven separate postings on the HHS List reported for PHI breaches that involved EHR and affected individuals ranging between 40,000 and 1,220,000 in number.  Therefore, the risks of large security breaches of PHI appear to be most significant for EHR.  However, as this blog has observed earlier, the public disclosures required by HIPAA/HITECH for a security breach respecting PHI often bring embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, there must be heightened efforts to avoid PHI security breaches for both Paper HR and EHR.  In many cases breaches have occurred even if apparently reasonable policies, procedures and precautions have been established.  If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

Protected Health Information: The Diverse Parade Of Security Breaches Continues

The requirements under the HIPAA/HITECH statutes for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a remarkably diverse parade of breaches of PHI.  They have often encouraged providers and insurers to go well beyond the minimum legally required response as a matter of good business relations.

 

Courtney Perkes reported in the June 23, 2010 issue of The Orange County Register (“OCR”) that 230,000 Anthem Blue Cross (“Anthem”) customers in California had been sent letters informing them that their personal information might have been accessed during a security breach of the Anthem website. The article pointed out that the recipients of letters were limited to those who were applying for insurance because the potential breach related to the ability of the applicants to track on-line progress of their applications.

 

Ironically the article further noted that the source of the potential breach was the access of PHI primarily by attorneys seeking information on applications for a putative class action lawsuit against Anthem brought by “a Los Angeles County resident who discovered that her application for insurance was available for public view.”  According to the article, Anthem sent out the notices to 230,000 Californians out of an 'abundance of caution' because the actual number of files that had been accessed was unclear.

The Anthem matter involves an insurer for which a breach can involve substantial PHI for hundreds of thousands, or even millions, of subscribers.  As one person who was quoted in the OCR article stated: 'There's not one place that has more information on you than your health insurer.  It's the absolutely most personal level of information all the way down to Social Security numbers. That would be about the last place I would want someone to gain access.'

For its part, like numerous other providers and insurers that have experienced PHI security breaches, Anthem has offered a free year of identity protection service to the recipients of notices.  The information that was improperly obtained has apparently been returned by the attorneys to a custodian in the court system.

The public disclosures required by HIPAA/HITECH for security breaches respecting PHI make insurers and providers vulnerable to commercial embarrassment, criticism and loss of reputation that may actually dwarf the legal costs and statutory consequences of the security breach itself.  To this end, insurers and providers should act responsibly to avoid security breaches in the first place.  If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with consumers.


Tennessee Blues' Data Breach Approaches 1 Million Affected Individuals

The scope of the October 2009 theft of Tennessee Blue Cross Blue Shield's hard drives, initially estimated to involve 500,000 individuals, has grown to nearly a million subscribers, according to an updated notice posted on the insurance giant's web site on April 6, 2010.

The company has classified the risk level into three tiers, with the most serious category, Tier 3, involving the disclosure of the individual's name, address, BlueCross member ID number, diagnosis, Social Security number and/or date of birth.  The 238,589 Tier 3 members have been offered free credit monitoring for one year, free identity monitoring through LifeLock Identity Alert™, and the Kroll ID TheftSmart program free for one year.  Subscribers in Tier 1 (447,549 members) and Tier 2 (312,284 members), whose data exposure was less comprehensive, are being offered a reduced package of remediation services.

The stolen hard drives contained audio and video training recordings, not text or database records.  The delay in identifying additional affected members may have been the result of the compromised files requiring individual review.  As of April 2, 2010, the total tally has reached 998,422, of which 550,873 have been notified of the breach and their rights so far.

The cost of investigating and remediating this high-profile breach should serve as a wake-up call to all covered entities and business associates.  If your data is not properly secured and encrypted, all it takes is the loss or theft of a few laptops, smart phones, thumb drives or other storage media to generate serious expense, not to mention PR damage.

OCR Releases List of Breaches Affecting 500 or More Individuals

As required by Section 13402(e)(4) of the HITECH Act, The Office of Civil Rights of the Department of Health and Human Services has posted a list of PHI breaches affecting 500 or more individuals.  Fifty-three covered entities appear, including hospitals, physician practices, dental practices, insurers, and several state agencies.  The most common causes of the breaches reported are theft or unauthorized access of a laptop, desktop computer or portable device, but other incidents reported involved lost or stolen paper records, phishing scams and hacking, backup tapes, and even postcards.

You can access the list here.  This is a list you don't want to be on.


Highmark Reports Breach of 3700 Customer Records

Chalk this one up to a flimsy envelope. Highmark Blue Cross Blue Shield has reported that approximately 3700 of its customers' personal data was lost as a result of a torn and damaged envelope sent to an employer containing names and social security numbers.  The insurer is offering a year's free credit monitoring service to affected individuals.  Highmark is also complying with the HITECH Act's breach notification rules, including notifying the media, since the breach involved more than 500 people in one state.  See "Highmark tells customers personal information lost".

Lesson: Use stronger envelopes when mailing sensitive data.  Sometimes data protection is that simple.

Let the Breach Notifications Begin! . . . (in 30 days, or so)

The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities (e.g., now also Business Associates) covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI).  Yesterday, the FTC also issued a Press Release announcing that it has finalized its rule on security breach notification, which will apply to vendors of personal health records.  Both HHS' and FTC's “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will include a 60-day public comment period.  However, the HITECH Act specifies that compliance with the breach notification requirements set forth in the HITECH Act (e.g., Sections 13401-13402) is required with respect to breaches that are discovered on or after the date that is 30 days after publication of the interim final rules.  Therefore, those required to comply with such provisions in the HITECH Act should be prepared to comply with the HITECH Act's security breach notification requirements by some time towards the end of September.

Click here to link to a copy of the HHS' Interim Final Breach Notification Rule.

HHS Issues Guidance on Security Breach Notification

On April 17, 2009, the federal Department of Health and Human Services (HHS) issued guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).  The guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH).  HITECH requires these regulations to be published within 180 days of enactment.  If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached!

In addition to this guidance, HHS has also concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance.  Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov.  View the HITECH Breach Notification Guidance and Request for Public Comment.

The guidance must be updated annually, but HHS may update and reissue it this year, after public comment is considered and at the same time HHS’s breach notification regulation is published.

FTC Issues Proposed Rules for Security Breach Notification under HITECH

The Federal Trade Commission (FTC) posted its proposed rule today implementing new breach notification requirements for health records, which were required to be promulgated by the Health Information Technology for Economic and Clinical Health ("HITECH") Act.  The FTC rule will apply to vendors of personal health records and related entities not covered directly by HIPAA.  

The Department of Health and Human Services is required to issue by August 17, 2009 proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA, namely Covered Entities (health care providers; health plans; clearinghouses) and now, as a result of the HITECH Act, Business Associates.  

To review the text of the FTC's proposed rule, click here.  Public comments are due on June 1, 2009.

Red Flags to Help Combat Medical Identity Theft

The FTC published the Red Flag rule on November 9, 2007.   However, over the last year there was considerable confusion and uncertainty about whether the rule, which is primarily geared toward financial institutions and other lenders, also applied (or should apply) to healthcare providers.   However, on October 15, 2008, the Office of the National Coordinator for Health IT (ONC) sponsored a Medical Identity Theft Town Hall and, on the same day, posted a document titled "Medical Identity Theft Environmental Scan" which, among other things, confirms that the FTC's Red Flag Rules extend to "entities outside of the traditional financial institutions, including entities in the health care industry."   The FTC's June 2008 Business Alert  also specifically noted that "nonprofit entities and government entities that defer payment for goods and services [are] considered 'creditors'" for purposes of the rule.

The compliance deadline for implementing Red Flags is fast approaching on November 1, 2008.  UPDATE: On October 22, 2008, the FTC delayed the compliance deadline for Red Flag requirements pertaining to identity theft for six months.  The new compliance deadline is now May 1, 2009.

A broad application of the Red Flag rules to the healthcare sector has likely been embraced because of an increased awareness that medical identity theft is a growing issue in healthcare, and it is hoped that Red Flags will assist with combating this risk.  To comply with the Red Flag rule requirements, hospitals must have a plan in place to detect, mitigate, and prevent red flags that signal potential identity theft.  Covered Entity providers may note that an effective HIPAA privacy and security compliance program contains many safeguards (i.e., access controls, person/entity authentication, audits, etc.) that already accomplish some of what the Red Flag rules require.

For a sample medical identity theft policy, visit the website of Health Ethics Trust.  The World Privacy Forum also published a report on September 24 entitled "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers" that is helpful.

"Oops," BC/BS Did it Again

First in New Jersey . . . now in Georgia.

The Atlanta Journal-Constitution reported yesterday that last week BC/BS of Georgia sent over 202,000 EOB letters to the wrong addresses.  Apparently the letters were mistakenly directed to the addresses of other policyholders, and included patients' names and insurance identification numbers, their doctors' names, and in some cases Social Security numbers.  The United Press International also reports that "Blue Cross said the problem was the result of a change in the computer system that was not properly tested."  Patients with sensitive diagnoses, like HIV/AIDS and other conditions, are particularly upset.  Identity theft is also a big concern.

Georgia's Insurance Commissioner, John Oxendine, ordered BC/BS of Georgia to give written notice to policyholders whose names were on the explanation of benefits letters and compile a list of names of those who mistakenly received the forms (Georgia also has an enacted Security Breach Notification Law).  The Commissioner is also "requiring the company to give a year of free credit monitoring to all affected customers," due to the risk of identity theft.

Back on January 28, 2008, Horizon BC/BS of New Jersey also experienced a data security breach that occurred when a Horizon employee's laptop computer was stolen.  The laptop contained the names, addresses and social security numbers of New Jersey employees and their dependents. Between 200,000 and 300,000 identities were on the stolen computer.  One year of free credit report monitoring was offered in that instance as well.

In light of the government's recent decision to pursue enforcement against Providence hospital in Washington for similar types of security breaches, it cannot be overemphasized that any organization that handles electronic health information should have an active and effective HIPAA Security compliance program.  This includes, among other things, conducting testing and audits, and having clear policies and procedures in place to safeguard against unintended disclosures.

One Man's Scrap Paper Is Another Man's Treasure (part 1)

Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom.  According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital.

The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas.  When one of the boxes was not received, the auditor contacted hospital officials.  The hospital then got in touch with UPS and attempted to determine the location of the third box.  The hospital's risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite the fact that it had concerns about the possibility of wrongful disclosure if the box got into the wrong hands.  As luck would have it, it did, although it could have been much worse than ending up in the hands of a fourth grade teacher.

The mishap raises a few interesting questions.  One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination.  Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper.  I will offer my thoughts with regard to the first question in this post.  I invite you to check back for my response to the second question.

Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.  In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule.  45 C.F.R. 164.530(f).  HIPAA does not contain a mandatory security breach notification requirement.  Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information.

The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws.  In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store.  Apparently that information finally came to light after the fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system.  If the hospital had decided to notify individuals of the situation, it would likely have been faced with significant negative publicity for potentially no reason.

As it turns out, however, the box did end up in unintended hands.  In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor.  If the “lost” box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse.  However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost.  Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.

Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands.  A few come to mind.  One is having a clearly marked return address to help undeliverable boxes be returned to the proper sender.  Another is using a label marking the package as “CONFIDENTIAL” to increase awareness of the sensitive nature of its contents.  Finally, use a mail carrier whose tracking system allows a package to be traced.

Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital?


Security Breach Affects Private Information of Over 800,000 Individuals

Information technology and processing vendor SAIC recently announced on its website www.saic.com that a data security breach placed protected information of about 867,000 individuals at risk for compromise.  SAIC (Science Applications International Corporation) is a Fortune 500® company and the contractor for the TRICARE military health program. The affected information, including demographic data, Social Security numbers and some medical information, was stored on an unsecured server at one location, and some unencrypted information was transmitted over the Internet. SAIC indicates that a forensic analysis found no evidence data was compromised, but it acknowledged that the possibility exists.

What may be the most interesting aspect of this particular data breach incident is the manner in which SAIC responded.


State Laws Require Notification of Data Breaches

The media loves to report horror stories about privacy breaches that result in voluminous amounts of private health information being disclosed.  There were numerous reports of privacy breaches in 2006 and there will certainly be more in 2007.  Breaches in security and privacy are serious matters and steps must be taken to "mitigate harm."  In addition, increasing concerns with identity theft have led numerous states to pass security breach notification laws that require covered entity providers to take affirmative steps to notify the affected individuals in the event of such a breach.  Such notification is not mandated under HIPAA.


The National Conference of State Legislatures (NCSL) reports on its website that as of January 9, 2007, at least 35 states have enacted legislation that requires companies and/or government agencies to disclose security breaches involving personal information to the individuals potentially affected.  Providers should determine if their state has enacted a security breach notification law.


Meanwhile, here is a list of some fairly recent and highly-publicized breaches that resulted, in at least some cases, in a staggering amount of protected health information being compromised: