The Parade of Major Reported PHI Breaches Creeps Ahead to 525 - Theft Continues to Dominate the Numbers

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.


Of the total of 525 List Breaches posted through January 1, 2013, approximately 274 (52.2%) attributed the type of breach to “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types are added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense, since it is likely that a number of the List Breaches categorized as a “loss” event involved some theft aspects.


Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” of laptops or other portable electronic devices. Theft or loss of laptops or other portable electronic devices thus constituted 57.8% of the 334 List Breaches that involved reported theft or loss.


Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of those 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches. The sample sizes are relatively small, so these numbers warrant further tracking.
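As an added example (not part of the original post and not a tool from HHS), the following Python script shows how the theft/loss and portable-device tallies above can be reproduced mechanically from the CSV export that the HHS list offers, including the “since the list passed 400” slice and a sanity check on posted dates. The column names, the convention that several values share one cell separated by commas, and the sample rows are assumptions and constructed data, not real HHS postings.

```python
"""Tally theft/loss and portable-device breaches from an HHS-style breach list.

Added example, not part of the original post. The column names follow the
vocabulary the post uses ("Type of Breach", "Location of Breached
Information", "Date of Breach") and are an assumption about the CSV layout;
the rows below are constructed sample data, not real HHS postings.
"""
import csv
import io
from datetime import date

# Constructed sample rows in the assumed HHS export layout.
SAMPLE_CSV = """\
Name of Covered Entity,Individuals Affected,Breach Submission Date,Date of Breach,Type of Breach,Location of Breached Information
Alpha Clinic,2159,2012-12-20,2012-12-01,Theft,Laptop
Beta Health Plan,1200,2012-03-15,2012-02-10,Loss,Other Portable Electronic Device
Gamma Hospital,8000,2010-12-01,2009-09-23,Improper Disposal,Paper
Delta Medical Group,650,2011-06-30,2011-06-01,"Theft, Unauthorized Access","Desktop Computer, Paper"
Epsilon Urology,5000,2010-11-19,2010-09-24,Theft,Laptop
Zeta Labs,900,2012-08-01,2012-09-15,Hacking/IT Incident,Network Server
"""

THEFT_LOSS = {"theft", "loss"}
PORTABLE = {"laptop", "other portable electronic device"}


def split_multi(field):
    """Assumed convention: several values in one cell, separated by commas."""
    return {part.strip().lower() for part in field.split(",") if part.strip()}


def parse_rows(text):
    """Parse the CSV text into dicts and pre-compute the fields we tally on."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_submitted"] = date.fromisoformat(row["Breach Submission Date"])
        row["_occurred"] = date.fromisoformat(row["Date of Breach"])
        row["_types"] = split_multi(row["Type of Breach"])
        row["_locations"] = split_multi(row["Location of Breached Information"])
        rows.append(row)
    return rows


def pct(numerator, denominator):
    """Percentage rounded to one decimal, 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def tally(rows, since=None):
    """Count theft/loss events and, among them, laptop/portable-device events.

    `since` restricts the tally to breaches submitted on or after that date,
    which reproduces the post's slice of postings made after the 400th entry.
    """
    if since is not None:
        rows = [r for r in rows if r["_submitted"] >= since]
    total = len(rows)
    theft_loss = [r for r in rows if r["_types"] & THEFT_LOSS]
    portable = [r for r in theft_loss if r["_locations"] & PORTABLE]
    return {
        "total": total,
        "theft_loss": len(theft_loss),
        "theft_loss_pct": pct(len(theft_loss), total),
        "portable": len(portable),
        "portable_pct_of_total": pct(len(portable), total),
        "portable_pct_of_theft_loss": pct(len(portable), len(theft_loss)),
    }


def implausible_dates(rows):
    """Names of postings whose breach date falls after the submission date."""
    return [r["Name of Covered Entity"] for r in rows
            if r["_occurred"] > r["_submitted"]]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print("all postings:", tally(rows))
    print("since 2012-02-24:", tally(rows, since=date(2012, 2, 24)))
    print("breach date after submission:", implausible_dates(rows))
```

Two caveats for anyone running this against the real export. First, a record whose type is “Theft, Unauthorized Access” is counted once under theft/loss, so the sets never double-count a posting. Second, the date check only catches a breach date that postdates the submission; a wrong year that makes the breach look older than it was, as in the University of Tennessee posting discussed later in this series, is indistinguishable from a genuinely old breach and has to be spotted by reading the entry.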


My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 


While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

Boston Children's Hospital: Reported Large PHI Security Breach in Argentina Gives the Parade a New International Flavor

This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which was reported by the Hospital as having been password protected but not encrypted, did not include financial data or Social Security numbers.

The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop that contained unsecured PHI. Nonetheless, it is uncertain as to whether the PHI stored on the computer has been or will be inappropriately accessed and used.

The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital's Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.  

The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, an endeavor to open the links under that heading to referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the Code of Conduct has a bottom line on each page that recites a publication date of 12/06, well before the enactment of the federal HITECH Act.

A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as the Hospital’s chief information officer was quoted in the Globe article, the Hospital should, at a minimum, as many other covered entities that have suffered PHI security breaches have done, prominently place its press release respecting the Breach on its Web site.

The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.

Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection and transporting outside of the United States of laptops and other electronic devices that contain PHI.

Google is Shutting Down the Three Year Initiative of Google Health into Online Personal Health Records

On June 24, 2011 Steve Lohr reported in The New York Times that Google is ending its three year initiative into the world of online storing by consumers of personal health records.  Google Health had promoted this as a significant application of its “cloud computing” platform. 

A visit to the Google Health Web site reveals the following statement:

An Important Update about Google Health

Google Health will be discontinued as a service.

The product will continue service through January 1, 2012.
After this date, you will no longer be able to view, enter or edit data stored in Google Health. You will be able to download the data you stored in Google Health, in a number of useful formats, through January 1, 2013.

The Lohr article quotes a blog posting of Aaron Brown, senior product manager for Google Health, to which the Google Health Web site also directs readers. Mr. Brown states that the goal of Google was to “translate our successful consumer-centered approach from other domains to health care and have a real impact on the day-to-day health experiences of millions of our users.”  However, Mr. Brown admitted in his blog post, “Google Health is not having the broad impact we had hoped it would.”


Mr. Lohr points out, “Google is by no means the only company to abandon the field of consumer health records. Revolution Health, for example, retired its personal health record service last year, citing few users.”  He also quoted others who attributed the lack of users to a variety of causes, including heavy and continuous demands on the time of consumers to maintain current, accurate and complete online health records, loss of consumer appetite to other more appealing computer applications, the complexity of the health field, and greater success of online health records when providers or insurers are partnering in the process.


A significant reason for the lack of attraction to Google Health that was not mentioned in the Times article may be the reasonable uneasiness that consumers have about the privacy and security of their personal health information (“PHI”). In April 2010, a posting was entered on our blog series entitled, “Does the Reported Massive Theft of Password Information at Google Undermine Confidence in the Privacy and Security of Google Health.” That posting addressed PHI privacy and security problems experienced by Google Health at that time. Specifically, according to a Times article by John Markoff, Google suffered a breach of the password system that controlled access by millions of users worldwide to almost all of the company's Web services, including email and business applications.


Thus the conclusion of our April 2010 posting may have been another significant reason for the termination of the Google Health experiment in online personal health records:


If the reported security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google [Health Privacy] Policy may lead one to believe. . . . The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation. 

PHI: The University of Tennessee Medical Center Joins the Parade of Potential Security Breaches


This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.


On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on volunteertv.com. In the article, Ms. Starke reported that UTMC had announced that 8,000 patients' medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."


What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach issue at Henry Ford Health System in Michigan ("HFHS"). That post raised questions as to the thoroughness of the report that HFHS had placed on its website relative to the incident.


Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.


A visit today to the U.S. Department of Health and Human Services ("HHS") website which lists reported breaches of unsecured PHI affecting 500 or more individuals reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list reflects the "Date of Breach" of the UTMC event of "Improper Disposal of Paper Records" as "2009-09-23." Obviously the year should be "2010," not the "2009" listed. It is unclear whether the hospital reported the wrong year to HHS or HHS incorrectly transcribed it.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.

PHI: The Parade of Security Breaches Continues to Lengthen with the Addition of Henry Ford Health System

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

The giant Henry Ford Health System (“Henry Ford” or the “health system”) in Michigan has joined the march. On November 19, 2010, Henry Ford posted on its Web site a “Required Substitute Notice” (the “Notice”) under HIPAA/HITECH. The Notice discloses that the health system has notified and apologized to “affected patients” that their information related to prostate services received between 1997 and 2008 was affected by a breach of unsecured PHI. Henry Ford reported that it learned on September 24, 2010, that “an employee's laptop computer storing the information was stolen from an unlocked urology medical office.”

While no Social Security numbers, health insurance identification numbers or medical records were apparently stored on the stolen laptop, other elements of PHI were present on the laptop. To provide support for those affected by the PHI breach, as has been done by other providers and insurers, Henry Ford has responsibly offered a free year of identity monitoring, protection and remediation service to the potential victims. 

There are a number of interesting aspects of the Notice itself. The Notice states that “[u]nder federal law, health care organizations are required to notify patients within 60 days of a breach of unsecured health information.” As stated in an earlier posting on this blog, the time frame for providers and insurers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.”

If the PHI breach was discovered by Henry Ford on September 24, 2010, the sixtieth day would be November 23, 2010. Therefore, that part of the notification requirement was clearly satisfied. It is a factual matter, however, as to whether, under the circumstances, the notification by the health system on or about the 56th day met the other standard that notice was provided “without unreasonable delay.”

Another aspect of the Notice was that it did not disclose the number of affected patients. A visit today to the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals reveals that the Henry Ford security breach is not yet posted.  Since the required time frame for the health system to notify the HHS is the same as that for notifying affected patients, the HHS Web site should soon post such information.


Perhaps one of the most concerning aspects of the security breach is the report by Henry Ford that “[w]hile the laptop was password protected, the patient information stored on the computer could potentially be viewed on the computer.” Chief Privacy Officer of Henry Ford, Meredith Phillips, was quoted as saying that, to prevent future patient information breaches, “employees will be re-educated in the steps necessary to protect patient information stored on computers.” She also stated that  “the process will be improved for how employees obtain a laptop computer for work purposes.”


Henry Ford is taking reasonable measures to forestall another similar incident. Clearly, however, current technological security protection practices, such as passwords, even if followed as in the Henry Ford case, are not sufficient to avoid a security breach. Unfortunately, re-education of employees and adding new limitations on issuance of laptops will not protect providers or insurers against negligence, rogue employees who may download PHI on their own computers, outright thieves within or without the organization, computer hacking and a host of other threats.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself. 

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

Missing from the Parade of Large PHI Security Breaches - Advice to the Public by the Secretary of HHS on its Change in an HHS Website URL

Note: The title and substance of this blog entry have been substantially amended in response to a helpful comment by an anonymous fellow blogger. I am grateful that others are reading our blog posts and have sufficient interest in the topic to comment. To assist readers, the highly appreciated comment is set forth in full as follows:

I read your blog post, "MISSING FROM THE PARADE OF LARGE PHI SECURITY BREACHES - REASONABLY PROMPT POSTING BY THE SECRETARY OF HHS ON THE HHS WEBSITE," and wanted to let you know:

You've been looking at the wrong url. The HHS breach list has been updated frequently since June, but they moved the breach report url to here in July.

HHS never put a forward, redirect, or notice on the old url, and I've seen a number of sites, like yours, misled by the unannounced move and I've tried to let fellow bloggers know.

When you go to the new page, note that there are also csv and xml formats. Those files may, in some cases, be a bit more current than the list you see when you go to the web site.

Hope this helps.

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), relating to public disclosure of security breaches of Protected Health Information (“PHI”), has continuously been bringing to light new breaches of PHI involving highly respected and sophisticated healthcare providers and insurers (generally, “covered entities”). 

The HITECH Act requires covered entities to notify, among others, Kathleen Sebelius, Secretary (the “Secretary”) of the U.S. Department of Health and Human Services (“HHS”), respecting a PHI breach involving 500 or more individuals. The notification to the Secretary is to be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of PHI. . . .”

What is supposed to happen, however, when the Secretary receives the report of a PHI breach involving 500 or more individuals? The Website “HIPAA Survival Guide” quotes Section 13402(e)(4) of HITECH as follows:

(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach . . . in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Unfortunately, the original URL address (the “Old URL”) for the HHS list relative to breach notification (the "List") was changed by HHS with no apparent notice in July 2010, and the page at the Old URL has not been updated since that time. From late June 2010 until the original posting of this blog entry, I was visiting the Old URL on at least a weekly basis on the assumption that HHS had simply not been updating the List on a timely basis.

A fellow blogger advised me that HHS changed the Old URL to a new URL (the “New URL”) but never put a forward, redirect or notice on the Old URL as to the change. It would seem reasonable and relatively easy for the Secretary at a minimum to do one or more of the following to assist those who may mistakenly visit the obsolete Old URL:

(1) keep the Old URL, while prominently placing on the old URL information about the change to the New URL;

(2) close the Old URL and automatically redirect visitors to the New URL; and/or

(3) issue a press release or notice about the change from the Old URL to the New URL and post it prominently on the general HHS Website.

It is not too late for the Secretary to correct any further misunderstandings by appropriate action. If HHS is serious about encouraging compliance by covered entities, HHS should lead by example and act reasonably with respect to its own statutorily-mandated HITECH responsibilities.