The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this ever-lengthening parade on the HHS List of PHI breaches affecting 500 or more individuals (the List Breaches). Previous blog posts in this series, including those discussed here and here, covered the volume of List Breaches that occurred in earlier periods.

It took nearly 3½ years between the inception of the HHS List on March 4, 2010 and August 13, 2013, to reach 646 postings, for an annualized average of approximately 189 postings per twelve-month period. In less than twelve months from August 13, 2013 to July 29, 2014, 239 more marchers have joined the parade on the HHS List.

A total of 430, or almost one-half (48.6%), of the 885 List Breaches reported the breach type to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 73 additional List Breaches that reported the breach type as a “loss” of various types (excluding as a loss item any List Breach that also reported theft as a breach type) are added to the 430 theft events, the total for the two categories swells to approximately 503, or 56.8% of the 885 posted List Breaches. Combining the two categories appears to make some sense, as it is likely that a number of the List Breaches categorized as a “loss” event may have involved some criminal aspects.

Even more significant may be the fact that approximately 272 (30.7%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices (collectively, Portable Devices). Theft or loss of Portable Devices thus constituted 54.1% of the approximately 503 List Breaches that reported theft or loss as the breach type.
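As an added illustration (not code from the original post), the following Python script reproduces the tallying method this series uses over a constructed sample in the shape of the HHS list CSV export: theft of any kind, loss counted only where theft was not also reported, and the share of those events involving laptops or other portable electronic devices. The column names, every entry in the sample, and the counts it yields are assumptions for illustration, not real postings; it also computes the 60-day notification outer limit discussed later on this page.

```python
"""Tally breach-list rows the way this blog series does: theft of any kind,
loss counted only where theft was not also reported, and the share of those
events that involved laptops or other portable electronic devices."""
import csv
import io
from datetime import date, timedelta

# Constructed sample in the shape of the HHS list CSV export. Column names and
# every entry below are assumed for illustration; they are not real postings.
SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Clinic A,ND,1500,2013-09-11,"Improper Disposal, Unauthorized Access/Disclosure","Desktop Computer, Other"
Hospital B,MA,2400,2012-05-01,Loss,Laptop
Provider C,MI,1200,2010-12-01,Theft,Laptop
Agency D,IN,800,2011-01-10,Theft,Laptop
Practice E,TX,600,2013-01-15,"Theft, Loss",Paper
Insurer F,CA,5000,2012-08-01,Hacking/IT Incident,Network Server
Group G,NY,900,2013-03-02,Loss,Other Portable Electronic Device
Lab H,FL,520,2011-06-10,Theft,Desktop Computer
"""

# Locations the series groups together as "Portable Devices".
PORTABLE_LOCATIONS = {"laptop", "other portable electronic device"}

# HITECH outer limit for notifying affected individuals and the Secretary.
NOTIFICATION_DAYS = 60


def split_field(value):
    """The list packs several categories into one comma-separated cell."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def classify(row):
    """Return (is_theft, is_loss_only, is_portable_theft_or_loss) for one row."""
    types = split_field(row["Type of Breach"])
    locations = split_field(row["Location of Breached Information"])
    is_theft = "theft" in types
    # A row reporting both theft and loss is counted once, under theft.
    is_loss_only = ("loss" in types) and not is_theft
    involves_portable = bool(locations & PORTABLE_LOCATIONS)
    return is_theft, is_loss_only, (is_theft or is_loss_only) and involves_portable


def tally(csv_text):
    """Counts and percentages in the same form the blog series reports them."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(rows)
    theft = loss_only = portable = 0
    for row in rows:
        is_theft, is_loss_only, is_portable = classify(row)
        theft += int(is_theft)
        loss_only += int(is_loss_only)
        portable += int(is_portable)
    theft_or_loss = theft + loss_only

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    return {
        "total": total,
        "theft": theft,
        "theft_pct": pct(theft, total),
        "theft_or_loss": theft_or_loss,
        "theft_or_loss_pct": pct(theft_or_loss, total),
        "portable": portable,
        "portable_pct_of_total": pct(portable, total),
        "portable_pct_of_theft_or_loss": pct(portable, theft_or_loss),
    }


def notification_deadline(discovered_iso):
    """Last permissible notification day (ISO date) under the 60-day limit."""
    discovered = date.fromisoformat(discovered_iso)
    return (discovered + timedelta(days=NOTIFICATION_DAYS)).isoformat()


if __name__ == "__main__":
    for key, value in tally(SAMPLE_CSV).items():
        print(f"{key}: {value}")
    # Discovery date quoted on this page for the Henry Ford breach.
    print("deadline:", notification_deadline("2010-09-24"))
```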

As has been emphasized in the past, it may have become more a question of when a covered entity (CE), business associate (BA) or subcontractor (SC) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in Portable Devices that can create, receive, maintain and transmit PHI requires CEs, BAs and SCs to perform adequate risk assessments and establish effective policies and procedures respecting employer-supplied and personally-owned Portable Devices.

It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA.  This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a “Large Breach”), CEs must notify the affected individuals, the Secretary of the U.S. Department of Health and Human Services (“HHS”) and perhaps media outlets without unreasonable delay and in no case later than 60 days following a Large Breach. In turn, HHS posts each of such Large Breaches on its Web site list (the “HHS List”).

On September 11, 2013, the HHS List posted a Large Breach relating to Minne-Tohe Health Center/Elbowoods Memorial Health Center (collectively, the “Center”) that occurred on October 1, 2011 (the “2011 Breach”), almost two full years before the posting on the HHS List. The HHS List reveals that 10,000 individuals were reportedly affected by the 2011 Breach, which was reflected as attributable to “Improper Disposal, Unauthorized, Access/Disclosure” of a “Desktop Computer, Other.” There are several interesting aspects about the 2011 Breach.

First, the lapse of almost two years before the disclosure of the 2011 Breach represents one of the longest for a Large Breach on the HHS List that was attributable to an event which occurred on a single day.  There are numerous Large Breaches on the HHS List that were reported by CEs as having extended for years, such as the most recent item posted to the HHS List on September 26, 2013 for South Shore Physicians, PC,  which reflected a “Date of Breach” as running from 1/01/2006- 01/12/2012.

Second, while the circumstances surrounding the 2011 Breach are very unclear, one can speculate, based on limited facts available on the Internet, that there may be a credible explanation for the delay.  That being said, it is very difficult to locate descriptive information on the Internet regarding the 2011 Breach or the Minne-Tohe Health Center itself (“MTHC”).  There is no current Web site for MTHC.  While the Elbowoods Memorial Health Center (“Elbowoods”) has a Web site, recent and current information is limited, and there would appear to be no reference to the 2011 Breach.

What one can deduce from an October 27, 2011 press release (the “Press Release”) from North Dakota Governor Jack Dalrymple is that, at the time of the 2011 Breach, MTHC was the main medical facility for the Three Affiliated Tribes (consisting of the Mandan, Hidatsa and Arikara Nation) on the Fort Berthold Reservation, located west of New Town, ND.  According to the Press Release, MTHC served as the Reservation’s main clinic for more than 40 years.

The purpose of the Press Release, however, was primarily to celebrate the grand opening of Elbowoods in New Town, a $20 million clinic to provide expanded health care services to the Reservation.  The Press Release says, “The 43,000-square-foot facility, which opened October 17, [2011] replaces the existing Minne-Tohe Health Center located west of New Town.”

The foregoing information, limited as it may be, appears to provide a possible  explanation for the long delay in disclosure of the 2011 Breach.  At the reported time of the 2011 Breach, MTHC was in the process of winding down its 40 years of operations, and its personnel were transferring and transitioning the operations, including presumably the health records of MTHC, to Elbowoods.  The likely tumult of activity in early October 2011 at MTHC may have brought about a loss of contact with the PHI that was the subject of the 2011 Breach.

Other aspects relating to the 2011 Breach are unexplained by the lack of public information, such as whether affected individuals were duly notified, even two years later, as required by HIPAA.  Nonetheless, the 2011 Breach stands for the proposition that a CE that becomes a marcher in the Parade of Large Breaches may be well served by publishing sufficient information, including the reasons, if any, for a potential violation of HIPAA in addition to the Large Breach itself, e.g., undue delay in breach notification, as opposed to leaving meaningful questions unanswered.

Elizabeth Litten and Michael Kline write:

For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”).  If I’m a resident of Indiana and a client of FSSA, I may have received a surprise in the mail sometime between April 6th and late May or early June of this year.  I might have opened my FSSA mail to see detailed information about another FSSA client that could have included their name, address, case number, date of birth, gender, race, telephone number, email address, types of benefits received, monthly benefit amount, employer information, some financial information such as monthly income and expenses, bank balances and other assets, and certain medical information such as provider name, whether the client receives disability benefits and medical status or condition, and certain information about the client’s household members like name, gender and date of birth.

What did (or should) I do with all this PHI?  In an announcement made on July 1, 2013, the FSSA is telling its clients to return the accidentally mailed documents to the local FSSA office, or to shred them.  The FSSA provides detailed information as to how the breach occurred (a programming error made by its BA document management systems contractor, RCR Technology Corporation), and what steps can be taken by individuals whose information might have been breached to protect their credit.  But the FSSA is notably vague in providing details as to how recipients of other FSSA clients’ information should make sure that the information is not disclosed to others.  A client that has held on to the private information of another client since receiving it in April, May, or June might decide to take it to the local FSSA office in person (risking that it could be left on a bus or in a car or simply lost along the way), might send it to the wrong address, or might not think to put “Personal/Confidential” on the envelope or mark it in a way that would alert the person opening it to its private contents.  Possibly even worse, the client might simply dump it in the regular or recyclable trash (opened or even unopened in the belief that it is junk mail) where unknown persons can retrieve it.

This is the second reported large PHI security breach suffered by the FSSA as a covered entity (“CE”) at the hands of a BA.  The Department of Health and Human Services (“HHS”) list of large PHI security breaches reflects that the FSSA as the CE reported that, on November 9, 2010, its BA, the Southwestern Indiana Regional Council on Aging, had experienced the theft of a laptop computer containing unprotected PHI of 757 individuals.

Of course, programming mistakes and the many other human and technical errors that lead to breaches are and will continue to be, despite the parties’ best intentions, unavoidable.  Responding promptly, thoughtfully, and accurately to PHI breaches will be key in minimizing damage.  While the FSSA appears to have responded promptly, thoughtfully, and accurately, it is unclear when the FSSA first learned of the breach and its scope from its BA to report the breach to affected individuals and HHS within the maximum period of 60 days from discovery.  Finally, including more specific, practical instructions regarding what to do when someone else’s PHI shows up in your mail or lands in your hands could help avoid further breaches and would remind the public to treat PHI with particular care.

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As of January 1, 2013 (and as of today), there were 525 postings of List Breaches.

A previous blog post reported that, on February 24, 2012, HHS listed the 400th List Breach. As the first postings on the HHS List occurred on March 4, 2010, an average of about 200 postings of List Breaches were recorded in each of its first two years. However, in the 10-plus months between February 24, 2012 and January 1, 2013, 125 additional List Breaches were posted, which on an annualized twelve month period basis would translate into 150 List Breaches. It is not yet clear whether the lower volume of List Breaches since February 2012 is attributable to increased caution and better practices in protecting PHI on the part of covered entities (“CEs”) and business associates (“BAs”), greater use of encryption and other practices to protect PHI, slower postings of List Breaches by HHS, other factors or a combination thereof.

Of the total of 525 List Breaches posted through January 1, 2013, there were approximately 274 (52.2%) events that attributed the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the 60 additional List Breaches listing the category of “loss” of all types are added to the 274 “theft” events, the total for the two categories swells to approximately 334 or 63.6% of the 525 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.

Even more revealing may be the fact that approximately 193 (36.8%) of the 525 List Breaches listed the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices.  Theft or loss of laptops or other portable electronic devices thus constituted 51.6% of the 334 List Breaches that involved reported theft or loss. 

Over the last 10 months since the number of List Breaches passed 400, it appears that the relative percentage of List Breaches attributable to theft and loss is trending mildly upward. Of the 125 additional reported List Breaches, approximately 86 or 68.8% listed theft or loss as the source of the PHI breach. The number of such 125 List Breaches that reported theft or loss of laptops or other portable electronic devices was 37 or 29.6%, a lower percentage than the 36.8% for all 525 List Breaches.  The sample sizes are relatively small, so that further following of these numbers is warranted.

My partner, William Maruca, Esq., recently posted a blog entry highlighting the fact that the first breach settlement announcement by HHS in 2013 (the “2013 Settlement”) involved a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It was the first fine by HHS for a PHI security breach that involved fewer than 500 individuals and, therefore, was below the threshold for a List Breach. 

While the parade of List Breaches continues to lengthen, the 2013 Settlement underscores the fact that there are many more PHI security breaches involving fewer than 500 individuals. The PHI security breaches that are not List Breaches are receiving increased scrutiny by HHS. As this blog series has emphasized in the past, it may become more a question of when a CE or BA will suffer a PHI security breach and how severe the breach will be, rather than if it will suffer a breach. All CEs and BAs must exercise vigilance and use recommended protection procedures to avoid all PHI security breaches, not just large List Breaches. The continuing proliferation of the use of portable electronic devices to receive, access and store PHI should be monitored, as it can be expected that this type of security breach will continue to expand.

This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which was reported by the Hospital as having been password protected but not encrypted, did not include financial data or Social Security numbers.

The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop that contained unsecured PHI. Nonetheless, it is uncertain as to whether the PHI stored on the computer has been or will be inappropriately accessed and used.

The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital’s Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.  

The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, an endeavor to open the links under that heading to referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the Code of Conduct has a bottom line on each page that recites a publication date of 12/06, well before the enactment of the federal HITECH Act.

A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as the Hospital’s chief information officer was quoted in the Globe article, the Hospital should, at a minimum, as many other covered entities that have suffered PHI security breaches have done, prominently place its press release respecting the Breach on its Web site.

The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.

Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection and transporting outside of the United States of laptops and other electronic devices that contain PHI.

On June 24, 2011 Steve Lohr reported in The New York Times that Google is ending its three year initiative into the world of online storing by consumers of personal health records.  Google Health had promoted this as a significant application of its “cloud computing” platform. 

A visit to the Google Health Web site reveals the following statement:

An Important Update about Google Health

Google Health will be discontinued as a service.

The product will continue service through January 1, 2012.
After this date, you will no longer be able to view, enter or edit data stored in Google Health. You will be able to download the data you stored in Google Health, in a number of useful formats, through January 1, 2013.

The Lohr article quotes a blog posting of Aaron Brown, senior product manager for Google Health, to which the Google Health Web site also directs readers. Mr. Brown states that the goal of Google was to “translate our successful consumer-centered approach from other domains to health care and have a real impact on the day-to-day health experiences of millions of our users.”  However, Mr. Brown admitted in his blog post, “Google Health is not having the broad impact we had hoped it would.”

Mr. Lohr points out, “Google is by no means the only company to abandon the field of consumer health records. Revolution Health, for example, retired its personal health record service last year, citing few users.”  He also quoted others who attributed the lack of users to a variety of causes, including heavy and continuous demands on the time of consumers to maintain current, accurate and complete online health records, loss of consumer appetite to other more appealing computer applications, the complexity of the health field, and greater success of online health records when providers or insurers are partnering in the process.

A significant reason for the lack of attraction to Google Health that was not mentioned in the Times article may be the reasonable uneasiness that consumers have about privacy and security of their personal health information (“PHI”). In April 2010, a posting was entered on our blog series entitled, “Does the Reported Massive Theft of Password Information at Google Undermine Confidence in the Privacy and Security of Google Health.” That posting addressed PHI privacy and security problems experienced by Google Health at that time. Specifically, according to a Times article by John Markoff, Google Health suffered a breach of the password system that controlled access by millions of users worldwide to almost all of the company’s Web services, including email and business applications.

Thus the conclusion of our April 2010 posting may have been another significant reason for the termination of the Google Health experiment in online personal health records:

If the reported security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health is not as in control of his or her PHI as the Google [Health Privacy] Policy may lead one to believe. . . . The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation. 

This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.

On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on volunteertv.com. In the article, Ms. Starke reported that UTMC had announced that 8,000 patients’ medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."

What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach issue at Henry Ford Health System in Michigan ("HFHS"). That post raised questions as to the thoroughness of the report that HFHS had placed on its website relative to the incident.

Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.

A visit today to the U.S. Department of Health and Human Service ("HHS") website which lists reported breaches of unsecured PHI incidents affecting 500 or more individuals reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list reflects the "Date of Breach" of the UTMC event of "Improper Disposal of Paper Records" as "2009-09-23." Obviously the year should be "2010" not the "2009" date listed. It is unclear whether the hospital reported the wrong year to HHS or that HHS incorrectly transcribed it.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.

This blog has been following how requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a continuing flow of breaches of PHI involving highly respected and sophisticated providers and insurers. 

The giant Henry Ford Health System (“Henry Ford” or the “health system”) in Michigan has joined the march. On November 19, 2010, Henry Ford posted on its Web site a “Required Substitute Notice” (the “Notice”) under HIPAA/HITECH. The Notice discloses that the health system has notified and apologized to “affected patients” that their information related to prostate services received between 1997 and 2008 was affected by a breach of unsecured PHI. Henry Ford reported that it learned on September 24, 2010, that “an employee’s laptop computer storing the information was stolen from an unlocked urology medical office.”

While no Social Security numbers, health insurance identification numbers or medical records were apparently stored on the stolen laptop, other elements of PHI were present on the laptop. To provide support for those affected by the PHI breach, as has been done by other providers and insurers, Henry Ford has responsibly offered a free year of identity monitoring, protection and remediation service to the potential victims. 

There are a number of interesting aspects of the Notice itself. The Notice states that “[u]nder federal law, health care organizations are required to notify patients within 60 days of a breach of unsecured health information.” As stated in an earlier posting on this blog, the time frame for providers and insurers to give notice to affected individuals and the U.S. Department of Health and Human Services (“HHS”) of a PHI security breach involving 500 or more individuals is “without unreasonable delay and in no case later than 60 days from discovery of a breach.”

If the PHI breach was discovered by Henry Ford on September 24, 2010, the sixtieth day would be November 23, 2010. Therefore, that part of the notification requirement was clearly satisfied. It is a factual matter, however, as to whether, under the circumstances, the notification by the health system on or about the 53rd day met the other standard that notice was provided “without unreasonable delay.”

Another aspect of the Notice was that it did not disclose the number of affected patients. A visit today to the HHS Web site that lists breaches of unsecured PHI affecting 500 or more individuals reveals that the Henry Ford security breach is not yet posted.  Since the required time frame for the health system to notify the HHS is the same as that for notifying affected patients, the HHS Web site should soon post such information.

Perhaps one of the most concerning aspects of the security breach is the report by Henry Ford that “[w]hile the laptop was password protected, the patient information stored on the computer could potentially be viewed on the computer.” Chief Privacy Officer of Henry Ford, Meredith Phillips, was quoted as saying that, to prevent future patient information breaches, “employees will be re-educated in the steps necessary to protect patient information stored on computers.” She also stated that  “the process will be improved for how employees obtain a laptop computer for work purposes.”

Henry Ford is taking reasonable measures to forestall another similar incident. Clearly, however, current technological security protection practices, such as passwords, even if followed as in the Henry Ford case, are not sufficient to avoid a security breach. Unfortunately, re-education of employees and adding new limitations on issuance of laptops will not protect providers or insurers against negligence, rogue employees who may download PHI on their own computers, outright thieves within or without the organization, computer hacking and a host of other threats.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself. 

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.

Note: The title and substance of this blog entry has been substantially amended in response to a helpful comment by an anonymous fellow blogger. I am grateful that others are reading our blog posts and have sufficient interest in the topic to comment. To assist readers, the highly appreciated comment is set forth in full as follows:

I read your blog post, "MISSING FROM THE PARADE OF LARGE PHI SECURITY BREACHES – REASONABLY PROMPT POSTING BY THE SECRETARY OF HHS ON THE HHS WEBSITE," and wanted to let you know:

You’ve been looking at the wrong url. The HHS breach list has been updated frequently since June, but they moved the breach report url to here in July.

HHS never put a forward, redirect, or notice on the old url, and I’ve seen a number of sites, like yours, misled by the unannounced move and I’ve tried to let fellow bloggers know.

When you go to the new page, note that there are also csv and xml formats. Those files may, in some cases, be a bit more current than the list you see when you go to the web site.

Hope this helps.

The Breach Notification Rule in the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), relating to public disclosure of security breaches of Protected Health Information (“PHI”), has continuously been bringing to light new breaches of PHI involving highly respected and sophisticated healthcare providers and insurers (generally, “covered entities”). 

The HITECH Act requires covered entities to notify, among others, Kathleen Sebelius, Secretary (the “Secretary”) of the U.S. Department of Health and Human Services (“HHS”), respecting a PHI breach involving 500 or more individuals. The notification to the Secretary is to be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of PHI. . . .”

What is supposed to happen, however, when the Secretary receives the report of a PHI breach involving 500 or more individuals? The Website “HIPAA Survival Guide” quotes Section 13402(e)(4) of HITECH as follows:

(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach . . . in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Unfortunately, the original URL address (the “Old URL”) for the HHS list relative to breach notification (the "List") was changed by HHS with no apparent notice in July 2010 and has not been updated since that time. From late June 2010 until the original posting of this blog entry, I was visiting the Old URL on at least a weekly basis on the assumption that HHS had simply not been updating the List on a timely basis. 

A fellow blogger advised me that HHS changed the Old URL to a new URL (the “New URL”) but never put a forward, redirect or notice on the Old URL as to the change. It would seem reasonable and relatively easy for the Secretary at a minimum to do one or more of the following to assist those who may mistakenly visit the obsolete Old URL:

(1) keep the Old URL, while prominently placing on the old URL information about the change to the New URL;

(2) close the Old URL and automatically redirect visitors to the New URL; and/or

(3) issue a press release or notice about the change from the Old URL to the New URL and post it prominently on the general HHS Website.

It is not too late for the Secretary to correct any further misunderstandings by appropriate action. If HHS is serious about encouraging compliance by covered entities, HHS should lead by example and act reasonably with respect to its own statutorily-mandated HITECH responsibilities.