2,200 Michigan Dental Patients Notified of PHI Breach
2,200 Blue Chip Dental patients have been notified that a backup system installed to safeguard patients’ protected health information (PHI) has played a part in its exposure.
The Social Security numbers, medical insurance information, names, and addresses of patients have potentially been compromised as a result of the loss of a portable storage device used to store data backups.
Late last year, Blue Chip Dental implemented a backup system to better protect patient data. The backup system was installed “to store our digital information offsite in case of fire or other disaster to our building,” according to the substitute breach notice placed on the company website. The backup system was part of a $25,000 digital security overhaul.
On January 26, 2016, a portable storage device used for the backup system was discovered to have gone missing. No evidence has been uncovered to suggest data have been obtained or accessed inappropriately although the missing backup drive has now been declared lost.
Blue Chip Dental contacted the firm used to install the digital security system and was initially told that data stored on the drive was not at risk of being exposed. However, three weeks later Blue Chip Dental was informed that was not the case, and data on the drive could potentially be accessed. It is not clear from the breach notice whether the system included data encryption for backup files and an error had been made configuring the system, or whether the backup system did not encrypt data.
In response to the breach, Blue Chip Dental’s IT providers “have fixed the issue with the portable hard drives.” Higher levels of security have also been implemented to prevent future breaches of this nature from occurring.
This incident highlights just how important it is for HIPAA-covered entities to only deal with vendors that are able to confirm that their systems, or the systems they install, offer the necessary protections required by HIPAA. Vendors must also sign a business associate agreement (BAA) to this effect.
If a covered entity implements an IT system that they have assurances offers the required level of protection for ePHI and a compliant, signed BAA has been obtained, liability for a data breach may be avoided.
HIPAA Data Backup Requirements
The Health Insurance Portability and Accountability Act requires covered entities to develop policies and implement procedures to ensure PHI can be recovered in the event of a disaster. This means that retrievable, exact copies of PHI must exist. See 45 C.F.R. § 164.312(a)(2)(iv) and (e)(2)(ii). These copies should be stored off site or in the cloud. A disaster that destroys the original copy should not also destroy a backed up copy of PHI.
The off-site storage of data also introduces risks to the integrity, confidentiality, and availability of e-PHI. These must be assessed by covered entities.
Encryption is not mandatory under HIPAA – encryption is an addressable implementation specification – but if any data are to be stored offsite, either on a physical backup drive or in the cloud, covered entities must ensure that those data are safeguarded.
A risk analysis must be performed to determine whether data encryption is reasonable and appropriate under the circumstances. If the risk analysis determines that data are at risk of exposure, a covered entity must ensure that those data are encrypted or that an alternative and equivalent safeguard is implemented to ensure the confidentiality and integrity of ePHI. If data encryption is not implemented, the reason for not using encryption must be documented.
Covered entities must also ensure that if portable storage devices are used for backups, they are physically secured to ensure data cannot be accessed by unauthorized individuals. Storage facilities must contain controls to limit physical access to equipment used to store ePHI. Further information on physical safeguards can be found on this HHS link.