HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AHMC Healthcare Omnibus Rule Violation Causes 729K HIPAA Breach

The HIPAA Omnibus Rule was introduced to improve standards of data security in the healthcare industry, and under the new Rule organizations are required to implement a number of additional measures to safeguard the health data of patients.

While many organizations have updated procedures and policies to ensure compliance with the new Rule, AHMC Healthcare failed to take action in time to prevent a security breach. Had it done so, the records of 729,000 patients would not have been exposed.

HIPAA regulations require all covered entities to implement the appropriate safeguards to ensure the Protected Health Information of patients is not placed in jeopardy. A risk analysis must be conducted and all potential security risks addressed and eliminated or reduced to a minimal level.

Laptop computers carry a particularly high risk of accidental data exposure: they can store a considerable amount of data, they are portable, and they are used outside hospitals and clinics. Laptops are frequently stolen because they have a reasonably high monetary value, although thieves are now targeting doctors and healthcare organizations for the data the laptops contain, which is far more valuable to thieves than the computer hardware. Any theft of a laptop containing unencrypted PHI is considered a HIPAA breach and could potentially result in a sizable fine, so it is essential that any PHI stored on the device is encrypted.


AHMC Healthcare operates 6 hospitals in Alhambra, California, and its facilities are gated and patrolled by security guards. However, on 12th October this year a transient walked into the compound, entered the offices, stole two laptop computers and walked off with the devices. The offices were covered by CCTV cameras, but the individual was able to leave the campus without being apprehended. The matter has been reported to the police, but so far the laptops have not been recovered.

The laptops contained a considerable amount of data on patients who had visited AHMC Healthcare facilities, and the incident is one of the largest HIPAA breaches reported to date. The 729,000 individuals affected by the breach have now been contacted to alert them to the laptop theft, and they have been advised to take precautions to safeguard their identities and monitor their credit reports.

Patients were told that their names, Medicare data, diagnoses, insurance and payment information were stored on the laptops, and they received an apology for any inconvenience caused. AHMC Healthcare will now be implementing stricter security controls to prevent any further breaches from occurring, including bringing forward its plans to encrypt all data stored on mobile devices. The incident has been reported to the OCR, and an investigation into the matter will be conducted.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.