Amedisys Discovers Data Encryption Alone May Not Prevent A HIPAA PHI Breach

The Baton Rouge based home health and hospice provider, Amedisys Inc., has issued approximately 6,900 breach notification letters to patients alerting them to a potential disclosure of their Protected Health Information.

While most data breaches involving electronic Protected Health Information arise as a result of a failure to implement data encryption, this latest HIPAA breach occurred in spite of 256-bit data encryption being employed.

The data breach was discovered during an audit of IT equipment revealed that 142 desktop computers and laptops were missing. The company ascertained that the missing computers had been issued to members of staff, but had not been recalled when the individuals’ employment came to an end. While the data was encrypted, since the security keys fort the devices remained active, the protection put in place to protect PHI was rendered useless.

The PHI stored on the computer hardware included Social Security numbers together with patient names, addresses, dates of birth, insurance ID number, medical records and other unspecified personally identifiable information.

Computers were issued to members of staff, but between 2011 and 2014, but there were no apparent policies in place to ensure that the equipment was recalled, or if this was the case, that those policies had not been translated into procedures that were followed by the security staff.

In accordance with HIPAA Breach Notification Rules, letters were issued to all affected individuals, who have also been offered credit monitoring services to mitigate any damage caused. While the healthcare provider has no reason to believe that any information has been used inappropriately, this cannot be ruled out. The company issued a statement about the incident to reassure patients and advised them that “Amedisys has no indication of external hacking into its network and no evidence that any patients or former patients have suffered any actual harm.”

Under HIPAA regulations, covered entities are required to implement a number of administrative, technical and physical controls to protect PHI. Under the Security Rule, healthcare providers should keep an inventory of devices containing PHI and must also implement access controls to prevent unauthorized individuals from being able to access that data, which includes cancelling access when employees leave the employment of the covered entity.

Under the Workforce Security Standard’s Termination Procedures section, the termination of access rights is an Addressable area; however this should have been identified as a risk when the company conducted its Risk analysis, which is a required by all covered entities. The lack of action to recall these devices suggests that the company has not conducted a comprehensive risk analysis, or if it did, that it has not effectively managed that risk.

While the physicians in question had their network access blocked once they left employment, and could therefore not access any PHI through the healthcare providers network, since they were in possession of the security keys they would have been able to continue to access any PHI that was stored on the laptops and desktop computers which had been entered prior to their employment coming to an end. This is a violation of HIPAA and could potentially result in an OCR fine. It is clear that non-compliance with HIPAA was the cause of this violation, and preventable data breaches can carry a significant fine.

Fines for willful neglect are a minimum of $50,000 per violation, up to a maximum fine of $1.5 million per violation category, per year. The number of affected individuals is taken into consideration, as is the risk to the individuals concerned. Since this violation continued for 3 years, the OCR could conceivably issue a fine of up to 4.5 million for this violation, should it decide to investigate and take action.

Amedisys Inc., has since been in contact with Booz Allen Hamilton Inc., which it is employing for assistance updating its security and inventory practices, to ensure that further data breaches of this nature are prevented.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.