HIPAA Breach or Not? When the OCR Must be Informed?
The Health Insurance Portability and Accountability Act lays down the procedures which must be followed after covered entities (CEs) discover that hackers have gained access to networks, laptops containing unencrypted PHI have been lost or stolen or members of staff have been found to have accessed patient health records without authorization. But how can you tell if your incident is a HIPAA breach or not? When the OCR must be informed of a Data Breach Not all data breaches are HIPAA breaches and not all HIPAA breaches involve data breaches. So, when should the OCR be informed and how should a data breach be classified? The Omnibus Rule made a number of amendments to terminology and definitions in HIPAA. The Breach Notification Rules were not amended, so the response to breaches remains the same as before, but additional elements were changed, most importantly relating to how a breach is reviewed. The change places a requirement on the CE to determine the level of risk that exists after a breach has occurred, and to conduct a thorough risk assessment to determine if PHI has...
300,000 Records Exposed in University of Maryland Security Breach
309,079 staff and students at the University of Maryland have been affected by a security breach that exposed Social Security numbers, names, dates of birth and university ID numbers. The victims are from the Shady Grove and College Park campuses, and their information was stored in an old database containing the records of people who had previously been issued with University identity cards. The records date back to 1998. Hackers were able to gain access to the database via a server, in spite of several layers of security being in place. They located the database and essentially “made a Xerox of it and took off” according to Brian Voss, the University of Maryland’s Vice President and Chief Information Officer. Once inside the network, the hackers were able to make a copy of the data, but what is concerning in this incident is the how the hackers past the several layers of security that U-Md had put in place. A recent data breach report in the Washington Post reported Voss as saying “what most concerns him is the sophistication of the attack.” He went on to say that the hacker or...
Brookings Report: HIPAA Hacks Up 1,800 Percent
A new report by the Brookings Institution predicts a wave of HIPAA data breaches in 2015 and claims that the healthcare industry is particularly vulnerable to attack and that there is a lack of consequences for healthcare providers that violate HIPAA Rules. The report suggests that if breaches are to be avoided, healthcare providers, health plans, clearinghouses, and business associates must invest more heavily in IT security and must be further incentivized to make changes to improve privacy and security standards. The Brookings Institution was founded in 1916 following the formation of the Institute for Government Research (IGR) and was the first organization devoted to analyzing public policy issues at the national level. The organization has produced numerous influential proposals for Congress, homeland security, and a number of intelligence operations and has helped shape debates and influenced national policies. The latest report focuses on data security in the healthcare industry, and the timing of its release couldn’t be more appropriate, in the week that followed the...
Central Texas Clinic Notifies 8,700 of HIPAA Breach
A central Texas clinic, Lone Star Circle of Care of Georgetown, has learned that a backup file containing the personal information of 8,700 individuals has been available through the community health center’s website for a period of six months, during which time it was accessed on a number of occasions by unknown individuals. The file was created on 31st July 2014; however the data breach was not discovered until 9th January 2015. The breach has been attributed to the actions of an individual employed by a company tasked with designing, maintaining and securing the website. That person had accidentally generated a backup file which was subsequently placed in an unsecured folder accessible to the public via the Lone Star website. No direct link to the file was posted online, although the file was accessible through the website search facility and could be downloaded in full by anyone able to locate it. The file was not secured with a username or password and at this stage is not clear how many individuals were able to download the data. LSCC has confirmed that no medical information...
Wearable Devices Carry High Risk of Causing HIPAA Violations
Advances in technology have allowed wearable devices to be developed to monitor health and fitness, and while these gadgets, monitors and sensors have potential to greatly improve healthcare, they also carry a high risk of a causing a HIPAA violation. Over the past 12 months the number of devices in use has grown at a tremendous rate. In 2013 the market for wearable devices was estimated to be worth $1.4 billion and by 2024, sales of wearable devices are expected to generate $70 billion per year. High Risk of Data Exposure Wearable devices include fitness bands, such as those developed by Fitbit, which record detailed data during exercise and everyday living. In 2011, users of the devices discovered just how much personal information was saved, stored and unfortunately for many, also shared with the online community. Some discovered their exercise data had been indexed by Google and was publicly available. Not only was data from jogging, cycling and running sessions recorded, but also much more personal information including other forms of “exercise”. This included kissing,...



