Postal Workers Union Files Charges over Post Office HIPAA Data Breach
Earlier this year the U.S Postal Service was targeted by cybercriminals who gained access to a database containing the confidential data of past and present post office workers, including social security numbers, names, addresses and telephone numbers. The HIPAA breach also affected a limited number of customers; those who contacted the postal service between Jan. 1 and Aug. 16, although no customer data was limited to telephone numbers, names and email addresses. The USPS started planning increased security measures after it was notified by the FBI about the breach, although action to protect the data was delayed according to the Washington Post, with measures to tackle the security issues only implemented in early November this year. In addition to facing potential fines from the OCR for the HIPAA breach, the USPS is now under the scrutiny of the American Postal Workers Union which filed for unfair labor practices last month following on from the breach and how the USPS responded. The charges were filed with the National Labor Relations Board with the Union believing that it...
Beth Israel Fined $100,000 for HIPAA Data Breach
A laptop computer was stolen from Beth Israel Deaconess Medical Center in May 2012. It was not being transported and was not left unattended in a car. The theft occurred inside the hospital with the laptop stolen from a physician’s desk. Data stored on the laptop included Protected Health Information of close to 4,000 patients and employees, including Social Security numbers, addresses, telephone numbers and other personal identifiable information. In total, 3,796 patients and employees of Beth Israel had confidential data exposed and potentially exposed to criminals. Beth Israel Deaconess Medical Center has now agreed to settle a complaint and pay $100,000 after the Massachusetts attorney general’s office alleged that the laptop theft could have been prevented had proper security measures been in place. There were two area of concern: General security at the hospital which facilitated the theft of the device and a failure to use data encryption to protect the PHI of patients. The Attorney General’s office claimed that the data security failures at Beth Israel broke the law and lax...
Extended Data Breach Notification Deadline for California Healthcare Providers
A recent change to the California legislation will extend the time limit for issuing data breach notifications, with certain healthcare providers being allowed up to 15 days to issue notifications to affected persons under Assembly Bill 1755. The current deadline is 5 days. Under AB1755, healthcare providers covered by California Health and Safety Code Section 1280.15 must issue a notice of a breach of medical data to the California Department of Public Health and any individual affected – or their representative. This change affects clinics, health care facilities, hospices and home health agencies. In addition to the 10-day extension to the notification deadline some additional flexibility has been introduced with AB1755 regarding the method of contacting any patient affected by a data breach. The law currently requires that the patient (or his/her representative) is notified by mail to their last known address. The change accommodates HIPAA regulations on confidential communications (45 CFR 164.522(b)) under which a covered healthcare provider may “accommodate reasonable...
Court Dismisses CMIA Claim for $4 Billion in Damages for HIPAA Breach
Under the California Confidentiality of Medical Information Act (CMIA), companies can be fined billions of dollars for breaches in security leading to the loss of patient medical data. A Californian health care organization has recently escaped a fine of $4 billion after it lost the medical records of over 4 million of its patients. The court case saw plaintiffs filing for $1,000 in damages for the loss of data that occurred when a hard drive containing the unencrypted patient database was stolen from a health care center. The company avoided paying damages because while the laptop – and the data – was clearly stolen; it was not possible to determine if the data had been viewed. Without proof that the data had been accessed by an unauthorized individual, it was not possible to determine on the balance of probabilities that an “injury” had been sustained for which the defendant could be held liable. Because statutory damages of $1,000 can be claimed under CMIA law, any data theft or loss often results in legal action being commenced on the grounds of professional negligence,...
Malware Potentially Exposes HIPAA Data at North Carolina Dermatology Clinic
Central Dermatology Center & Carolina Medi-Spa is the latest healthcare institution to experience a HIPAA breach as a result of malware. The malicious software was discovered on one of the central servers of its IT network on Sept 25, 2014 according to a statement issued by the facility. The notice, released on Friday, explained that as soon as the problem was discovered, an investigation was launched and forensic IT experts were enlisted to determine the nature of the malware and the data that it could have potentially compromised. The investigation determined that electronic health data had potentially been exposed by the malware, although there was no mention of the number of individuals that were believed to be affected. The data that has been compromised includes Social Security numbers, contact telephone numbers, addresses, dates of birth, age, sex and race information as well as hospital billing and diagnostic codes. The database also includes data such as health insurance policy numbers, provider details, co-payment information, treatment dates, employment details and...



