Sutherland Healthcare Solutions Suffers HIPAA Data Breach
Los Angeles County Department of Health Services has announced that the break-in and theft of computer equipment at the Torrance office of Sutherland Healthcare Solutions has resulted in as many as 168,500 patient records being exposed. The theft has been reported to the authorities and a criminal investigation has commenced, although the missing equipment has not been recovered to date. The patient information stored on the eight stolen computers is understood to include Social Security numbers and medical and billing information, in addition to patient names and contact information. Some protected medical records are also believed to have been stored on the computers which include past diagnoses. Sutherland Healthcare Solutions handles billing and collections for the Los Angeles County Department of Health Services and suffered the break-in on February 5, 2014; however it took two weeks to determine exactly how many patients were affected by the breach. Notification letters were sent out on 27th February to all individuals potentially at risk. Data privacy and security is treated...
Study Shows Healthcare IT Security is in a Shocking State
Two recent studies confirm that the healthcare industry has not invested sufficiently in IT and the general state of healthcare cybersecurity is dire. There has been a marked rise in reported data breaches in recent years and while the increase has been, in part, attributed to increased reporting of security breaches – as required by HIPAA and HITECH – there are two areas of healthcare IT security that must be immediately addressed; certainly if HIPAA violations and penalties are to be avoided. The first is training. Data breaches have many causes, although a substantial percentage result from carelessness. Doctors and nurses unaware of the rules covering the disclosure of PHI are also inadvertently causing HIPAA breaches. Hospital administrators are improperly disposing of paper records and failing to securely delete electronic health records. Physicians are still leaving laptops containing unencrypted PHI in plain sight in unattended vehicles. Tackling these issues will prevent the majority of data breaches reported to the OCR each year. The Future of Healthcare Data Security...
HIPAA Breach Report: December 2013
December 2013 HIPAA Breach Summary: The Breach Notification Rule of HIPAA places a requirement on covered entities and their Business Associates via their covered entity, to notify the Office for Civil Rights of the Department of Health and Human Services of data breaches affecting more than 500 individuals. The time limit for doing so is 60 days from discovery of the breach. This report contains a summary of the breaches which have been reported to the OCR during the month of December, 2013 Major HIPAA Breaches in December 2013 The total number of breach victims fell for the second month running, although major breaches were reported at the Methodist Dallas Medical Center (TX) where 44,000 patient records were potentially viewed or accessed as a result of the data being transmitted or stored on an insecure Internet-based email service. The L.A. Gay & Lesbian Center (CA) issued a notice to patients advising them that 59,000 had potentially been compromised in a hacking incident that potentially exposed credit card numbers, Social Security numbers and personal identifiers. The...
OCR to Commence Round 2 HIPAA Compliance Audits
The Office for Civil Rights of the Department of Health and Human Services is a step closer to commencing the second round of HIPAA compliance audits issuing a notice in the Federal Register announcing its intention to start a series 1,200 pre-audit surveys. The OCR is authorized to conduct compliance audits under Section 13411 of the HITECH Act and intends to assess compliance with HIPAA Privacy, Security, and Breach Notification Rules. The notice states that the OCR intends to survey 800 healthcare providers, clearing houses and health plans in addition to 400 of their business associates as part of the next round of compliance audits. Since the introduction of the Omnibus Rule, Business Associates can be held liable for HIPAA non-compliance issues and data breaches and the OCR wants to ensure that the new legislation is being followed. OCR Deputy Director, Susan McAndrew, announced at the 2014 HIMSS Annual Conference on February 24 that the aim of the survey is to assess suitability for audit. Since the sample was taken at random, the OCR must first weed out organizations in its...
Pre-Audit HIPAA Compliance Survey Finalized by OCR
The Office for Civil Rights has set the wheels in motion for its upcoming HIPAA compliance auditing program by filing an information collection request in the Federal Register, which post-Omnibus Rule now includes Business Associates as well as entities previously covered by HIPAA. No schedule for the audits has been announced, nor was an announcement expected. The collection request is just the first step in the process and the audits are not expected to take place until the fall of this year. The request is to allow it to conduct a pre-screening survey which will permit it to contact up to 1,200 covered entities and Business Associates, in part to gain an understanding of each organization’s readiness for audit and also to “assess the size, complexity, and fitness of a respondent for an audit.” The information the OCR plans to collect relates to recent activities in relation to HIPAA regulations laid down by the Omnibus Rule and Privacy Rule in particular. It will require information to be provided on the use of electronic patient health records which are to be the major...



