Massachusetts Dermatology Clinic Settles for $150K over HIPAA Breach
The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts following the accidental disclosure of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. The stolen thumb drive contained patient data and was not encrypted, meaning anyone in possession of the storage device has full access to the data it contained. The missing thumb drive has so far not been located. Although the HIPAA breach involved a relatively small number of patients, the OCR has fined the dermatology clinic $150,000 for violating HIPAA regulations and failing to ensure the PHI of its patients was properly secured. The OCR has also ordered the clinic to conduct a full risk analysis to identify any remaining privacy and security issues and to develop a risk management plan to deal with any future security breaches. The investigation conducted by the OCR highlighted a number of HIPAA privacy and security problems which should have been identified and...
Cottage Health System BA Responsible for 32,500-Patient HIPAA Breach
A HIPAA breach which resulted in the Protected Health Information of 32,500 patients of the Cottage Health System being exposed has been attributed to an error made by one of the healthcare provider’s Business Associates (BA). A third party vendor, Insync, is alleged to have inadvertently removed some electronic security protections which resulted in the health data and personal information of Cottage Health patients being accessible via the search engines. The file containing PHI was accessible via Goggle for a period of 14 months. The server was made secure on Dec 2, 2013 as soon as the security breach was discovered, and a request was sent to Google to de-index the file. An investigation revealed the security protection was removed by Insync on Oct 8, 2012. The HIPAA breach was identified by Cottage Health after it received a voicemail message “informing it that a file containing personal health information of certain patients may be available on Google,” according to a letter sent by the healthcare provider’s attorney to California Attorney General, Kamala D. Harris. The...
Practical Guidance Issued to Ensure Healthcare Mobile Devices are HIPAA
The use of mobile devices has become commonplace in healthcare, with doctors now using mobile phones to communicate with members of care teams and send updates on the status of their patients. iPads and other tablets are also often used by doctors in hospitals when conducting their rounds and physicians and other healthcare professionals use laptop computers and Smartphones when visiting patients to provide homecare services. The rapid growth of portable devices in healthcare has undoubtedly improved the care that patients receive, yet the extensive use of mobile devices increases the risk of ePHI being accessed by unauthorized personal or being stolen by cybercriminals. Mobile devices are now a major problem area and many healthcare organizations are struggling to implement procedures and policies to ensure all their devices are made HIPAA compliant. Fortunately, healthcare organizations have been given some help in this regard, with both the Office for Civil Rights and the Office of the National Coordinator having provided guidelines and tips which healthcare professionals can...
HIPAA Breach: 11K Dental Patients’ PHI Uploaded to File Sharing Website
Lanap & Dental Implants of Pennsylvania has inadvertently violated the HIPAA Rules for dentists following the posting of approximately 11,000 dental records on a torrent site used for Peer-to-peer (P2P) file sharing. P2P file-sharing sites allow users to upload data, software and all manner of digital content and share this with a select group of individuals, or make the data available to anyone who visits the site. When “torrents” are created, they are listed on any number file file-sharing websites simultaneously. Anyone searching for specific files – or types of files – can download the files. Quite a large number of people appear to have done just that. The data is listed on at least 18 file-sharing websites, and to date it has been downloaded over 9,000 times from one website alone. That number could be similar on each of the other websites, or higher. 4-year Breach of PHI and Social Security Numbers A recent report on WNEP News revealed not only had this information been uploaded to the website, but the information had been available for four years. The data appeared to...
2014 Likely to See Surge in HIPAA Data Breaches
A new report released by the Experian credit bureau predicts that 2014 is likely to be a major year for data breaches, with a surge in numbers expected over the course of the year. The report also predicts the healthcare industry will be hit hard. The report says that the reason healthcare is so susceptible to attack is the sheer size of the industry. There is what the report calls an “expanded attack surface for breaches,” due to new EHRs and Health Insurance Exchanges (HIEs), while the value and volume of data held hakes healthcare providers attractive targets for cyber criminals. Experian offers credit monitoring services, but also assists customers to recover from data breaches. The company indicated that 46% of data breaches that it dealt with last year were from the healthcare industry. The report cites a number of reasons why data breaches are expected to rise, and indicates it is mainly due to the huge organizational infrastructure changes that are required under the Affordable Care Act, HIPAA, HITECH and other legislation together with general unpreparedness, a huge number...



