Kentucky E-mail Hack Highlights Importance of HIPAA Compliance
A healthcare provider in Kentucky has notified 2,500 patients that a hacker had gained access to an email account which contained some Protected Health Information and personal identifiers, and that their data could potentially have been viewed by that individual. The incident occurred when an employee of Cabinet for Health and Family Services responded to a phishing email he had been sent by a hacker and his response allowed the hacker to gain access to his email account. Controls were in place to identify any suspicious email activity which allowed the breach to be identified quickly. Within 30 minutes of access being gained the account was closed, severely limiting the opportunity for health information to be viewed. The breach was investigated by Cabinet for Health and Family Services which determined that the motivation for the hack was to gain access to government servers to send spam emails, and was not a targeted attack to gain access to Protected Health Information. The healthcare provider believes Protected Health Information and personally identifiable information has...
Data Loss and HIPAA Breaches Biggest Fear of Health Professionals
A new report released by CDW indicates the biggest fear of healthcare IT professionals is data loss, and in the case of healthcare, the accompanying HIPAA violation penalty. It is not only the health industry that worries about data loss. The survey suggest the same fear is shared by IT professionals in all industries. Healthcare, business, finance and higher education sectors had over 50% of respondents listing data loss as their biggest concern. For healthcare providers the data includes Protected Health Information and Social Security numbers, the consequences of loss of that data can be very severe. Malicious attacks were rated as the biggest fear by 18% of respondents, 14% said evolved forms of current threats were the biggest worry and 13% believed social engineering would be the main problem. Bots and mobile threats were rated at 9% and 8% respectively, and 6% had no idea where the main threat was coming from. Perhaps that is the most worrying statistic of all. 50% of respondents believed customer, student, employee and patient records would be the most likely data to be...
Texas Women Pleads Guilty to HIPAA Violations
U.S. Attorney John M. Bales has announced that Joneshia Cranford, a 33-year-old resident of Lufkin in the Eastern District of Texas, has pleaded guilty to violations of the Health Insurance Portability and Accountability Act of 1996. Cranford was accused of inappropriately accessing the Protected Health Information of patients at the healthcare facility where she worked and disclosing that information for financial reward, with the woman pleading guilty to the wrongful disclosure of individually identifiable health information. The two individuals to whom the information was disclosed – Shavator Albro, 35, and Francis “Frank” Ibiok, 28 from Houston – have both pleaded guilty to healthcare and identity fraud charges. The willful disclosure of individually identifiable health information carries a maximum jail sentence of 10 years, while the use of that information to commit Medicare, Medicaid or Insurance fraud carries a maximum penalty of 15 years imprisonment. A sentencing date for the offenses has yet to be set. HIPAA is policed by the Office of Civil Rights of...
HIPAA Audit Protocol Published by Office for Civil Rights
The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 updated HIPAA, and as such it required the Department of Health & Human Services’ Office for Civil Rights (OCR) to conduct a program of compliance audits to ensure the new rules had been applied. Following a series of 20 preliminary pilot audits the OCR has devised an HIPAA compliance audit protocol which will be used to assess compliance at a total of 155 HIPAA-covered entities, with the audits concluding in December 2012. Since any entity can be audited – not just large healthcare providers – it is important that all organizations check their procedures and revised them as appropriate to take the new Security Rule requirements into account. The OCR has now published the long awaited details of the audit program on its website detailing the specific aspects of HIPAA, the Privacy Rule, Security Rule and Breach Notification Rules that will be assessed. OCR Pilot Audit Protocol 2012 There are three main aspects of the legislation which are being specifically tested...
Alaska DHSS Reaches $1.7M Settlement with OCR for HIPAA Security Rule Violations
The theft of a portable hard drive from an employee of the Alaska Department of Health and Social Services (DHSS) potentially exposed the ePHI of an estimated 2,000 individuals. Following an investigation by the HHS Office for Civil Rights (OCR), a settlement has been reached and the DHHS must pay the HHS $1.7 million for the HIPAA Security Rule violations. The U.S. Department of Health and Human Services’ Office for Civil Rights was alerted to the breach when the Alaska DHSS reported the hard drive theft. All healthcare organizations must submit a report of data security breaches affecting more than 500 individuals to the HHS Secretary Sebelius under Health Information Technology for Economic and Clinical Health (HITECH) regulations (Smaller breaches need only to be reported annually). A media announcement must also be made to alert potential victims and Breach Notification Rules require all individuals to be contacted and advised of the security breach to allow them to take action to protect their identities and finances. The investigation unearthed a number of non-compliance...



