Aventura Hospital Suffers Third HIPAA Breach Exposing 82,601 Records
Aventura Hospital and Medical Center has discovered that the HIPAA breaches it suffered over the past two years were just the tip of the iceberg. It has just announced a third security breach which has affected up to 82,601 individuals. The healthcare provider has only recently identified the breach, although it started just one day after the last one was corrected.
Between Oct. 1, 2012 and Dec. 31, 2012, the data of 948 patients was exposed, with a second HIPAA breach occurring between January 1, 2012 and September 12, 2012, affecting 2,560 patients. The third breach started the following day, September 13, 2012, with access to the data continuing until June 9, 2014.
The latest HIPAA breach was caused by one of its business associates, Valesco Ventures. The company was alerted in May about an employee who could have inappropriately accessed patient data, although it was not until early June that it was confirmed that the employee in question had improperly accessed the names, dates of birth and Social Security numbers of up to 82,601 individuals, according to a report on Local10.com.
Terry Meadows, M.D., the manager of Valesco, confirmed that no financial information or medical data was exposed during the breach and “Valesco Ventures and Aventura Hospital are assisting law enforcement to identify and prosecute all responsible parties.”
Employee snooping and theft of data for personal gain can be difficult to identify and prevent, although healthcare providers are able to implement a number of policies and procedures to reduce the opportunity for employees to steal or inappropriately access data. They should also have the systems installed to rapidly identify individuals who do so.
Since the Omnibus Rule came into force, Business Associates can be held liable for any data breaches which have resulted from HIPAA violations they have caused, such as not having the appropriate technical, administrative and physical safeguards in place to protect HIPAA-covered data. The entity employing a Business Associate is also not exempt from financial penalties, should it be discovered that it too has violated HIPAA rules and has contributed to the cause of the breach.
The Office for Civil Rights has been policing HIPAA more rigorously in recent years and it has already issued a number of major fines for HIPAA violations that resulted in healthcare data, personal identifiers and Social Security numbers of patients being exposed. The OCR has the power to issue fines of up to $1.5 million per violation type, per year. In this case that could potentially see a fine of up to $3 million issued.
While such a large scale data exposure is highly worrying, so too is the time taken for Aventura and Valesco Ventures to stop the breach and notify the victims. The company first became aware of a potential HIPAA breach on May 28, 2014, when it was alerted to the fact that an employee “may have improperly accessed the personal identifying information of a number of patients of Aventura Hospital”.
It was not until three months later – Sept 9, 2014 – that the company issued breach notifications to the affected patients. Under HIPAA Breach Notification Rules, covered entities have up to 60 days to report HIPAA breaches to the OCR and notify the individuals who have been affected.
PHIprivacy.net reported on a legal notices statement it discovered, which had been issued to various media sources relating to the breach, as detailed below:
LEGAL NOTICES STATEMENT
Valesco Ventures, which provides hospital physician staffing and related services to patients in hospitals, was recently made aware of a situation involving the possible theft of personal patient information from Aventura Hospital and Medical Center. We are committed to the security of patient information, and we apologize for this incident.
On May 28, 2014, Valesco Ventures was notified that an employee may have improperly accessed the personal identifying information of a number of patients of Aventura Hospital and law enforcement was contacted. On June 10, 2014, law enforcement concluded that this employee had improperly accessed this patient information.
This information included patient names, dates of birth, and social security numbers. No personal financial or health information was improperly accessed.
Shortly after law enforcement was notified, Valesco Ventures and Aventura Hospital suspended the individual’s computer and physical access to patient data, and began assessing how to mitigate risks to all patients. Valesco Ventures and Aventura Hospital continue to work with law enforcement to preserve the information that is important to their investigation. We have since determined that the inappropriate access occurred starting on September 13, 2012 and continued through June 9, 2014.
Valesco Ventures and Aventura Hospital are assisting law enforcement to identify and prosecute all responsible parties. Valesco Ventures and Aventura Hospital and Medical Center are committed to the proper handling and protection of patient information, and have been working to review our processes and systems to further ensure that personal information is protected in a secure manner.
If you were a patient at Aventura Hospital and Medical Center and your information has been identified as inappropriately accessed, you have or will receive a letter from Valesco Ventures to explain how best to protect your personal information. If you have questions or concerns about the letter you received or would like assistance to determine whether your personal information may have been compromised, please contact our representative at 1-866-979-2595.