HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cedars-Sinai HIPAA Breach Worse than Feared

A member of staff at the Cedars-Sinai Medical Center in Los Angeles, CA, reported the theft of a laptop computer in a home burglary in June this year. That laptop was reported to contain the medical records of “at least 500” individuals; however a forensic analysis has now been conducted that has revealed that the number of affected individuals is actually 33,136.

The laptop was password-protected; however passwords can be cracked and they do not offer a sufficient level of protection to safeguard Protected Health Information. While HIPAA Rules do not demand that data must be encrypted – it is only an addressable area in the HIPAA Security Rule – Cedars-Sinai had decided to use data encryption software on all its portable devices.

Unfortunately, this particular laptop had recently had operating system updates performed and the encryption software had mistakenly not been reinstalled. As a result, under HIPAA Rules Cedars-Sinai was obliged to send breach notification letters to all affected individuals to advise them that their PHI may have been inappropriately accessed and that a risk remains of their data being used for fraudulent purposes.

Cedars-Sinai Issues Breach Notifications

Cedars-Sinai has now issued letters to all affected individuals and has apologized for the incident and reassured patients that it takes data security very seriously. The letter stated that the healthcare provider had “multiple security safeguards in place” and “even a potential data security incident on a single computer, as occurred here, is not acceptable to us.”

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to a statement released by the hospital, the incident was caused as a result of an employee being given access to laboratory test results, which he needed to work on outside of office hours. Authorization was provided for him to take the records home on the device. The data contained medical information, insurance policy details, driver’s license numbers, patient names and their dates of birth. Approximately 1,500 Social Security numbers were also present in the data set.

The hospital has advised patients that it is taking steps to ensure all of its laptop computers have data encryption installed to ensure that further security incidents such as this cannot occur in the future.

This year has seen a high volume of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, a high percentage of which have been caused by the loss or theft of laptop computers and other devices containing unencrypted PHI.

Data Encryption Prevents HIPAA Breaches

The use of data encryption would have prevented the disclosure of PHI in the majority of these security breaches. Data encryption is not an infallible system as security keys must be provided so that authorized personnel can access and view the data and if these keys are divulged the technology is rendered useless. However for portable devices, it is arguably the best protection against HIPAA breaches.

In 2012, the Office for Civil Rights settled with Blue Cross Blue Shield of Tennessee for $1.5 million following the theft of 57 computer hard drives containing unencrypted PHI. Concentra Health Services reported the theft of a laptop containing unencrypted PHI from its Springfield Missouri Physical Therapy Center and was ordered to pay $1,725,220 to settle potential violations.

Even Small HIPAA Breaches can Result in Substantial Fines

QCA Health Plan Inc., of Arkansas agreed to pay a $250,000 monetary settlement after a device was stolen from a car, and that laptop only contained the unencrypted records of 148 individuals.

In the case of QCA, it was not the data that was lost that resulted in such a large fine being issued, but what the OCR investigation into the incident revealed. The OCR discovered that between 2005 and 2012 QCA had committed repeated violations of HIPAA Privacy and Security Rules. There is always the possibility that even a sub-500 record breach could trigger an investigation that could potentially result in multimillion dollar fines.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.