Silverberg Surgical and Medical Group is alerting patients to the potential exposure of highly sensitive Protected Health Information after an error made in the configuration of a document scanner resulted in patient information being accessible via the internet.
The device had been used to scan documents containing personal information such as patient names, dates of birth, contact telephone numbers, home addresses, fax numbers, and e-mail addresses. Some patients’ Social Security numbers were exposed, as were medical record numbers, health plan ID numbers, beneficiary numbers, medical information, full-face photographs and state license numbers: a smorgasbord of data that could potentially be used by criminals to commit medical, insurance and identity fraud.
Silverberg discovered the security breach on August 28, 2015, and immediately launched an investigation. That investigation revealed the device had posted data online since September 10, 2013. The company has now secured the device and data and has enlisted the help of a specialist data security firm to conduct a forensic data analysis to determine whether data was accessed during that time frame.
The matter has also been reported to various law enforcement agencies, including the FBI, and government and state authorities have also been notified of the security breach. Affected individuals have now been notified by mail, and are being offered a year of credit monitoring services, along with identity theft protection and identity restoration services through Kroll.
A Risk Analysis is a Vital Element of HIPAA Data Security Rules
The data breach highlights the importance of conducting a full and thorough risk analysis to identify data security vulnerabilities. The risk analysis is one of the most important elements of the HIPAA Security Rule, since security vulnerabilities cannot be addressed until they have first been identified.
A risk analysis is not a one-time data security measure to be performed once to achieve HIPAA compliance. If any device or software system has the potential to alter, record, transmit or otherwise touch PHI, it must be analyzed for security vulnerabilities regularly.
Checks must also take place after work has been conducted on medical devices to ensure that protections remain in place and data is adequately secured. A failure to conduct regular risk assessments is a violation of HIPAA Rules, and can potentially result in stiff financial penalties being issued by the Department of Health and Human Services’ Office for Civil Rights, state attorneys general and other government regulatory bodies.
The Silverberg Surgical and Medical Group data breach was discovered just a few weeks after the Department of Health and Human Services’ Office for Civil Rights fined Cancer Care Group, P.C. for HIPAA Security Rule violations.
The announcement of the $750,000 fine came with a warning to all HIPAA-covered entities to ensure a risk analysis is conducted to address security vulnerabilities, and make sure all devices capable of storing or transmitting PHI are appropriately secured.