East Bay Perinatal Medical Associates Data Breach Announced
An East Bay Perinatal Medical Associates data breach has recently been announced, in which names and dates of birth of patients have been exposed. The healthcare provider is now sending notification letters to patients warning them of the privacy violation.
The healthcare provider became aware of the breach of personal information on June 2, 2015. The data breach was not uncovered by the hospital; instead it was brought to the attention of East Bay Perinatal Medical Associates (EBPMA) by the Berkeley Police Department as a result of a totally unrelated investigation. 1,494 individuals have been affected according to the HHS breach report.
Berkeley Police Discover East Bay Perinatal Medical Associates Data Breach
Law enforcement discovered a list of patient names stored on a laptop computer used by an employee of the hospital. An investigating officer alerted the healthcare provider to the potential breach of personal information and the laptop computer was retained by law enforcement. EBPMA’s Information Technology Security Consultant subsequently arranged for the data to be securely and permanently deleted. It would appear that the only disclosure of information was to law enforcement officers.
The list of names was not compiled with malicious intent. According to a statement released by EBPMA, “This list was created as part of the employee’s duties for cataloging our 2012 records.”
Did the East Bay Perinatal Medical Associates Data Breach Warrant Breach Notification Letters?
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to issue breach notification letters to patients if their Protected Health Information is compromised. There are 18 identifiers covered by HIPAA, including patient names and dates of birth.
HIPAA states that a data breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” However, HIPAA-covered entities are permitted to make the decision about whether to issue breach notification letters to patients.
HHS says that breach notifications are not necessary if a covered entity establishes there is “a low probability that the protected health information has been compromised based on a risk assessment.”
Risk assessments must be conducted following a data breach to determine the exact data exposed; the likelihood of re-identification of an individual; the person or people who viewed the data; whether any disclosure of that data has taken place; and the extent to which risk has been mitigated.
In this case, the East Bay Perinatal Medical Associates data breach involved data being copied onto the laptop by an individual who was authorized to complete the task. However, the data was viewed by an unauthorized individual: a law enforcement officer. While the risk of that information being used or stolen is very low, the data was accidentally disclosed; therefore breach notification letters were necessary.
The penalty for not issuing breach notifications can be severe, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has already issued fines to organizations that have failed to issue breach notification letters. Fines of up to $1.5 million can potentially be issued by the OCR for breach notification failures.
Patients have now been notified of the breach of their personal information, and have been advised to obtain credit reports from the three credit agencies (Experian, Equifax, and TransUnion) as a precaution.
According to the breach notice, “significantly, and fortunately, no Social Security numbers, financial information, contact nor medical information was listed.”
An Abundantly Cautious Breach Response
The breach was minor, although potentially it could have been worse. East Bay Perinatal Medical Associates has therefore taken the decision to re-train staff to prevent similar incidents from occurring in the future. “We have re-trained our employees on our patient security practices, and have specifically addressed the matter with the employee,” said an EBPMA spokesperson.
Even though the risk of inappropriate use of the data is believed to be low, credit monitoring services have been provided to patients for a period of one year. Under HIPAA rules, this additional protection was not required, and neither was it required by California state laws.
California data breach law says: “If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.”
However, credit protection services are only required if “Social Security numbers, driver’s license numbers or California identification card numbers” are compromised or exposed. The minimum term for credit protection services is 12 months under California law.
This abundantly cautious breach response is commendable, as it was not required under state or federal laws; instead the services appear to have been offered solely to protect patients.