Lisa Madigan, the Illinois Attorney General, has filed a lawsuit against a Northbrook HIPAA Business Associate (BA) for failing to destroy medical records prior to disposal. The BA is alleged to have exposed the PHI of at least 1,500 individual patients.
The complaint says that the attorney general’s investigators found 1,500 medical records at Shred Spot. The company had received the medical records from Filefax Inc of 3405 Commercial Ave., Northbrook. According to the suit, as reported by the Chicago Tribune, “an individual by the name of Halina Bysiek took 1,100 pounds of paper out of the container and brought it to another Sky Harbor business, seeking cash for recycled material.” The data was allegedly left in an “unlocked garbage container behind the building in the Sky Harbor business park.”
Paul Kaufmann, owner of Shred It, identified the material as medical records and alerted his trade association, the National Association for Information Destruction. Following the advice he received, Kaufmann contacted the state attorney general’s office and an investigation was launched.
Filefax Inc. is a BA of the HIPAA-covered healthcare provider Suburban Lung Associates (SLA). In an earlier media release uploaded to the company website, the healthcare provider announced that the HIPAA breach involved data including patient names, addresses, dates of birth, phone numbers, Social Security numbers and other protected health information (PHI), including medical diagnoses and details of treatments. SLA also said, “We believe this is an isolated incident, only involving records of patients last seen in 2004.”
The incident occurred on or around February 6, 2015, with SLA learning of the security breach on February 11, 2015. The data breach notice, issued to the Department of Health and Human Services’ Office for Civil Rights (OCR) on April 13, indicates that 2,984 medical records were exposed. Breach notification letters have now been dispatched to all affected individuals and credit monitoring services have been offered.
Madigan said, “This company brazenly violated the law and jeopardized the personal information and privacy of thousands of Illinois residents.” The lawsuit cites the Illinois Consumer Fraud Act, which permits a fine of up to $50,000 for each violation, plus a further $10,000 if the victim in question is a senior citizen.
Other violations cited included the Consumer Fraud and Deceptive Business Practices Act and the Personal Information Protection Act, the latter carrying a $100 fine per record up to a maximum of $50,000.
Under HIPAA Rules, state attorneys general can issue fines of between $100 and $25,000 per violation for breaches of PHI as defined by the HIPAA Security Rule. However, OCR has the authority to issue fines of up to $1.5 million per HIPAA violation category, per year that the violation was allowed to persist. OCR has previously taken action against HIPAA-covered entities for the failure to dispose of PHI securely and has agreed to multi-million dollar settlements to resolve violations of the HIPAA Privacy Rule.
CVS Settles HIPAA Privacy Rule Violation Case with the HHS’ Office for Civil Rights
CVS is the largest pharmacy chain in the United States with more than 6,000 retail pharmacies. CVS was investigated by OCR in 2008 over alleged violations of the HIPAA Privacy Rule.
Several reports had been published in the media suggesting that CVS had been violating the HIPAA Privacy Rule by disposing of patients’ PHI in regular industrial trash containers outside several of its pharmacies. Prior to disposal, HIPAA-covered entities must first render the PHI unreadable and undecipherable, and ensure it cannot otherwise be reconstructed.
The U.S. Federal Trade Commission also launched an investigation into CVS at the same time over violations of the FTC Act. This was the first occasion on which OCR and the FTC joined forces and ran a joint investigation of a HIPAA-covered entity.
While several issues were uncovered during the investigation, the main violations discovered were the failure to implement policies and procedures to safeguard patients’ PHI during disposal, and the failure to train employees on how to dispose of PHI securely in accordance with the provisions of the HIPAA Privacy Rule.
On February 18, 2009, OCR announced CVS had agreed to settle the case for $2.25 million with no admission of liability.
In addition to ensuring PHI is disposed of in a secure manner in the future, CVS agreed to adopt a robust corrective action plan, under which it will update its policies and procedures and train staff to ensure that patient privacy is not violated again. CVS Caremark Corp., the parent company of CVS, also signed a consent order with the FTC to resolve violations of the FTC Act.
Additionally, CVS is required to undergo regular assessments by a qualified independent third party to confirm that the pharmacy chain is continuing to comply with HIPAA Rules. The reports must be submitted to OCR for 3 years, while the FTC requires monitoring of FTC Act compliance to continue for 20 years.