Another State Announces a HIPAA Breach SettlementHospital Pays $75,000 Penalty in Case Involving Lost Unencrypted Devices
In the latest HIPAA enforcement action taken by a state, Massachusetts Attorney General Maura Healey's office has signed a $75,000 consent judgment with McLean Hospital, a psychiatric facility, for a breach that affected 1,500 individuals.
See Also: The 5 Foundational DevOps Practices
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
Among other recent HIPAA-related enforcement actions by states, the New Jersey attorney general's office on Dec. 10 announced a $100,000 settlement in a case involving health insurer EmblemHealth for a 2016 breach that exposed Social Security numbers on mailings to more than 81,000 plan members.
In March, that same EmblemHealth breach resulted in a $575,000 settlement with New York's attorney general's office involving the insurer's business associate, United Parcel Service Mailing Innovations.
"We are clearly seeing an uptick in state attorneys general filling a void through enforcement of the HIPAA rules."
—David Holtzman, CynergisTek
New Jersey's attorney general took action in another HIPAA case in April, smacking medical practice Virtua Medical Group with a $418,000 penalty for a 2016 breach. That was followed in November by a $200,000 settlement with the vendor involved in that incident, which did business as Best Medical Transcription.
State Activity Uptick
State AGs are finding that by bringing actions through their authority to enforce the HIPAA standards, and incorporating additional violations of state-enacted data security or consumer protection laws, they can pose substantial penalties that "get the attention of the public and other healthcare organizations," notes privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
"We are clearly seeing an uptick in state attorneys general filling a void through enforcement of the HIPAA rules when the Department of Health and Human Services' Office for Civil Rights has been perceived as falling short of its mission to hold accountable organizations failing to effectively safeguard personally identifiable health information from unauthorized access."
McLean Hospital Settlement
In a statement about the settlement with Belmont-based McLean Hospital, Healey's office says the case centers on a former employee who failed to return four unencrypted backup computer tapes containing personal and health information of patients, employees and deceased donors of the Harvard Brain Tissue Resource Center.
The hospital violated HIPAA as well as the state Consumer Protection Law and the Massachusetts Data Security Law when it failed to properly protect patients' information, the AG's office says.
McLean Hospital is part of the Boston-based integrated health system Partners HealthCare, which has also been the subject of a handful of other HIPAA-related enforcement cases in recent years.
That includes a $1 million HIPAA settlement in 2011 citing Partners' Massachusetts General Hospital and its physicians for a 2009 breach case involving the loss of scheduling documents for 192 patients in the hospital's General Infectious Disease Associates outpatient practice, including those with HIV/AIDS.
Missing Back-Up Tapes
In the McLean Hospital case, the Massachusetts AG's office alleges that the facility allowed an employee to regularly take home eight unencrypted back-up tapes containing clinical and demographic information from the Harvard Brain Tissue Resource Center. The tapes contained personal information, such as names, Social Security numbers, diagnoses and family histories.
"When the employee was terminated from her position at McLean in May 2015, she only returned four of the tapes, and the hospital was unable to recover the others," the statement from Healey's office says.
The AG also claims several other failures by McLean to identify, assess and plan for security risks, including failing to properly train employees, report the loss of the tapes in a timely manner and encrypt portable devices containing personal information.
"Hospitals must take measures to protect the private information of their patients," Healey says. "This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve."
In a statement provided to Information Security Media Group, McLean Hospital says that since this incident, the hospital has "continued to enhance its privacy and security practices and procedures within the brain bank and throughout the research operation. The agreement with the attorney general represents a continuation of those efforts. "
Taking the Right Steps
"Organizations maintaining personally identifiable information must account for security threats created when employees are permitted or required to remove from the worksite devices or media on the data is stored," Holtzman says.
"If you have employees that are removing the data or working remotely, it's important to make a list of the level of information to which they have access."
Organizations should encrypt PII and PHI stored on any devices or media, he says. "Keep logs of the data that is stored on portable devices and removable media. Track the movement of devices and media on which PII is stored as well as conduct periodic audits to ensure that the data can be accounted for."
Yapstone Holdings Settlement
Healey's office also announced this week a $155,000 breach-related settlement with payments processing firm Yapstone Holdings Inc. That case stemmed from exposure via the internet of the personal information of consumers, including bank account and Social Security numbers, addresses, and driver's license numbers.
The AG says Yapstone violated Massachusetts data security regulations.
The AG's office began its investigation after Yapstone notified the office of the incident in 2015.
The investigation into the incident revealed that in July 2014, while modifying Yapstone's website, the company's engineers accidentally removed password protections from public-facing websites used to sign users up for Yapstone's service.
The mistake rendered the webpages publicly viewable to anyone on the internet for more than a year, the AG's statement says. The investigation found that Yapstone employees appeared to have been aware of the vulnerability in August 2014 but neglected to fix it until August 2015, when another employee discovered it.
In addition to the financial penalty, the settlement requires Yapstone to hire a CISO, train employees on data security and assess and update information security policies relating to changes to its systems and to external vulnerabilities.