Clinic Reports Security Incident Involving HIE Access
Vendor Inappropriately Accessed Information on About 4,000 Patients
A recent incident involving a vendor using a Boston clinic employee's credentials to inappropriately access patient data via a regional health information exchange illustrates the potential risks involved as the use of HIEs continues to grow.
Codman Square Health Center, a community outpatient clinic serving the Dorchester neighborhood of Boston, reported on Sept. 12 to the U.S. Department of Health and Human Services an unauthorized access/disclosure breach.
The incident is listed on the HHS "wall of shame" website of health data breaches affecting 500 or more individuals as an incident involving a desktop computer, with no business associate present.
A breach notice issued by Codman Square on its website, however, notes that the incident involved inappropriate access to patient information via the New England Healthcare Exchange Network, or NEHEN, one of the nation's longest-running regional HIE organizations.
Clinic Reveals Details
In a statement provided to Information Security Media Group, the clinic explains the security incident: "Codman became aware that an unauthorized person employed by an outside vendor obtained access to the New England Healthcare Exchange Network by improperly utilizing a Codman employee's access. We have presently determined that approximately 140 Codman patients' information was accessed as well as that of approximately 4,000 others in the network.
"We promptly suspended or terminated the employees who were involved, terminated their access to NEHEN, and retrained all of our employees to protect against this happening in the future. Our investigation is continuing."
The protected health information that was accessible via the HIE, Codman notes in its statement, includes "information about payment for medical services - name, address, date of birth, gender, medical services payer information and medical insurance coverage information. For some individuals, Social Security numbers were also accessible. While the investigation determined that the accounts were accessed, there is no current evidence that the information was misused or further disclosed."
The clinic says individuals affected will be offered free fraud resolution services and credit monitoring for 12 months.
A Large HIE
NEHEN says on its website that it has more than 50 member organizations participating in health information exchange via the network. Those members include large Boston-area integrated health delivery systems, including Beth Israel Deaconess Medical Center and Partners HealthCare, as well as insurance plans, such as Blue Cross Blue Shield of Massachusetts.
NEHEN primarily processes transactions related to insurance eligibility and does not maintain a centralized database of patient information, John Halamka, chairman of NEHEN and CIO of Beth Israel Health System, tells ISMG. NEHEN's website notes that the exchange's technology architecture is a distributed, peer-to-peer network.
NEHEN will examine audit trails to determine more details about the incident, he says. "Facts are murky still," he adds, and NEHEN will issue a statement about the incident later.
Sorting Out the Facts
It's unclear how many healthcare organizations that are members of NEHEN may have been affected by the incident and whether those entities will also need to notify individuals impacted.
"The issues involving an HIE are enormously complicated, and will heavily depend on the facts," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
When it comes to security incidents involving HIEs, "there are lots of tricky issues in terms of who has the obligation to do what, and I would expect there to be significant scrambling from the players to figure out how best to handle this kind of situation," Nahra says.
NEHEN is in a class of health information organizations, or HIOs, as defined by HIPAA, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. "HIOs are specifically called out by the HIPAA regulations as a 'business associate' when they are maintaining, creating, transmitting PHI belonging to a HIPAA covered entity," he says.
When a business associate, including an HIO, suffers an incident determined to be a reportable breach, the covered entity must be notified about "the facts and circumstances of what occurred and which individuals are affected by the incident," he says. "Ultimately, each covered entity is responsible for notifying individuals if there has been a breach at the hands of a business associate unless there is a written agreement in which the business associate takes on that responsibility."
HIE Security, Privacy Challenges
As regulators at HHS, including the Office of the National Coordinator for Health IT, encourage healthcare entities to share patient data with the goals of improving coordination of care and patient outcomes, participation in HIE organizations could continue to grow. But that participation brings risks, including inappropriate access by healthcare insiders and others.
"Insiders are a particularly unusual threat because these are individuals who have authorized access to the information, which makes it particularly challenging to identify [inappropriate access to records]," Valita Fredland, privacy officer of the Indiana Health Information Exchange, said in a recent interview with ISMG.
Entities with sensitive information can take steps to mitigate the risks presented by insiders, she notes. "But much like hackers, however, insider threats may not be 100 percent preventable. It is important for organizations like healthcare providers and health information exchanges to have in place methods to detect insider threats, such as having anomaly-detectors on the back end - automated systems plugged into the databases which can look for and flag unusual access by users to the databases."
Every organization participating in an HIE has a responsibility to keep patient data that's shared private and secure, says Holtzman of CynergisTek. "HIEs must have strong monitoring and audit controls in place to detect and prevent unauthorized access to the PHI they hold," he says.
"Each participant in the HIE must do their part to provide training and awareness to their employees on appropriate access to patient records maintained by the HIE. And organizations participating in the HIE must carefully monitor the activities of their workforce members as well as ensure that access is granted only to those workforce members who need access to the records of other healthcare providers through the HIE."