Massachusetts HIPAA Case Outlines Series of Missteps$230,000 in Penalties After Two Insider Breaches
A HIPAA-related enforcement case in Massachusetts involving two insider breaches alleges a trail of missteps, including failure to take prompt action after receiving tips about potential misuse of patient information.
See Also: HIPAA Audits: A Revised Game Plan
The Massachusetts attorney general's office on Sept. 20 announced it had smacked UMass Memorial Medical Group and UMass Memorial Medical Center with a total of $230,000 in financial penalties as part of a settlement for two separate breach cases affecting a total of 15,000 individuals. Both are part of UMass Memorial Health Care.
The cases each involved former employees who allegedly inappropriately accessed patient information, which was subsequently used in identity theft and fraud crimes, including for opening cell phone and credit card accounts.
The attorney general's office tells Information Security Media Group that one of the UMass Memorial Health Care employees was criminally charged in one of the breaches, but declined to discuss details.
Failure to Act?
In both breach cases, the AG's office alleges that the UMass Memorial entities failed to take certain actions, including when information came to light from tipsters about the employees' suspected inappropriate behaviors.
The breaches were finally reported to regulators in 2014, but the alleged improper activities by the two employees in the separate incidents potentially spanned back for several years, according the complaint filed by Massachusetts Attorney General Maura Healey's office in state superior court.
The complaint alleges that the UMass Memorial entities violated the Consumer Protection Act, the Massachusetts Data Security Law and HIPAA when they failed to properly protect patients' information. Compromised patient data included names, addresses, Social Security numbers, clinical and health insurance information.
The AG's lawsuit alleges that the UMass Memorial entities "knew of these employees' misconduct but failed to properly investigate complaints related to these breaches, discipline the employees involved in a timely manner, or take other steps to safeguard the information," the AG office's statement says.
Allegations of Fraud
In the breach involving UMass Memorial Medical Center, the employee - a patient care associate/unit secretary hired in 2002 - had access to patient's PHI both electronically and on paper as part of that job.
Two times during May 2011, informants notified UMass Memorial Security that the UMMMC employee allegedly was accessing patients' records for purposes of using the personal information to open fraudulent cell phone accounts and that copies of patient records were seen in employee's home, the AG's complaint says.
An investigation into the informants' allegations by the UMass Memorial privacy and security offices concluded that although the employee had previously accessed the patient records, that access was "job-related" and that there was no information to indicate that such access was inappropriate, the complaint says.
The offices "closed the first investigation without taking any further action, and took no steps to restrict the UMMMC employee's access to PII and PHI owned or licensed by UMass Memorial," the complaint notes.
Then from March to October 2013, "several individuals who had been UMMMC patients reported to their respective police departments in the Greater Worcester area the fraudulent use of their identities to open accounts for cell phone, digital cable, satellite television, and utility services without their authorization," the complaint says.
Police notified UMass Memorial security of these reports and identified the UMMMC employee as a suspect involved.
A second investigation by UMass Memorial's privacy office - including audits of electronic patient records - "ultimately determined that there was no breach," the complaint says.
UMass Memorial closed that second investigation "without taking any further action or taking steps to restrict the UMMMC employee's access" to patients' data, the complaint notes.
In the interim, the widow of one deceased UMass Memorial patient complained several times - including to a UMass Memorial physician and then to UMass Memorial Security - about identity theft attempts in her late husband's name, including the creation of new credit cards, cell phone, and internet accounts, according to the AG's complaint.
A Third Investigation
After that, a third investigation was launched by the UMass Memorial privacy office, resulting in UMass Memorial placing the UMMMC employee on paid investigatory leave and terminating the the worker's electronic access. The employee later resigned from UMass Memorial on April 2014.
During that investigation, UMass Memorial discovered that the employee had accessed the deceased patient's electronic medical record without authorization and connected the worker to an address used to open a fraudulent account in the deceased patient's name, the complaint notes.
Those findings resulted in UMass Memorial reopening its two earlier investigations related to the UMMMC employee and consolidating them into the third investigation, the AG's lawsuit says.
That consolidated investigation, which included an additional audit examination, found that the worker accessed the electronic or paper medical records of thousands of medical center patients, the complaint notes.
The second breach at the center of the AG's settlement involved a UMass Memorial Medical Group senior payment processor in the central business office. In this role, the employee processed payments and had access to patients' information.
UMass Memorial's privacy office received several calls related to allegations that an UMMMG employee had offered patient PHI and PII in documents as payment for a debt, the complaint notes.
The UMass Memorial privacy and security offices investigated, determining that the payment processor employee "had accessed, without authorization, a batch of invoice payments that contained both patients' personal information on January 24, 2014, using another employee's access credentials," the complaint notes.
The employee was put on an investigatory leave, but then resigned a week later on May 13, 2014. UMass Memorial, however, allegedly dropped the ball again during that time.
Despite the organization's disciplinary policy in effect at the time, UMass Memorial did not deactivate the employee's electronic access until two days after the employee's resignation and eight days after the employee's investigatory suspension, the AG's complaint notes.
"Given the nature of the UMass Memorial employee's job responsibilities, the UMass Memorial audit examinations revealed that the employee may have had access to thousands of potential UMMMC patients whose electronic medical records contained PII and PHI," the complaint notes.
Besides the financial payment, the settlement with UMass Memorial requires the organization to implement breach prevention measures, including:
- Conduct employee background checks and ensure proper employee discipline for policy violations;
- Train employees on the proper handling of patient information;
- Limit employee access to patient information;
- Identify and remediate potential data security issues;
- Promptly investigate suspected improper access to patient information.
In addition, the UMass Memorial entities are also required to hire an independent third-party firm to conduct a review of their data security policies and procedures, which the healthcare entities must report to the AG's office, the statement notes.
UMass Memorial Responds
UMass Memorial Health Care, in a statement provided to ISMG, says it regrets that these incidents occurred.
"In the four years since they took place, we have taken steps aimed at further strengthening our privacy and information security program. This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures."
Lessons to Learn
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the UMass Memorial cases offer lessons for other entities.
"Healthcare organization should consider the risks from insiders, including whether they have reasonable background check policies and whether these policies are being followed, whether they are limiting access to information that can be used for identity theft and proactively auditing access to such records, and whether they are sufficiently investigating any potential cases of misuse," he says.
"The last part is the most challenging, because you can only take action against an employee if you have sufficient evidence of misuse of information, and that evidence is often lacking."
Healthcare organizations also need to guard against the kind of missteps that the Massachusetts AG highlighted in the case against UMass Memorial, Greene says.
"Organizations should involve both compliance and HR to investigate, such as reviewing audit logs and interviewing both the suspected employee and co-workers," Greene says. "But entities are often stuck between a rock and a hard place, because if the employee gives a credible excuse for why he or she was accessing records, then the organization may have suspicions but insufficient evidence to proceed against the employee."
Separate HIPAA Sentencing
In a separate case in Massachusetts, the Department of Justice says that former gynecologist Rita Luthra, M.D., 67, was sentenced to one year of probation following her conviction in April of one count of violation HIPAA one count of obstruction of a criminal healthcare investigation.
That case centered on the doctor for several months in 2011 giving a salesperson from pharmaceutical company Warner Chilcott access to her patients' medical records in order to produce "prior authorizations" to persuade the individuals' insurers to provide coverage for prescription drugs (see Former Physician Convicted of Criminal HIPAA Violations).