Encryption oversight brings breach misfortune to Missouri med group
A St. Louis suburb-based orthodontist office is notifying 10,000 patients that their protected health information and Social Security numbers have been compromised following the recent burglary of company computers and hardware.
Olson & White Orthodontics reported the burglary July 22. The computers contained patients' names, addresses, X-rays, clinical diagnoses, email addresses, Social Security numbers and credit scores. Patient notification letters were mailed Aug. 28.
"We deeply regret that this incident occurred," wrote Richard White, DDS, in the patient notification letters. "We are aware of how important the security of your personal information is."
The practice indicated they're implementing additional privacy and security measures including reviewing and extending encryption protocols, adding measures to prevent future burglaries and refining current privacy policies.
Daniel Nelson, partner at Armstrong Teasdale - the firm representing Olson and White - said the practice utilizes industry standard medical office devices that "generally included encryption;" however, following the burglary, the group discovered "potential vulnerabilities" with regards to encrypted data.
The group continues to work with consultants and software vendors to address those findings, Nelson says.
According to data from the Department of Health and Human Services, theft accounts for the lion's share (52 percent) of HIPAA data breaches, with unauthorized disclosure next at 20 percent.
If the devices or laptops are encrypted, which was not the case for Olson & White, a HIPAA-covered entity generally doesn't have to worry about a breach.
Jeffrey Brown, chief information officer at 178-bed Lawrence General Hospital in Massachusetts, can attest to this.
Lawrence General Hospital has never experienced a HIPAA breach - for good reason.
"I wouldn't say (we're) lucky," said Brown, in an interview with Healthcare IT News. "Privacy and security and compliance are something that is at the top of our priority list."
Hospital employees are not allowed to bring their own devices to use for clinical purposes; rather, the hospital provides cellphones and laptops to specific employees. All devices are password protected and updated with the latest encryption technology.
"I tend to think that privacy and security in the old days was kind of looked at as a one and done deal," added Brown. "It was something that you did yearly or every two years. Risks and mitigations were presented to the organizations, and you kind of check the box. And I think now what's happening is it really is a program and a process that organizationally, and I think culturally, needs to become part of the fabric of what all healthcare entities need to practice."
With the HIPAA Omnibus Final Rule, subcontractors and business associates of HIPAA-covered entities are equally responsible for privacy and security breaches of protected health information.
Although only 16 out of some 80,000 privacy and security breach cases reported to the Office for Civil Rights since 2003 have resulted in hefty fines, OCR Director Leon Rodriguez said fines and enforcements for breaches have increased this year and will likely continue to do so. "I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable," he said in an August interview with Healthcare IT News.
OCR has collected more than $18 million from HIPAA violations and settlements.
Just this August, the agency announced a $1.2 million settlement with the New York-based Affinity Health Plan after the company failed to erase the protected health information of more than 344,000 patients that was contained in leased photocopiers.