4-year-long HIPAA breach uncovered

Breach discovered in random health system audit
By Erin McCann
In the world of HIPAA privacy and security breaches, 2013 was a big year, and the last days of December proved no exception. 
 
The five-hospital Riverside Health System in southeast Virginia announced earlier this week that close to 1,000 of its patients are being notified of a privacy breach that continued for four years. 
 
From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The employee was a licensed practical nurse, according to a Daily Press account. The breach wasn't discovered until Nov. 1, following a random company audit.
 
 
"Riverside would like to apologize for this incident," said Riverside Spokesperson Peter Glagola, in a Dec. 29 notice. "We are truly sorry this happened. We have a robust compliance program and ongoing monitoring in place, and that's how we were able to identify this breach. We are looking at ways to improve our monitoring program with more automatic flags to protect our patients."
 
The practical nurse who inappropriately accessed the records has had their employment terminated, according to Riverside officials. 
 
HIPAA covered entities and, more recently, business associates can be slapped with fines of up to $50,000 per HIPAA violation due to willful neglect that goes uncorrected. Entities could face $10,000 per violation due to willful neglect when the violation is properly addressed. 
 
Just this past month, the Department of Health and Human Services settled with Adult & Pediatric Dermatology of Concord, Mass., for $150,000 over alleged violation of HIPAA privacy, security and breach notification rules. 
 
According to an HHS press release, an unencrypted thumb drive containing the protected health information of 2,200 individuals was stolen from an employee's car. However, when HHS' Office for Civil Rights conducted an investigation, it was discovered the practice had failed to conduct adequate risk analyses and did not comply with breach notification requirements. 
 
 
When Healthcare IT News spoke with OCR Director Leon Rodriguez back in August about where HIPAA-covered entities most often make their biggest misstep, he pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis," he said.
 
2013 also brought with it some of the biggest HIPAA privacy and security breaches to date. Advocate Health Care, for example, reported the second-largest HIPAA breach, compromising the PHI of more than 4 million individuals after four unencrypted laptops were stolen from one of its facilities back in July. 
 
Out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.