HIPAA security gaffe puts PHI on Google

Google users may have come across the protected health information of nearly 33,000 individuals over the last two months, after a health system's security gaffe left patient data exposed online.
 
The three-hospital Cottage Health System in Santa Barbara, Calif., notified 32,755 of its patients Wednesday that their personal health information may have been available on Google. 
 
Third party vendor inSync, an IT services and solutions company based in California, removed electronic security protections for one of its services, unbeknownst to the health system, according to a CHS letter mailed to patients. 
 
[See also: Ready or not: HIPAA gets tougher today.]
 
The lack of security protections resulted in the exposure of a file containing PHI on the server. PHI was left unsecured and exposed for nearly two months. 
 
Patient names, dates of birth, medical diagnoses, lab results and procedures, medical record numbers, account numbers and addresses were all contained on the unsecured server, officials say. No financial data was involved. 
 
CHS said they requested that Google remove the file from its systems. 
 
"CHS takes its obligation to protect your personal health information very seriously and apologizes for any inconvenience this may cause you," wrote Steven A. Fellow, executive vice president, chief operating officer and chief compliance officer of CHS, in a letter to patients. "We want to also assure you we have taken steps to prevent this type of event from happening again, including reviewing service relationships with third party vendors, expanding and increasing the frequency of internal and external security checks, and enhancing our 'change notification system.'"
 
[See also: Stanford reports fifth big HIPAA breach.]
 
Just this July, following an investigation, the Office for Civil Rights, the division of HHS responsible for investigating HIPAA violations, ordered managed care behemoth WellPoint to hand over $1.7 million after leaving the PHI of 612,402 individuals accessible over the Internet. The data compromised included patient names, dates of birth, Social Security numbers, telephone numbers and health information.
 
WellPoint established no safeguards verifying the person or entity seeking access to the electronic protected health information, and it failed to perform technical evaluation following an IT system software upgrade, according to OCR officials. 
 
Since 2009, when the HIPAA privacy and security breach notification rules went into effect requiring HIPAA-covered entities notify HHS for breaches involving more than 500 individuals, some 27 million individuals have had their protected health information compromised.