6 biggest HIPAA breach fines

5. $1.7 million - Alaska Department of Health and Human Services - June 2012

Individuals affected: 501 – An unencrypted USB hard drive containing patient information was stolen from a DHSS employee's car. After conducting an investigation, OCR officials found that DHSS had failed to complete a risk analysis, implement adequate security measures, provide security training for its employees, or address device encryption.

Image: https://www.healthcareitnews.com/sites/hitn/files/shutterstock_139252880.jpg

5. $1.7 million - WellPoint - July 2013

Individuals affected: 612,402 – The protected health information, Social Security numbers and demographic data of patients were accessible to unauthorized users over the Internet for nearly five months. An OCR investigation determined that WellPoint failed to perform an adequate technical evaluation in response to a software upgrade. The managed care company also neglected to implement user verification technology for the Web-based patient database. Photo: Plurimus, 2009

Image: https://www.healthcareitnews.com/sites/hitn/files/3890620906_5feb08c2a6_o.jpg

4. $1.73 million - Concentra Health Services - April 2014

Individuals affected: 870 – An unencrypted Concentra laptop was stolen in November 2011, and according to OCR officials, from 2008 to 2012 the healthcare company failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases. In 2008, almost 28 percent of Concentra laptops were not encrypted, and a complete inventory to assess this did not occur until four years later. Photo: M.O. Stevens, via Wikimedia Commons

Image: https://www.healthcareitnews.com/sites/hitn/files/concentra_urgent_care_in_tanasbourne_-_hillsboro_oregon.jpg

3. $2.25 million - CVS Pharmacy - January 2009

Individuals affected: NA – A 2007 OCR investigation, launched in response to media reports, found that several CVS pharmacies were disposing of protected health information in public dumpsters. The Federal Trade Commission, in collaboration with OCR, also launched an investigation into CVS. Officials determined that the pharmacy chain did not have adequate policies and safeguards in place to protect patient data and dispose of it properly. Photo: Ron Cogswell, 2011

Image: https://www.healthcareitnews.com/sites/hitn/files/6395985647_efcb299999_z_0.jpg

2. $4.3 million - Cignet Health Center - October 2010

Individuals affected: 41 – From 2008 to 2009 the Maryland-based health center denied 41 patient requests for their medical records, for which the medical group practice was fined $1.3 million. Moreover, during the investigation into the allegations against Cignet, the practice refused to respond to several of OCR's demands to produce the records and failed to cooperate with investigation requests, OCR officials said. For this, the practice was fined $3 million. Photo: Google, 2013

Image: https://www.healthcareitnews.com/sites/hitn/files/cignet.png

1. $4.8 million - New York Presbyterian Hospital and Columbia University - May 2014

Individuals affected: 6,800 – An OCR investigation discovered that the HIPAA breach occurred when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network that contained ePHI. Because of a lack of technical safeguards, the server deactivation resulted in ePHI being accessible on Google. The data was so widely accessible online that the entities learned of the breach only after receiving a complaint from an individual who saw the ePHI of their deceased partner, a former NYP patient, online. Photo: Paul VanDerWerf, 2014

Image: https://www.healthcareitnews.com/sites/hitn/files/0614-hitn-cov-privacy-new_york_presbyterian.jpg

Since 2009, when the HIPAA breach notification requirement took effect, nearly 31.4 million people have had their protected health information compromised in privacy and security breaches.
