Four-year EHR breach raises eyebrows

HIPAA privacy and security breaches
By Erin McCann

In the world of HIPAA privacy and security breaches, 2013 was a big year, and the last days of December proved no exception. 

The five-hospital Riverside Health System in southeast Virginia announced late December that close to 1,000 of its patients were being notified of a privacy breach that continued for four years. 

From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The employee was reportedly a licensed practical nurse, according to a Daily Press account. Health system officials did not discover the breach until Nov. 1 following a random company audit.

“Riverside would like to apologize for this incident,” said Riverside spokesperson Peter Glagola, in a Dec. 29 notice. “We are truly sorry this happened. We have a robust compliance program and ongoing monitoring in place, and that’s how we were able to identify this breach. We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”

When attempting to notify all affected patients, health system officials said they were unable to locate current contact information for all patients, so some patients may still be unaware of the breach.

The health system terminated the employment of the practical nurse who inappropriately accessed the records, according to Riverside officials. 

UPMC late last year also reported a similar incident: it discovered that an employee who was not involved in patient care had inappropriately accessed the medical records and Social Security numbers of some 1,300 patients.

“Fortunately, one of our employees who became aware of the inappropriate activity alerted hospital management in early November, and we were able to track and stop this improper behavior,” said UPMC’s vice president of privacy and information security in a Nov. 27 notice.
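Both the Riverside and UPMC cases are insider snooping: staff opening charts of patients they had no role in treating, caught only by a periodic audit or a colleague's report. The "automatic flags" Riverside mentions typically mean checking each chart access against a documented care relationship. The following is an added example written for this article, not code from Riverside, UPMC, or any EHR vendor; the log format, the relationship table, and every user and patient identifier are constructed for illustration.

```python
"""Flag EHR chart accesses that lack a documented care relationship.

Added example; not Riverside's, UPMC's, or any vendor's code. The log
format, the care-relationship table and all identifiers below are
constructed for this illustration and describe no real staff or patients.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit-log lines: timestamp, user, patient, action.
SAMPLE_LOG = """\
2009-09-14T08:02:11 nurse_a P1001 VIEW
2009-09-14T08:05:40 nurse_a P1002 VIEW
2009-09-14T13:22:07 nurse_a P1003 VIEW
2009-09-15T09:11:55 nurse_b P1002 VIEW
2009-09-15T22:47:30 nurse_a P1004 VIEW
2013-10-30T23:59:10 nurse_a P1005 VIEW
2013-10-31T07:30:00 clerk_c P1001 VIEW
"""

# Constructed care-relationship table: the patients each user is assigned
# to through admission, orders or scheduling. A user not listed for a
# patient has no documented reason to open that chart.
CARE_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002"},
    "nurse_b": {"P1002"},
    "clerk_c": set(),
}


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse the whitespace-separated constructed log format."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        accesses.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return accesses


def find_unrelated_accesses(accesses: list[Access], relationships: dict) -> list[Access]:
    """Return every access where the user has no care relationship to the patient."""
    return [a for a in accesses if a.patient not in relationships.get(a.user, set())]


def summarize_by_user(flagged: list[Access]) -> dict:
    """Per-user count plus first/last flagged access and the span in days.

    The span is what a reviewer needs: one stray lookup is a training issue,
    a pattern running for years is the kind of breach described in the article.
    """
    by_user: dict[str, list[Access]] = defaultdict(list)
    for a in flagged:
        by_user[a.user].append(a)
    summary = {}
    for user, items in by_user.items():
        items.sort(key=lambda a: a.when)
        summary[user] = {
            "count": len(items),
            "first": items[0].when,
            "last": items[-1].when,
            "days": (items[-1].when - items[0].when).days,
        }
    return summary


if __name__ == "__main__":
    flagged = find_unrelated_accesses(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS)
    for a in flagged:
        print(f"FLAG {a.when.isoformat()} {a.user} opened {a.patient} with no care relationship")
    for user, s in summarize_by_user(flagged).items():
        print(f"{user}: {s['count']} flagged accesses over {s['days']} days "
              f"({s['first'].date()} to {s['last'].date()})")
```

Run against a real audit feed, the same check would be evaluated on each access as it is logged rather than in a yearly batch, which is the difference between catching the first unrelated lookup and discovering a four-year pattern in a random audit. The relationship table is the hard part in practice: it has to be built from admissions, orders and scheduling data, and emergency or covering-staff access needs a documented exception path so the flags stay reviewable.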

HIPAA covered entities and, more recently, business associates can face fines of up to $50,000 per HIPAA violation when the violation results from willful neglect and goes uncorrected, and $10,000 per violation for willful neglect that is properly corrected.

Just this past month, the Department of Health and Human Services settled with Adult & Pediatric Dermatology of Concord, Mass., for $150,000 over alleged violation of HIPAA privacy, security and breach notification rules. 

According to an HHS press release, an unencrypted thumb drive containing the protected health information of 2,200 individuals was stolen from an employee’s car. However, when HHS’ Office for Civil Rights conducted an investigation, it was discovered the practice had failed to conduct adequate risk analyses and did not comply with breach notification requirements. 

When Healthcare IT News spoke with OCR Director Leon Rodriguez back in August about where HIPAA-covered entities most often make their biggest misstep, he pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis,” he said.

The year 2013 also brought with it some of the biggest HIPAA privacy and security breaches to date. Advocate Health Care, for example, reported the second largest HIPAA breach, compromising the PHI of more than 4 million individuals after four unencrypted laptops were stolen from one of its facilities back in July.

Out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.