Lack of encryption brings breach blunder
Device encryption may seem like a fairly straightforward undertaking, but it has proven to be one that HIPAA-covered entities and business associates frequently forgo -- much to their chagrin down the road, when they're notifying individuals of a privacy breach involving unencrypted personal data.
Legal Aid Society of San Mateo, Calif. is now seeing this firsthand. The public interest law firm recently notified 3,200 clients that their protected health information was compromised after 10 unencrypted laptops containing clients' Social Security numbers, medical data, names and dates of birth were reported stolen.
"We are sorry that this incident occurred and want to assure you we are carefully reviewing our procedures and practices to minimize the risk of recurrence," wrote LASSM Executive Director M. Stacey Hawver, in an Oct. 10 letter mailed out to affected clients.
When asked what the group's encryption plans were going forward, Legal Aid Society of San Mateo did not respond before publication time.
Leon Rodriguez, director of the Office for Civil Rights -- the HHS subagency responsible for investigating HIPAA privacy and security violations -- has said on numerous occasions this year that forgoing encryption is simply imprudent.
Most recently, Hospice of North Idaho learned this lesson the hard way. In the first HIPAA breach settlement case involving fewer than 500 patients, the group agreed to pay HHS $50,000 to settle potential HIPAA violations back in January over an unencrypted laptop and failing to conduct adequate risk analysis.
"Encryption is an easy method for making lost information unusable, unreadable and undecipherable," said Rodriguez when announcing the settlement back in January.
For smaller HIPAA-covered entities and business associates, encryption is seen as a considerable expense, but many say it's worth the cost, especially when taking into account post-breach legal fees, investigation costs and fraud protection often provided to affected patients.
Jeffrey Brown, chief information officer of the 178-bed Lawrence General Hospital in Massachusetts, said his hospital has never experienced a HIPAA breach -- and it's not just luck. It's because it has taken an aggressive approach to addressing privacy and security issues.
"Privacy and security and compliance are something that is at the top of our priority list," Brown told Healthcare IT News last month. All devices there are encrypted, and the hospital has an anti-BYOD policy. They provide laptops and cellphones to the relevant clinical staff.
This "triad of people, process and technology," not only "puts the consumer in a better place to be protected but also the organization," said Brown.
Entities that have forgone encryption and subsequently reported privacy and security breaches this year include Advocate Health Care, which in August reported the second-largest HIPAA privacy breach to date after four unencrypted laptops were stolen from its facility, compromising the protected health information of more than 4 million people.
The healthcare system has since been slapped with a class action lawsuit by affected patients.
This June, Stanford University announced its fifth big HIPAA breach, which affected 13,00 patients at its Lucile Packard Children's Hospital. It was Stanford's fourth breach involving the theft of an unencrypted device.
Back in March, Oregon Health & Science University reported its third big breach involving unencrypted data after the data of 4,000 patients was compromised following the theft of an unencrypted laptop.
OCR has received some 80,000 HIPAA privacy and security violation cases since 2003.