TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


2015 Healthcare Data Breaches: Paper Tops Data Breach Location!

February 22, 2016 by Danika Brinda

Many articles are circulating that slice and dice the data from the 2015 data breaches that impacted more than 500 people. The data comes from the infamous Department of Health and Human Services’ HIPAA “Wall of Shame.” The analyses being published put a lot of emphasis on hacking and the impact it has had on healthcare over the past year. There is no doubt that hacking had a BIG impact on the data breaches of 2015; however, the data is skewed by one data breach that impacted approximately 78 Million Individuals – the Anthem data breach. In fact, three data breaches caused by hacking skewed the picture of what actually happened with healthcare data breaches in 2015. A total of 113,208,516 individuals were impacted by 266 data breaches in healthcare in 2015. The Anthem data breach (78.8 Million individuals), the Excellus data breach (10 Million individuals), and the Premera Blue Cross data breach (11 Million individuals) accounted for only 3 of the total data breaches but 88% of the total individuals whose data was breached. That is definitely a significant happening in 2015; however, it is important to look at the data as a whole and understand that outliers significantly shaped the 2015 data breach picture.

Looking at the data in several different ways can help shed some light on other important aspects of the data breaches impacting more than 500 individuals in healthcare during 2015. While hacking accounted for a large share of the individuals impacted in 2015, the category of Hacking/IT Incidents only accounted for 57 (21%) of the 266 data breaches reported on the Department of Health and Human Services HIPAA “Wall of Shame.”

Based on the number of data breaches impacting over 500 individuals, what actually occurred in 2015 besides the large Anthem data breach that skewed the view of the year? Here are some facts that may help paint an accurate picture of what occurred in 2015.

• #1 Data Breach Type: Unauthorized Access/Disclosure – 38% of 2015 Data Breaches

• #1 Data Breach Location: Paper/Films – 27% of 2015 Data Breaches

• #1 Data Breach by Covered Entity Type: Healthcare Providers – 73% of 2015 Data Breaches (chart: BD By CE 2015)

• Top Range of Number of Individuals Impacted: 1,000 – 9,999 Individuals Impacted – 53% of 2015 Data Breaches (chart: DB by Individuals 2015)

Healthcare organizations need to understand that it is not just one area that is at risk for data breaches. Each organization needs to spend time evaluating itself, and specifically the protected health information that it creates, stores, transmits or maintains, to understand what risks it has. Data breaches are being caused by a wide range of reasons, and it is important to know that hacking/IT incidents are only one of those areas to focus on. Hacking/IT incidents will definitely impact a great number of individuals, as the hackers get access to a larger amount of data; however, a data breach caused by another issue, such as an unauthorized disclosure, causes just as much damage to an individual as someone hacking into a system and gaining information. Understanding the entire picture of what occurred in healthcare data breaches in 2015 will help organizations prepare for proper protection of patient information.

Moral of the Story – don’t just focus on one item when it comes to protecting and safeguarding patient information. Focus on the privacy and security of healthcare data as a whole; it is the best defense against the unwanted data breach.

Cheers!
Danika

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Filed Under: Data Breach, HIPAA, HIPAA Compliance, Privacy Tagged With: HIPAA

Breaking Down a HIPAA Corrective Action Plan and Settlement: It’s Not All About the Money

September 14, 2015 by Danika Brinda

The headlines over the last week highlighted that an Oncology Practice in Indiana, Cancer Care Group, P.C., received a $750,000 fine for HIPAA non-compliance from the Office for Civil Rights.  After a laptop bag was stolen out of an employee’s car in 2012, the information of approximately 55,000 patients was breached, including names, addresses, dates of birth, social security numbers, clinical information, and insurance information.  The laptop didn’t have any safeguards such as encryption applied to it, creating risk for those 55,000 patients.  In the settlement, the organization must pay a hefty $750,000 fine; HOWEVER, it is only part of the corrective action settlement.  The organization must do a lot more than just pay the fine – causing additional costs and time commitments to the organization.  In addition, the corrective action plan is valid for 3 years from the effective date!!
Looking deeper into the corrective action plan (CAP) between Cancer Care Group and Department of Health and Human Services (HHS), they are also required to:
  • Conduct a HIPAA Risk Analysis within 90 days of the CAP effective date
    • Submit the Risk Analysis Report for approval to the HHS
    • If the Risk Analysis is not approved, Cancer Care Group will have 60 days to revise the Risk Analysis and submit to the HHS for approval
  • Implement an organization-wide risk management plan to address and mitigate any risks and vulnerability found during the risk analysis
    • Within 90 days of approval of the Risk Analysis from HHS, Cancer Care Group must submit the Risk Management Plan to HHS for approval.
    • If the Risk Management Plan is not approved, Cancer Care Group must update the Risk Management Plan and resubmit to HHS within 60 days.
    • Once approved, Cancer Care Group must begin the implementation of the Risk Management Plan.
  • Review and revise policies and procedures relating to the HIPAA Security Rule
    • Based on the findings from the HIPAA Risk Analysis, Cancer Care Group must review and revise all policies and procedures relating to the HIPAA Security Rule
    • All policies and procedures must be forwarded to HHS within 60 days of the approval of the Risk Management Plan
    • If policies and procedures are not approved by HHS, Cancer Care Group will have to revise and resubmit the policies and procedures within 30 days.
    • Within 30 days of approval of the policies and procedures from HHS, Cancer Care Group must implement the new policies and procedures.
  • Review and revise security rule training program based on the risk analysis findings
    • Revise and update the training program and submit for approval to HHS within 60 days of the approved Risk Analysis from HHS.
    • Within 30 days of approved training program from HHS, administer the approved training program to all Cancer Care Group workforce.
  • Any reportable events (failure of workforce member to comply with policies and procedures, security incident, potential data breach, etc.) must be promptly investigated and reported to HHS within 30 days of the awareness of the incident.
    • Notification must include: 1) a description of the event, including relevant facts, individuals involved and policies and procedure(s) impacted, AND 2) a description of actions taken and future actions planned
  • Provide HHS Annual Reports of the following for the CAP Timeframe (3 Years)
    • Updates or changes to the approved Risk Analysis or Risk Management Plan
    • Updates or changes to Cancer Care Group’s approved HIPAA policies and procedures
    • Summary of all Reportable Privacy and Security Events
    • Attestation by the appointed officer/owner at Cancer Care Group that he/she has appropriately reviewed the annual report to HHS and verification that the information is truthful and accurate.
In the event that you find your organization in the middle of a data breach that is being submitted to HHS, the proper steps should be taken to evaluate your current level of compliance.  It is best to try and identify risks and vulnerabilities to your organization immediately rather than waiting for HHS to come and mandate that you evaluate your compliance.  From the above information, HHS doesn’t just ‘go away’ after the fine is appropriately paid.  Being linked and connected to HHS for 3 years post settlement is intense and challenging.  Relying on approval from HHS of all aspects of the HIPAA Security Rule can be overwhelming and stressful.  Don’t find yourself in this situation.
Remember – your organization is the one responsible for compliance with the federal privacy and security requirements.  With Phase 2 of the HIPAA Audits on the verge of starting, now is the time to get out and evaluate.  Waiting for HHS to come in and tell you what to do, or worse, assess a fine, is something that should be avoided!
Take time to evaluate your compliance, plan your mitigation strategies and take action for compliance!
Danika

Filed Under: Breach Notification, Corrective Action Plan, Data Breach, HHS, HIPAA, OCR Fine, Policies & Procedures, Risk Analysis, Risk Management, Security, Training

Data Breach: It WILL NEVER Happen to Our Organization

June 1, 2015 by Danika Brinda

You choose your path: Be Prepared OR Be Scared.


How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” “It only happens to hospitals and insurance companies.”  The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur.  If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.

Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur.  Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated. 

Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.

  • Buffalo Heart Group, 500 to 600 impacted – a third party working under a physician accessed information outside the scope of the work to solicit patients when the physician moved to a new practice
  • Unity Recovery Group, Inc., fewer than 1,000 impacted – improper disclosures of patient information to unaffiliated recovery services
  • New Jersey Medical Center, 1,400 impacted – an e-mail with a spreadsheet meant for internal use was sent to an incorrect recipient
  • Beacon Health, unknown impacted – victim of a sophisticated phishing attack that caused unauthorized access to e-mails with PHI
  • University of Rochester Medical Group, 3,400 impacted – a former Nurse Practitioner took patients’ personal information with her when she left for another organization
  • HHC Jacobi Medical Center, 90,000 impacted – improper access and transmission of files containing PHI to a personal email account
  • Associated Dentists – theft of laptops – one was encrypted and the other was not

One piece of advice to all healthcare organizations and business associates: Be Prepared.  Don’t follow the path of so many and think that a data breach will never occur within your organization. 

If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization.  Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring. 

If additional help is needed, reaching out to experts in the industry is always a great idea.  Having third party assistance in the creation and establishment of a process for your organization can help alleviate some of the fears and challenges that healthcare covered entities face.

Be prepared, plan accordingly, and assure your breach investigation process is ready.  You never know when your organization may be the next data breach – a good response plan can save your organization from the unwanted repercussions that data breaches bring.

“If you are failing to plan, you are planning to fail.” – Tariq Siddique

Danika

Filed Under: Breach Notification, Business Associates, Data Breach, ePHI, HIPAA, Protected Health Information Tagged With: Data Breach, HIPAA

HAPPY NEW YEAR – HIPAA Style!

January 2, 2015 by Danika Brinda

2014 was an epic year for healthcare data breaches.  From hacking into systems, breaking into healthcare organizations, theft of portable media, and improper destruction of paper records, the healthcare sector saw the largest data breach increase in 2014.  With 2015 just starting out, predictions are that healthcare organizations will see another increase in the number of data breaches.  While nothing can completely eliminate the risk of a data breach to a healthcare organization, simple steps can be put into place to manage and oversee the privacy and security protections established by healthcare organizations.  By taking some simple steps with the new year, healthcare organizations can proactively manage their privacy and security programs and deter the potential data breach from occurring.  Follow the Happy New Year steps and your organization will be well on its way to effective and efficient privacy and security management of protected health information!

H – Have a strong breach investigation process defined and implemented

A – Assure regular staff training and updates on privacy and security

P – Pay attention to who has access to what information (Minimum Necessary)

P – Proactive reviews of audit logs for software that maintains protected health information

Y – Yearly risk assessment and risk management  

N – Narrow access to protected health information to only what is needed

E – Evaluation of privacy and security safeguards implemented to assure they are working effectively

W – Watch how people are working to determine how they are protecting health information

Y – Yearly review of business associates and the contracts that are established

E – Evaluate the use of encryption in the organization and document why, if encryption was not chosen

A – Adequately apply security patches and malicious software protection updates

R – Regular review of all HIPAA Privacy and security policies and procedures
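The three "access" items above (Pay attention to who has access to what, Proactive reviews of audit logs, Narrow access to what is needed) are easiest to act on when the review is scripted rather than eyeballed. The following is an added example, not TriPoint's tooling or code from this post: a small Python review that runs over constructed EHR access-log lines and a constructed roster of who is assigned to which patients, and flags access with no assigned relationship, bulk exports outside business hours, and one user touching many distinct charts in a short window. The log format, the roster, the business-hours range and the thresholds are all assumptions chosen for illustration.

```python
"""Proactive review of EHR access audit logs against a minimum-necessary roster.

Added example, not TriPoint's code. The CSV-style log format, the roster,
the business-hours range and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)           # assumption: 07:00-19:00 counts as normal hours
BULK_THRESHOLD = 3                 # assumption: >= 3 distinct patients ...
BULK_WINDOW = timedelta(minutes=10)  # ... within 10 minutes is worth a look

# Constructed roster: which workforce members have a treatment or operations
# relationship with which patients. Anyone else opening a chart is flagged.
ASSIGNMENTS = {
    "rn_jones": {"P1001", "P1002"},
    "dr_patel": {"P1001", "P1003"},
    "billing_kim": {"P1001", "P1002", "P1003"},
    # it_lee (an IT admin) has no patient assignments at all
}

# Constructed audit log: timestamp,user,action,patient_id
AUDIT_LOG = """\
2015-01-05T09:12:00,rn_jones,VIEW,P1001
2015-01-05T09:14:30,rn_jones,VIEW,P1002
2015-01-05T10:02:11,dr_patel,VIEW,P1003
# next line: physician opens a chart outside his assigned patients
2015-01-05T10:05:45,dr_patel,VIEW,P1002
# next three lines: billing exports every chart late at night
2015-01-05T22:41:09,billing_kim,EXPORT,P1001
2015-01-05T22:42:00,billing_kim,EXPORT,P1002
2015-01-05T22:42:40,billing_kim,EXPORT,P1003
# next line: IT admin views a chart with no treatment relationship
2015-01-06T08:00:00,it_lee,VIEW,P1001
"""


def parse_log(text):
    """Parse 'timestamp,user,action,patient' lines; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return entries


def review(entries, assignments):
    """Return a list of findings; each finding is the log entry plus a 'rule' key."""
    findings = []

    # Rule 1 (minimum necessary): access to a patient the user is not assigned to.
    for e in entries:
        if e["patient"] not in assignments.get(e["user"], set()):
            findings.append({"rule": "NO_ASSIGNED_RELATIONSHIP", **e})

    # Rule 2: exports or prints outside business hours deserve a second look.
    for e in entries:
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["action"] in {"EXPORT", "PRINT"} and not in_hours:
            findings.append({"rule": "AFTER_HOURS_EXPORT", **e})

    # Rule 3: one user touching many distinct patients in a short window
    # (reported once per user, at the moment the threshold is first reached).
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
    for user, user_entries in by_user.items():
        user_entries.sort(key=lambda x: x["ts"])
        for i, e in enumerate(user_entries):
            recent = {x["patient"] for x in user_entries[:i + 1]
                      if e["ts"] - x["ts"] <= BULK_WINDOW}
            if len(recent) >= BULK_THRESHOLD:
                findings.append({"rule": "BULK_ACCESS", "distinct_patients": len(recent), **e})
                break
    return findings


def summarize(findings):
    """Count findings per rule, for the reviewer's weekly summary."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(parse_log(AUDIT_LOG), ASSIGNMENTS)
    for f in results:
        print(f["rule"], f["ts"].isoformat(), f["user"], f["action"], f["patient"])
    print(summarize(results))
```

Running it prints six findings on the constructed log: two chart accesses with no assigned relationship, three after-hours exports, and one bulk-access flag for the billing user. The rules are deliberately simple so that a privacy officer can explain each flag; a real roster would come from the scheduling or ADT system and the flags would be worked as tickets, not treated as proof of wrongdoing.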

Healthcare organizations should no longer ignore or overlook their compliance with the HIPAA regulations.  In order to prevent data breaches and protect patient information, it is important that a detailed HIPAA Governance program be established.  With the start of a fresh new year, it is time to re-write the HIPAA story and manage how patient information is protected!

Danika

Filed Under: Business Associates, Data Breach, HIPAA, New Year, Privacy, Protected Health Information, Security

2014 Data Breaches: A Review of a Monumental Year

December 15, 2014 by Danika Brinda

Looking back at 2014, the year brought a lot of concern and fear about the effective management of protected health information by healthcare organizations and business associates.  It has also been a memorable year for healthcare data breaches.  In 2014, healthcare organizations and business associates reported 301 large data breaches (a data breach that impacts more than 500 people) – an increase from the 226 large data breaches reported in 2013.  Along with a 33% increase in large data breaches, 2014 will also be known as the year the FBI warned healthcare organizations that they are at high risk for data breaches due to the lack of security measures and oversight of the protection of the data.

2014 Data Breach Facts

  • 88 of the 301 Data Breaches had business associates involved
  • 48.6% of the breaches were caused by theft
  • 21.6% of data that was breached was stored on paper
  • 11,506,782 people were impacted by data breaches
  • 10% of data breaches were caused by Hacking/IT Incidents
  • 7 States didn’t report any data breaches (MT, ND, HI, RI, VT, WV, ME)
  • $7,940,220 was collected in HIPAA fines by the Office for Civil Rights
  • 40 – Largest number of data breaches in one state (California)
  • 4,932,154 – Largest number of people impacted in one state (Tennessee)
  • 18 Data Breaches suffered by one covered entity (Oregon Health Insurance Exchange)

Data Breaches by State in 2014

State | Number of Data Breaches | People Impacted
Alaska | 1 | 2,743
Alabama | 3 | 55,466
Arkansas | 3 | 10,713
Arizona | 4 | 109,828
California | 40 | 1,055,254
Colorado | 6 | 41,096
Connecticut | 3 | 7,390
Delaware | 1 | 1,667
Florida | 29 | 216,210
Georgia | 10 | 365,793
Iowa | 4 | 7,087
Idaho | 1 | 6,900
Illinois | 14 | 67,059
Indiana | 11 | 268,208
Kansas | 3 | 18,894
Kentucky | 6 | 10,005
Louisiana | 3 | 17,051
Massachusetts | 12 | 62,189
Maryland | 4 | 259,533
Michigan | 4 | 11,688
Minnesota | 5 | 25,446
Missouri | 6 | 49,895
Mississippi | 2 | 4,250
North Carolina | 6 | 27,726
Nebraska | 1 | 2,125
New Hampshire | 2 | 1,979
New Jersey | 5 | 76,314
New Mexico | 3 | 4,040
Nevada | 1 | 800
New York | 19 | 247,268
Ohio | 12 | 49,532
Oklahoma | 1 | 6,000
Oregon | 4 | 6,721
Pennsylvania | 10 | 39,902
South Carolina | 3 | 270,978
South Dakota | 1 | 620
Tennessee | 8 | 4,932,154
Texas | 28 | 2,272,685
Utah | 3 | 796,132
Virginia | 8 | 22,688
Washington | 6 | 22,771
Wisconsin | 1 | 2,400
Wyoming | 1 | 2,700


With 2015 looking to be another eventful year for HIPAA data breaches and HIPAA enforcement, healthcare organizations need to assure they are evaluating and implementing effective HIPAA oversight and governance programs.  It is essential that, no matter the size of the organization – large or small – protection of the privacy and security of patient information is at the forefront of 2015 strategies.

Information Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Danika

Filed Under: Data Breach, HIPAA, Privacy, Protected Health Information, Security
