NJ medical group fined $418K for HIPAA business associate error

Virtua Medical Group, comprising more than 50 medical practices across New Jersey, agreed to pay a fine of more than $418,000 to the state attorney general. An investigation found that the records of about 1,600 patients were exposed. What makes this situation unusual is that the server in question was operated by a third-party business associate, in this case a transcription vendor.

The Virtua breach occurred in January 2016, when transcription vendor Best Medical Transcription updated the software on a File Transfer Protocol (FTP) site. The update inadvertently reconfigured the server to allow access without a password, and the patient records on it were indexed by Google and became searchable. Best Medical fixed the misconfiguration shortly after discovering it, but cached copies of the indexed records remained accessible through Google.
The vendor never notified Virtua. The medical group instead learned of the breach when a patient's mother called to report that she had found portions of her daughter's medical record online. Two weeks later, Virtua notified law enforcement and had each patient's information removed from Google's cache, one record at a time.
State prosecutors nonetheless alleged that, among other violations, the provider was slow to respond to the breach and failed to maintain a written log of when the FTP site was accessed. In addition to paying the fine, Virtua is required to hire a third-party professional to analyze the group's security risks.
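The two failures in this case, an FTP server that accepts password-less logins and no written record of who accessed it, are both checkable. The script below is an added example, not code from the article or from any party it names. It assumes the server runs vsftpd: it evaluates a vsftpd.conf fragment for anonymous access and transfer logging (absent directives are taken at the built-in defaults documented in vsftpd.conf(5), anonymous_enable=YES and xferlog_enable=NO), and it parses constructed lines in vsftpd.log format to build an access record and pull out every event tied to the anonymous account. The config fragments, log lines, client addresses and paths are all constructed.

```python
"""Audit a vsftpd configuration and log for password-less access and for a
missing access record.  Added example on constructed data; not code from
the article or from Virtua, Best Medical or the NJ attorney general."""
import re

# Constructed vsftpd.conf fragments: the weak setting beside the corrected one.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
xferlog_file=/var/log/vsftpd.log
"""

# Constructed lines in vsftpd.log format (xferlog_std_format=NO).
SAMPLE_LOG = """\
Tue Jan 12 09:14:03 2016 [pid 2131] CONNECT: Client "203.0.113.45"
Tue Jan 12 09:14:04 2016 [pid 2130] [anonymous] OK LOGIN: Client "203.0.113.45"
Tue Jan 12 09:14:09 2016 [pid 2132] [anonymous] OK DOWNLOAD: Client "203.0.113.45", "/transcripts/2016-01-11_visit_note.doc", 48213 bytes, 312.44Kbyte/sec
Tue Jan 12 09:20:11 2016 [pid 2140] [bmt_upload] OK LOGIN: Client "198.51.100.7"
Tue Jan 12 09:20:30 2016 [pid 2141] [bmt_upload] OK UPLOAD: Client "198.51.100.7", "/transcripts/2016-01-12_visit_note.doc", 50112 bytes, 401.02Kbyte/sec
Tue Jan 12 09:25:02 2016 [pid 2150] [anonymous] FAIL LOGIN: Client "203.0.113.99"
"""


def parse_conf(text):
    """Return {directive: value} for a vsftpd.conf body, ignoring comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_conf(text):
    """Flag password-less access and missing logging.  Absent directives are
    evaluated at the vsftpd.conf(5) defaults: anonymous_enable=YES,
    xferlog_enable=NO, so an unconfigured server fails both checks."""
    conf = parse_conf(text)
    findings = []
    if conf.get("anonymous_enable", "YES").upper() == "YES":
        findings.append("anonymous_enable is YES: clients can log in without a password")
    if conf.get("xferlog_enable", "NO").upper() != "YES":
        findings.append("xferlog_enable is not YES: logins and transfers are not logged")
    return findings


# One vsftpd.log line: ctime timestamp, pid, optional [user], optional OK/FAIL,
# event name, client address, and for transfers the path and byte count.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?:(?P<status>OK|FAIL) )?(?P<event>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?'
)


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_log(text):
    """Build a per-account access record (the written log the prosecutors said
    was missing) and isolate everything done under the anonymous account.
    CONNECT lines carry no account and are left out of the record."""
    records = [r for r in map(parse_log_line, text.splitlines()) if r and r["user"]]
    anonymous = [r for r in records if r["user"] == "anonymous"]
    return {
        "access_log": records,
        "anonymous_logins": [(r["ts"], r["ip"]) for r in anonymous
                             if r["event"] == "LOGIN" and r["status"] == "OK"],
        "anonymous_downloads": [r["path"] for r in anonymous
                                if r["event"] == "DOWNLOAD" and r["status"] == "OK"],
        "failed_logins": [(r["ts"], r["user"], r["ip"]) for r in records
                          if r["status"] == "FAIL"],
    }


if __name__ == "__main__":
    print("weak config:", check_conf(WEAK_CONF))
    print("hardened config:", check_conf(HARDENED_CONF))
    result = audit_log(SAMPLE_LOG)
    for r in result["access_log"]:
        print("ACCESS", r["ts"], r["user"], r["status"], r["event"], r["ip"], r["path"] or "")
    print("anonymous downloads:", result["anonymous_downloads"])
```

Run against a real server, the config check belongs in whatever reviews a vendor's build before it goes live, and the log audit is only useful if xferlog_enable is already on; with the weak configuration there is nothing to parse, which is exactly the gap the prosecutors cited. Closing the hole on the server does not clear copies a search engine has already cached, so the log audit also tells you which paths to request removal for.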

No fine for Best Medical? Business Associates are expected to adhere to the same standards as Covered Entities, yet in this case the vendor appears to have got off lightly. Whether or not that is an anomaly, the case is a clear signal to Covered Entities that they must properly vet their Business Associates and confirm that they are working with organizations that understand, and can comply with, HIPAA requirements.

Verizon Report: Insider breaches prove troublesome for healthcare

Verizon has released its annual Protected Health Information Data Breach Report. The results show that healthcare differs from other industries in that insider threats were more common than external ones, accounting for about 58% of healthcare breaches. But why?

For internal actors, the access that healthcare workers have to patients' personal information affords a convenient means to commit fraud of various kinds (tax return fraud or opening lines of credit, for example). Insiders are also prone to curiosity; accessing patient data outside their job responsibilities is reflected in the 94 incidents in which "fun" was the recorded motive. The admission of a family member, acquaintance or well-known personality to a hospital can tempt employees who have technical access to that patient's health record but no direct role in providing care or services to that patient. Any unwarranted access to that record simply to satisfy curiosity is considered a breach. Lastly, convenience comes into the picture when insiders do something that makes their work easier but, as a consequence, also puts data at risk, such as violating data handling policy by storing sensitive data on unapproved hardware.

So how can the healthcare industry stop insiders from exposing protected data? Technical safeguards certainly help, but it is ultimately up to the people inside an organization to do their part. Proper training and awareness of HIPAA and data security best practices are essential to keeping patients' data secure.
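One technical safeguard against the curiosity cases above is to review the EHR audit trail for chart accesses by staff who have no treatment relationship with the patient. The script below is an added example on constructed data; it is not code from the article or from Verizon's report, and the rules it applies (care-team membership, a same-surname heuristic for family members, and separate review of declared break-the-glass access) are assumptions typical of access-audit programs, not anything the report prescribes. The roster, directory entries, user IDs and audit rows are all constructed.

```python
"""Flag EHR chart accesses that lack a care relationship.  Added example on
constructed data; not code from the article or from Verizon's report, and the
rules are assumptions typical of access-audit programs."""
import csv
from io import StringIO

# Constructed care-team roster: MRN -> user IDs with a treatment relationship.
CARE_TEAM = {
    "MRN-1001": {"dr.patel", "rn.okafor"},
    "MRN-1002": {"dr.lee"},
    "MRN-1003": {"dr.patel", "rn.garcia"},
}
# Constructed directory data used by the same-surname (family member) rule.
PATIENT_SURNAME = {"MRN-1001": "Nguyen", "MRN-1002": "Okafor", "MRN-1003": "Famous"}
USER_SURNAME = {"dr.patel": "Patel", "rn.okafor": "Okafor", "dr.lee": "Lee",
                "rn.garcia": "Garcia", "clerk.smith": "Smith"}
# Constructed audit trail: timestamp,user,mrn,action[,break_the_glass_reason]
AUDIT_LOG = """\
2018-03-05T08:02:11,dr.patel,MRN-1001,view_chart
2018-03-05T08:10:45,rn.okafor,MRN-1002,view_chart
2018-03-05T09:30:00,clerk.smith,MRN-1003,view_chart
2018-03-05T09:31:12,rn.garcia,MRN-1003,view_chart
2018-03-05T12:15:00,dr.lee,MRN-1003,view_chart,emergency
"""


def parse_audit(text):
    """Return one dict per audit row; the break-the-glass reason is optional."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 4:
            continue
        ts, user, mrn, action = row[:4]
        rows.append({"ts": ts, "user": user, "mrn": mrn, "action": action,
                     "btg": row[4] if len(row) > 4 else ""})
    return rows


def flag_access(rec):
    """Return the reasons this access deserves review (empty list if none)."""
    reasons = []
    if rec["user"] not in CARE_TEAM.get(rec["mrn"], set()):
        if rec["btg"]:
            # Emergency access is legitimate, but the justification must be checked.
            reasons.append("break-the-glass declared (%s): verify justification" % rec["btg"])
        else:
            reasons.append("no care relationship to patient")
    # Family-member heuristic: only fires when both surnames are known.
    surname = USER_SURNAME.get(rec["user"])
    if surname and surname == PATIENT_SURNAME.get(rec["mrn"]):
        reasons.append("same surname as patient (possible family member)")
    return reasons


def audit(text):
    """Return (timestamp, user, mrn, reasons) for every access worth reviewing."""
    findings = []
    for rec in parse_audit(text):
        reasons = flag_access(rec)
        if reasons:
            findings.append((rec["ts"], rec["user"], rec["mrn"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, mrn, reasons in audit(AUDIT_LOG):
        print(ts, user, mrn, "; ".join(reasons))
```

The care-team roster is the part that is hard to get right in practice: it has to be fed from scheduling, admission and order data, and every gap in it shows up as a false positive. A same-surname match on its own proves nothing, which is why the rule only adds a reason for review rather than deciding the case; the point of the script is to shorten the list a privacy officer has to read, not to replace that review.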

NY Attorney General: Record number of data breaches in 2017

New York Attorney General Eric Schneiderman said Thursday that a record number of data breaches occurred in his state during 2017. In his report, "Information Exposed: 2017 Data Breaches in New York State," Schneiderman reveals that 1,583 breaches were reported to his office in 2017, affecting the data of 9.2 million New Yorkers.

Arguing that current law is inadequate, Schneiderman's office has also introduced legislation with stricter requirements for any organization holding the sensitive data of New York residents. From the report:

However, current law does not require most companies to maintain reasonable data security, except if the company collects social security numbers. Companies also are not required to report breaches of certain critical data types, including username-and-password combinations, and biometric data like the fingerprint you use to unlock an iPhone.
To address these inadequacies in the law, my office introduced the Stop Hacks and Improve Electronic Data security, or SHIELD Act, which would require companies to adopt administrative, technical, and physical safeguards for sensitive data. These standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not.
The standards are tailored to the sensitivity of the data retained and the size and complexity of the business. The SHIELD Act also expands the types of data that trigger reporting requirements in the event of exposure to include username-and-password combinations, biometric data, and HIPAA-covered health data.
My office is also preparing new legislation that would require companies like Facebook to notify my office, and in turn consumers, as soon as they learn that their users’ personal data has been misused. 

With an increasing number of states introducing their own information and data security regulations, where does this leave HIPAA? Healthcare entities must understand the requirements of each regulation that applies to them; complying with one does not mean the others can be ignored.