For those in the healthcare industry, the privacy and security of information is vital to operations, but the importance and value of health information also makes the industry a prime target for threats. Studies suggest that the vast majority of healthcare organizations have experienced one sort of data breach or another. In fact, a May 2016 report from the Ponemon Institute found almost 90% of healthcare organizations had experienced a breach in the preceding two years, and 45% had experienced more than five breaches in the last two years. Healthcare providers are also increasingly under attack by “ransomware” or “denial of service” attacks which lock up systems and hold them hostage until a ransom is paid to unlock them. And while various agencies, including the FBI, recommend that providers not pay the demands of cyber criminals who execute ransomware attacks, this may not be a feasible option for providers who have failed to maintain robust data back-up systems. Furthermore, the Office for Civil Rights has issued guidance indicating that ransomware attacks must be treated as security incidents and analyzed under HIPAA’s breach notification rule, although it recognizes that whether a given incident requires notification to patients (and the OCR) is a fact-specific matter. Finally, healthcare organizations are also subject to universal scams, such as the W-2 scam, which was previously discussed in the Password Protected Blog.
Preparing for ransomware and other attacks is not the only challenge; healthcare entities should be mindful that failure to comply with HIPAA is becoming increasingly costly. To be sure, the Office for Civil Rights (“OCR”) has substantially ramped up its enforcement efforts. Specifically, in 2016, OCR fines totaled $23 million, which is not only a new record but also roughly three times the previous record of $7.4 million (2014). Aside from nearly doubling the record of enforcement actions (from seven to 13), 2016 witnessed a new record settlement: $5.5 million, paid by Advocate Health Care System. Notably, the Advocate settlement was part of an enforcement blitz involving a settlement a week for three weeks in a row, as was previously reported in this blog. Furthermore, in August 2016, the OCR announced an initiative to target smaller breaches (those involving fewer than 500 individuals), which means that small providers should no longer think that they will be able to “fly under the radar” of HIPAA enforcement.
2017 is already off to a strong enforcement start. The OCR kicked off the year with the announcement of a (relatively modest) settlement of $475,000 for failure to make timely notifications of a breach. Then, on February 1, 2017, the OCR announced that Children’s Medical Center of Dallas (“Children’s”) had to pay a civil money penalty of $3.2 million for its failure to implement appropriate risk management plans despite external recommendations to do so. Indeed, in 2010, Children’s experienced the loss of an unencrypted, non-password-protected BlackBerry device that contained protected health information of approximately 3,800 people. And, in 2013, Children’s notified the OCR of a separate breach involving the theft of an unencrypted laptop containing electronic protected health information of 2,462 individuals.
Finally, on February 16, 2017, the OCR announced a HIPAA settlement that matched the previous high-water mark for settlements: $5.5 million. In this latest case, Memorial Healthcare System settled with the OCR following a situation in which the protected health information of 115,143 individuals was impermissibly accessed by its employees and impermissibly disclosed to an affiliated physician’s office staff. According to the OCR’s announcement, the login credentials of a former employee of a physician’s office were used from April 2011 to April 2012, without detection, and resulted in the unauthorized disclosure of information regarding 80,000 individuals. Although the hospital had audit control policies in place, it failed to implement procedures for reviewing, modifying, and terminating rights of access, and it failed to regularly review system activity.
Looking Ahead: Prioritize Robust Data Privacy and Security Practices
The lesson in all of this is that no healthcare organization should be coasting when it comes to data privacy and security activities. Not only are providers under nearly constant attack, they are also likely to be subject to more aggressive enforcement and higher penalties if the OCR discovers inadequate compliance initiatives. See additional discussion here. To be sure, with the new focus on smaller breaches and the requirement that all breaches be reported to the OCR, no healthcare organization should consider itself immune from an enforcement action. The solution: constant vigilance, routine training, regular updates to security risk assessments, and implementation of policies as they are written.