This cannot be stressed too highly.  Covered entities and business associates MUST MUST MUST encrypt portable devices.  It’s a simple and inexpensive step, and it makes a world of difference in whether a breach is reportable or manageable.

UMMC’s public statement gives little information.  In fact, it doesn’t identify the department of the hospital responsible for the lost laptop and broadly states that the laptop could affect anyone who was treated at UMMC between 2008 and January 2013.  This is tens of thousands of people.  Such a vague and broad notice may not be sufficient under HIPAA/HITECH’s breach notification rules.  Nevertheless, the facts demonstrate another example of what NOT to do as a health care provider.

First and foremost – if your organization uses laptops, the immediate priority, if it hasn’t already been accomplished, is to encrypt every one of those laptops and other portable devices.  The UMMC laptop was not encrypted, and this will likely result in some enforcement action by OCR.

Second, after you’ve encrypted the devices in your organization, conduct a thorough asset inventory review to identify and document where each electronic device is located and to whom it is assigned, so that your organization can quickly react and assess the impact of any “breach” or similar incident.

Finally, as is the case with all these HIPAA breaches, do “dry runs” of an OCR HIPAA audit at your organization to test for yourselves whether your policies and procedures would likely be deemed compliant in the event of a breach event or random audit by the folks from Washington, D.C.

The Connecticut breach is apparently related to unauthorized access of patient records by a former employee.  The covered entity is providing free credit monitoring services to the affected individuals for two years.

FYI – I’ll be publishing a newsletter in the next couple of days giving some information about the new rules published by OCR on January 17th.  It’ll be a humdinger.

Vol1-1

Vol1-2

According to the Orlando Sentinel, the scheme involved one man paying more than $10,000 to a hospital employee and her husband over a period of approximately two years, during which time the hospital employee and her husband allegedly accessed hospital patients’ records focusing on auto accidents.  Later, the alleged criminals used the stolen information to solicit the victims of the identity theft for legal and chiropractic services.  The scheme was exposed when one of the people solicited reported the incident to the hospital.  Apparently the reporting person was the mother of another employee of the hospital and knew that the information should not have been accessible.

The notification began with the University of Michigan, who notified some 4,000 of its patients about the breach.  Then, the deluge came, with news that the stolen (unencrypted) laptop contained some 54,000 patient records from Sentara Healthcare and another 8,555 from South Jersey Healthcare.

MOBILE COMPUTING DEVICES ARE THE WEAK LINK IN HIPAA COMPLIANCE!  Take basic precautions to eliminate this vulnerability with policies addressing the risk and on-the-ground modifications to those devices to encrypt the data!

I have long cautioned providers, both in my legal practice and here on this blog, that mobile computing devices were the most vulnerable and most common area for HIPAA Security Rule compliance.  OCR’s fine in this instance makes clear that small providers have much to fear from their lack of efforts to comply with the basic requirements of HIPAA’s Security Rule.  Though not expressly stated as such, the OCR press release points out that the hospice provider made no efforts to address these security risks (related to mobile computing devices) in its policies and procedures.

Things happen.  Breaches occur.  But OCR appears to be completely unforgiving in cases where the provider made no effort to update and address its policies and procedures on these basic security issues.

It seems that one of the employees of a subcontractor for Kentucky’s Medicaid program responded cooperatively with a phishing scheme, which then led to a hacker having remote access to a computer with a database of Medicaid recipients.  Apparently, there is no indication that any Medicaid PHI was actually accessed or improperly stolen.

From http://www.healthcareinfosecurity.com/state-settles-hipaa-case-for-140000-a-5411

In 2010, the four pathology groups quickly worked to cooperate with the investigation, which ultimately showed that the billing company used by all four practices had improperly disposed of the records by sending them to a landfill without shredding or otherwise destroying the records. The Attorney General in Massachusetts completed its investigation and found the situation worthy of fines. After some negotiation, the practices and the now-defunct billing company agreed to a fine of $140,000.

OCR has issued express guidance on the proper disposal of paper-based PHI, particularly with regard to landfills. Be sure to read that info before entering into any agreements with any billing companies or waste disposal companies and require that those contractors follow the OCR-approved procedures.

The fine comes from Coventry Health Care, Inc., in Maryland, which was contracted to be sold to Aetna Insurance.  According to reports, workers at Coventry routinely sifted through Medicare database information to mine data for the intended purpose of targeting customers of Medicare set-aside products, all with the knowledge of several senior managers.  Bad, bad, bad….  The Department of Justice had been in preliminary investigation of the matter, when Coventry agreed (no doubt to grease the skids for the merger with Aetna) to resolve the matter finally for the $3M payout.  The DOJ laid down its arms and also persuaded other agencies to refrain from enforcement action as part of the deal.

On the other side of the country, in East Texas, Joneshia Cranford pleaded guilty to knowingly and intentionally gaining the protected health information of an individual for the purpose if disclosing such PHI for personal gain.  Ms. Cranford worked at a health care provider in Texas, during which employment she appears (allegedly) to have gathered PHI of at least two individuals in order to use or sell that information for identity theft activities.   Her guilty plea seems to have removed the “allegedly” part of this report.  At any rate, Ms. Cranford got sixty (60) days imprisonment and 200 hours of community service.   But in a show of mercy, the Court allowed the convict to serve the 60-day sentence intermittently on weekends during the first year of her 5-year probation, so that she could care for her minor children during the week.   How generous…