Tag Archives: data loss

Massachusetts AG Fines Beth Israel Deaconess Medical Center $100,000

Massachusetts Attorney General (AG) Martha Coakley announced that Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a $100,000 fine to settle allegations that a hospital physician failed to protect the personal information (PI) and protected health information (PHI) of almost 4,000 patients and hospital employees.

“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” AG Coakley said. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”

According to the complaint, in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

Although the hospital’s policy and applicable law required employees to encrypt and physically secure laptops containing personal information and protected health information, the physician and members of his staff were not following these policies. BIDMC did not notify patients about the data breach as required under state and federal data breach notification laws until August 2012.

The lawsuit was filed under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.

The AG’s Office is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.

TD Bank Enters into Assurance of Voluntary Compliance with Nine AGs for 2012 Breach

TD Bank, N.A. (the Bank) has entered into an Assurance of Voluntary Compliance (Assurance) with nine attorneys general to settle allegations that the company violated various state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The assurance follows an investigation into the policies, procedures, and practices of the Bank following an incident in which a locked bag containing two backup tapes with the personal information of 260,000 customers went missing from the Bank premises in March 2012. The Assurance requires, among other things, TD Bank to pay $850,000 to the attorneys general.

UK MOJ Fined £180,000 for Lost Back-Up Hard Drive

The UK Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice following the loss of an unencrypted back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The incident followed a similar case in October 2011, when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down prison in Surrey.

In response to the first incident, in May 2012 the prison service provided new hard drives to all 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. But the ICO’s investigation into the latest incident found that the prison service didn’t realize that the encryption option needed to be turned on to work correctly.

Medical Assistant Allegedly Tied to Identity Theft at Virginia Healthcare Provider

According to a report from Healthcare Info Security, Riverside Health System, a healthcare provider that operates several hospitals and other care facilities in Virginia, is notifying 2,000 cancer patients about a breach that involves alleged identity theft by a medical assistant who worked at Riverside’s Cancer Specialists of Tidewater oncology practice. The Chesapeake Police Department notified Riverside on June 6 that it was investigating several ID theft cases, and all the victims were patients at the cancer practice. To date, 13 people have reported ID theft to the police. The medical assistant, who has since been fired by Riverside, was authorized to access the data of patients treated at the cancer care practice.

Potential Steps to Prevent Inappropriate Access

The most obvious way to reduce the risk of inappropriate access is to restrict access to records based on an individual’s role and the sensitivity of the data. Additional steps include:

  1. Conducting background checks for employees that interact with patient information as part of their job responsibilities.
  2. Implementing data loss prevention solutions to restrict the flow of ePHI in unauthorized ways, such as to USB storage devices and e-mail.
  3. Communicating and enforcing privacy and security policies.

Kirk Nahra, a partner at Washington, D.C. law firm Wiley Rein LLP, shares ways to communicate and enforce such policies. “In the best practices area, that’s a mixture of audits, training, investigations, responding to complaints and sanction policies, to ensure employees know [inappropriate access] will not be tolerated, even if it’s for an innocuous reason like checking on [the records of] Aunt Sally.”
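As an added illustration of the steps above (example code, not from the original post, Riverside or Healthcare Info Security): a Python sketch of a role- and practice-scoped access check over a hypothetical field policy, plus a detection pass over constructed audit-log lines that flags an authorized user reading identifying fields for an unusual number of patients. All role names, fields, thresholds and log lines are assumptions.

```python
from collections import defaultdict

# Hypothetical policy table: the fields each role may read. SSN is limited to
# roles that need it; the assistant role sees clinical data only.
ROLE_FIELDS = {
    "oncologist": {"name", "dob", "diagnosis", "ssn"},
    "medical_assistant": {"name", "dob", "diagnosis"},
    "billing": {"name", "dob", "ssn"},
}
IDENTIFIERS = {"ssn", "dob"}  # fields most useful for identity theft

def authorize(role, user_practice, patient_practice, field):
    """Allow only in-practice reads of fields the role legitimately needs."""
    return user_practice == patient_practice and field in ROLE_FIELDS.get(role, set())

def flag_bulk_identifier_reads(log_lines, threshold):
    """Return users who read identifier fields of more than `threshold`
    distinct patients. Constructed log format: ts,user,role,patient,field,result"""
    patients_by_user = defaultdict(set)
    for line in log_lines:
        _ts, user, _role, patient, field, result = line.strip().split(",")
        if result == "allowed" and field in IDENTIFIERS:
            patients_by_user[user].add(patient)
    return sorted(u for u, p in patients_by_user.items() if len(p) > threshold)

# Constructed sample audit log: one assistant reading identifiers for many
# patients in one session, beside an oncologist doing ordinary clinical work.
SAMPLE_LOG = [
    "2014-06-01T09:00,ma01,medical_assistant,P001,dob,allowed",
    "2014-06-01T09:01,ma01,medical_assistant,P002,dob,allowed",
    "2014-06-01T09:02,ma01,medical_assistant,P003,dob,allowed",
    "2014-06-01T09:03,ma01,medical_assistant,P004,dob,allowed",
    "2014-06-01T09:03,ma01,medical_assistant,P004,ssn,denied",
    "2014-06-01T09:10,dr07,oncologist,P001,diagnosis,allowed",
    "2014-06-01T09:12,dr07,oncologist,P001,ssn,allowed",
]

if __name__ == "__main__":
    # An assistant may not read SSNs even inside their own practice.
    print(authorize("medical_assistant", "tidewater", "tidewater", "ssn"))  # False
    # The assistant touched identifiers for 4 distinct patients; threshold is 3.
    print(flag_bulk_identifier_reads(SAMPLE_LOG, threshold=3))  # ['ma01']
```

The threshold would in practice be set per role from baseline audit data rather than hard-coded.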

Rhode Island Hospital to Pay $150,000 to Settle 2011 Breach Allegations

Women & Infants Hospital of Rhode Island (WIH) has agreed to pay $150,000 to resolve allegations that it failed to protect the personal information and protected health information of more than 12,000 patients in Massachusetts (press release). The consent judgment resulted from a data breach reported to the MA Attorney General’s Office in November 2012. Breached information included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images.

In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers. In the summer of 2011, these back-up tapes were to be sent to a central data center at WIH’s parent company. Due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Because of deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012.

Key Takeaways:

  • AGs are increasingly enforcing data protection laws and regulations.
  • Sensitive information leaving facilities must be protected (encrypted).
  • Employees should be trained to report data privacy and security incidents immediately.

14% of All Debit Cards Exposed in Breaches in 2013

According to the 2014 Debit Issuer Study commissioned by PULSE (see article at Cuna.org), 14% of all debit cards were exposed in data breaches in 2013, compared with 5% in 2012.

The study also found that:

  • 84% of financial institutions reissued all exposed cards in response to the Target breach, compared with only 29% that typically reissue all exposed cards as a standard response to breaches.
  • 86% of participating U.S. issuers plan to start issuing EMV debit cards within the next two years, and most will begin EMV debit issuance in 2015.

Hospital Backup Tapes Missing

Unencrypted backup tapes have gone missing from two Women & Infants Hospital ambulatory sites. An investigation and search of the facilities was unable to locate the missing items. The backup tapes from its Providence, Rhode Island and New Bedford, Massachusetts locations contained patient names, dates of birth, dates of exams, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers. The losses mean that the hospital no longer has the ultrasound images, but it does still have the full report of each ultrasound and its findings in the patient’s electronic medical record.

Best practice – Encrypt backups containing sensitive information.