Tag Archives: fines

OCR Penalty: Unencrypted Laptops Result in Steep Fines for Small Breaches

The Office for Civil Rights (OCR) sent a strong message to the healthcare community with their third civil monetary penalty totaling $3.2 million.

Children’s Medical Center of Dallas – part of the seventh-largest pediatric health care provider in the nation – was on the wrong end of two data breaches caused by a lack of encryption. The hefty fine stems from the OCR’s investigation uncovering longstanding failures to comply with HIPAA’s rules.

Data Breaches

Children’s first filed a breach report with OCR in January 2010. An employee lost an unencrypted, non-password protected BlackBerry device at the Dallas airport in November 2009. The device contained the electronic protected health information (ePHI) of 3,800 individuals.

Children’s filed a separate breach report with OCR in July 2013. This time it was due to the theft of an unencrypted laptop from the premises in April 2013. The device contained ePHI of about 2,500 individuals.

In this case, it was determined several physical safeguards were in place to protect the laptop storage area, i.e. badge access and a security camera at one entrance. However, access to the area was also given to workforce members who weren’t authorized to access ePHI.

HIPAA Violations

The OCR levied the civil monetary penalty, rather than coming to terms on a settlement, due to widespread failures related to HIPAA compliance. Specifically, OCR noted two crucial HIPAA failures:

  • Failure to implement risk management plans, contrary to external recommendations
  • Failure to deploy encryption or equivalent alternative measures of safeguard on laptops, work stations, mobile devices, and removable media until 2013

The key issue leading to the penalty was the medical provider’s failure to fix known problems for an extended period of time. Children’s had an independent firm conduct a gap analysis in 2006 and again in 2007, highlighting the risks to unencrypted ePHI by March 2007 at the latest. A separate analysis was performed in 2008 to address threats and vulnerabilities of certain ePHI.

Children’s was aware of the potential risks posed by their unencrypted devices, and failed to act until 2013.

Acting OCR Director Robinsue Frohboese noted, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Key Takeaway

OCR hasn’t slowed down in their HIPAA enforcement so far in 2017. But this case is unique for a few reasons: the total number of affected individuals was less than 6,000, yet the case involved multiple breaches of unencrypted devices and focused on Children’s failure to mitigate known security issues.

OCR demonstrates once again they aren’t afraid of heavy fines for widespread non-compliance in safeguarding ePHI. Healthcare organizations can take this enforcement as a warning: Fix the problems you’ve identified! When your risk assessments identify gaps and vulnerabilities, address and prioritize those areas during risk mitigation efforts.

TD Bank Enters into Assurance of Voluntary Compliance with Nine AGs for 2012 Breach

TD Bank, N.A. (the Bank) has entered into an Assurance of Voluntary Compliance (Assurance) with nine attorneys general to settle allegations that the company violated various state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The assurance follows an investigation into the policies, procedures, and practices of the Bank following an incident in which a locked bag containing two backup tapes with the personal information of 260,000 customers went missing from the Bank premises in March 2012. The Assurance requires, among other things, TD Bank to pay $850,000 to the attorneys general.

UK ICO Fines Hotel Booking Website for Leaking Both PI and Encryption Key

The UK Information Commissioner’s Office (ICO) has warned organizations to protect their websites against one of the most common forms of online attack – known as SQL injection. The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers. Further, although the customers’ payment details had been encrypted, the decryption key was stored with the data, allowing the attackers to access the customers’ full card details, including the three-digit security code needed to authorize online payments.

Worldview would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.

Former Medical Employee Fined C$5,000 for Accessing Protected Information

A former employee has been fined C$5,000 for inappropriately accessing patient files in a privacy breach at Western Memorial Regional Hospital in Corner Brook, NL, Canada.

Donna Colbourne accessed more than 1,000 patient files while working there as an accounting clerk until 2012. Judge Kymil Howe imposed a $5,000 fine on Colbourne, saying “The effect of the breach is far reaching by the accused by mindless meddling into personal affairs.” The Crown wanted a $7,500 fine for Colbourne, but Howe settled on the lower fine because Colbourne did not share any of the information with anyone, and the files she accessed did not include medical charts or health records.

Colbourne is the first person to be convicted under the province’s Personal Health Information Act.

Update on Target Breach Costs – $148M in Expenses

As has been widely reported, during the fourth fiscal quarter of 2013, Target experienced a data breach of payment card and other guest information.

In the second fiscal quarter of 2014, Target expects to record gross breach-related expenses of $148 million, partially offset by a $38 million insurance receivable. Expenses for the quarter include an increase to the accrual for estimated probable losses for what Target believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks.

Rhode Island Hospital to Pay $150,000 to Settle 2011 Breach Allegations

Women & Infants Hospital of Rhode Island (WIH) has agreed to pay $150,000 to resolve allegations that it failed to protect the personal information and protected health information of more than 12,000 patients in Massachusetts (press release). The consent judgment resulted from a data breach reported to the MA Attorney General’s Office in November 2012. Breached information included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images.

In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers. In the summer of 2011, these back-up tapes were to be sent to a central data center at WIH’s parent company. Due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Because of deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012.

Key Takeaways:

  • AGs are increasingly enforcing data protection laws and regulations.
  • Sensitive information leaving facilities must be protected (encrypted).
  • Employees should be trained to report data privacy and security incidents immediately.

UK Commission fines City Council £120,000 for Unencrypted Emails

The Information Commissioner’s Office (ICO) reminds organizations that sensitive personal information should be encrypted when being stored and sent electronically. Stoke-on-Trent City Council received a monetary penalty of £120,000 for emailing unencrypted sensitive information about a child protection legal case to the wrong person. On 14 December 2011, 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to Counsel instructed on a child protection case. The ICO took into account a 2010 incident at the authority in which sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick.

UK Police Force Fined £120,000

An ICO investigation at Greater Manchester Police has concluded with a fine of £120,000 for failing to take appropriate measures against the loss of personal data. According to the ICO press release, a memory stick containing details of more than a thousand people with links to serious crime investigations was stolen from an officer’s home. The device had no password protection. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.

UK Charity Fined £70,000 for Sensitive Reports Left Outside House

Norwood Ravenswood Ltd, a UK social care charity, has been served a monetary penalty of £70,000 after highly sensitive information about the care of four young children was lost after being left outside a London home. A Norwood social worker left detailed reports outside a house on 5 December 2011 after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned, the reports, containing details of neglect and abuse suffered by the children, along with information about their birth families, were gone. The information has never been recovered. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and had received no guidance on how to send personal data securely to prospective adopters.