What Happened: In 2015, PBC filed a breach report on its own behalf stating that cyber-attackers had gained unauthorized access to its IT system. A phishing email was used to install malware that gave the attackers unlimited access to the IT system and allowed them to remain undetected for more than nine months. The cyberattack resulted in the disclosure of more than 10.4 million individuals’ PHI; the disclosed information included individuals’ names and addresses, social security numbers and bank account information. The eventual settlement included a $6.85 million penalty and a two-year corrective action plan.
Takeaways for ASCs: This was a serious breach and resulted in the second largest HIPAA violation settlement in OCR history. Security breaches affect healthcare providers large and small. Identifying potential security vulnerabilities, whether human or technological, is essential to preventing attackers from gaining access to PHI and remaining undetected. ASCs can help combat phishing by staying vigilant, reporting any suspicious emails and implementing risk management strategies.
What Happened: OCR conducted an investigation into the New Haven Health Department after a breach report was filed stating that a former employee had accessed a computer containing PHI. The investigation revealed that the individual returned to the health department after being terminated and used their still-active login credentials to download patients’ PHI, including names and addresses, dates of birth and sexually transmitted disease test results, onto a USB drive. The investigation also found that the former employee had shared their login credentials with an intern, who continued to use the active username and password to access further PHI. The city agreed to a settlement of more than $200,000 and a two-year corrective action plan.
Takeaways for ASCs: ASCs have to know and monitor which staff members have access to patient data. When employment ends, it is imperative that ASCs terminate access to any sensitive documents. In this case, the failure to do so resulted in two individuals accessing and downloading the PHI of hundreds of patients for weeks without detection. Implementing termination procedures and using unique user identification would help ASCs ensure that only the proper individuals are accessing PHI.
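The two controls named in the takeaway above, prompt de-provisioning at termination and unique user IDs, can be checked mechanically. The following Python script is an added example written for this summary; it is not ASCA's code and has no connection to the New Haven investigation. It assumes a hypothetical HR roster with termination dates, a list of enabled directory accounts and an authentication log, all constructed inline, and it reports three things a reviewer would want: enabled accounts whose owner has already left, successful logins after an owner's termination date, and one user ID logging in from two different workstations within minutes, which is a heuristic indicator that a credential is being shared.

```python
"""Offboarding and shared-credential checks over constructed sample data.

Added example; the roster, account list, log format and workstation names
are hypothetical and constructed for illustration only.
"""
from datetime import date, datetime, timedelta

# Constructed HR roster: user id -> termination date (None = still employed).
ROSTER = {
    "jdoe": None,
    "asmith": date(2024, 3, 15),
    "intern1": None,
}

# Constructed set of accounts still enabled in the directory.
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "intern1"}

# Constructed authentication log lines: "<ISO timestamp> <user> <workstation> <result>".
LOG_LINES = [
    "2024-03-14T09:02:11 asmith WS-12 success",
    "2024-03-18T17:44:03 asmith WS-07 success",
    "2024-03-19T08:10:45 jdoe WS-03 success",
    "2024-03-20T12:30:00 asmith WS-07 success",
    "2024-03-20T12:31:10 asmith WS-21 success",
]

# Date on which the review is run (constructed).
AS_OF = date(2024, 3, 20)


def accounts_to_disable(roster, active_accounts, as_of):
    """Enabled accounts whose owner's termination date is on or before as_of."""
    return sorted(
        user for user in active_accounts
        if roster.get(user) is not None and roster[user] <= as_of
    )


def parse_log_line(line):
    """Split one constructed log line into (timestamp, user, host, result)."""
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result


def post_termination_logins(log_lines, roster):
    """Successful logins by a user id after that user's termination date."""
    hits = []
    for line in log_lines:
        ts, user, host, result = parse_log_line(line)
        term = roster.get(user)
        if result == "success" and term is not None and ts.date() > term:
            hits.append((user, ts.isoformat(), host))
    return hits


def concurrent_host_use(log_lines, window=timedelta(minutes=5)):
    """User ids with successful logins from two different workstations within
    `window` of each other: a heuristic for a shared credential that a
    person should then review, not proof by itself."""
    by_user = {}
    for line in log_lines:
        ts, user, host, result = parse_log_line(line)
        if result == "success":
            by_user.setdefault(user, []).append((ts, host))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("Accounts to disable:", accounts_to_disable(ROSTER, ACTIVE_ACCOUNTS, AS_OF))
    print("Logins after termination:", post_termination_logins(LOG_LINES, ROSTER))
    print("Possible shared credentials:", concurrent_host_use(LOG_LINES))
```

Run on the constructed data, the script flags `asmith` under all three checks: the account is still enabled five days after the termination date, it was used successfully three times after that date, and two of those logins came from different workstations seventy seconds apart. Wiring the first check into the HR termination workflow and the other two into a routine log review is the practical form of the "termination procedures" and "unique user identification" the takeaway recommends.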
ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resource page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.
For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.