When people go to their doctors, they assume their information is protected. They freely and willingly provide personal information, like Social Security numbers. Their primary concern is their health, and so they literally put their lives in the hands of medical professionals and providers. This assumption that patient data is protected may be derived from the assumption that medical facilities are all aligned and in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Everyone signs the HIPAA forms, and so everyone assumes — even without thinking it — that they are protected and that the medical facility and/or medical providers are in compliance. Indeed, medical providers may believe they are in compliance and their patient data is protected until it happens: the data breach. Instantly, hundreds, thousands, or even millions of patients’ records are compromised. Not to mention: the medical entity where the breach occurred may be held liable for it.
Just recently, a data breach was investigated and confirmed at Valley Hope Association. It’s a Kansas-based nonprofit organization that treats patients with drug and alcohol addictions. They have 16 facilities located in seven states:
Patients number in the thousands across these seven states. As of the last week of January 2019, the organization has been notifying these patients — former and current — that there was a data breach and their information may have been accessed.
It all started in October 2018, when suspicious activity was noticed on an employee’s email account. The investigation commenced with this employee’s email account. On November 23, 2018, it was confirmed: a cybercriminal had hacked into the employee’s email account and, from there, was able to access patient information. The information compromised includes:
These kinds of breaches are how identity theft begins. When it happens in medical facilities, it is all the more stressful because the victims are patients already dealing with health issues. Identity theft is not a matter they want to deal with on top of their health issues. Following the breach, Valley Hope has taken two steps:
Unfortunately, the Valley Hope Association’s breach of patient data is not an isolated event. Many other medical facilities across the country have experienced data breaches. Examples of patient data breaches that occurred in 2018 include:
These are just a few of the many security breaches of patient data that occurred in 2018. As these examples show, healthcare is a lucrative target for hackers, and as technology advances, so do the hackers’ capabilities. That’s why it is imperative that medical facilities, providers, and professionals take steps to ensure their outsourced IT services providers offer the latest technology to secure patient information.
The HIPAA Privacy Rule sets out to protect “individually identifiable health information” in the possession of a covered entity or its business associates, regardless of whether this health information is in electronic or paper form or transmitted orally. Covered entities include:
This individually identifiable health information is known as protected health information (PHI). According to HHS, PHI includes demographic information relating to:
Covered entities must take measures to protect PHI. Traditionally, a covered entity breached HIPAA regulations when unsecured PHI was accessed by an unauthorized person, and the covered entity was held responsible for that breach. This responsibility is less straightforward when the breach results from ransomware or other malware activity. If the covered entity is found to be in violation of HIPAA because of such a data breach, heavy financial fines may be imposed along with other required corrective action. Depending on the size of the entity and the amount of the fine and other imposed penalties, a data breach could be detrimental not only to the patients whose information was compromised but also to the survival of the facility, provider, or professional.
Medical facilities, or any covered entity, and their business associates have options when safeguarding their patient data. These options should be translated into a plan of action.
Ultimately, the responsibility comes down to the party in possession of the patient data and covered by HIPAA regulations. Don’t let what happened to Valley Hope Association happen to you. Start the new year off right: make sure your PHI is secure and safe.