There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA.
An article in Data Breach Today discusses a number of state HIPAA enforcement cases. Here are some of the ones discussed:
Massachusetts — $75,000 settlement with McLean Hospital for a data breach involving 1,500 victims based on an employee who routinely took home unencrypted backup tapes with PHI. From the state press release:
The AG’s complaint alleges that McLean, a psychiatric hospital in Belmont, allowed an employee to regularly take home eight unencrypted back-up tapes containing clinical and demographic information from the Harvard Brain Tissue Resource Center that the hospital possessed. The tapes contained personal information such as names, social security numbers, diagnoses and family histories. When the employee was terminated from her position at McLean in May 2015, she only returned four of the tapes, and the hospital was unable to recover the others.
New Jersey — $100,000 settlement with EmblemHealth for a 2016 breach involving 81,000 victims. Details from the state’s press release:
The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.
The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)
During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file.
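The EmblemHealth failure was a missing control at the hand-off: nobody checked the data file for SSN-derived identifiers before it went to the print vendor. The following is an added example, not code from the original post or from EmblemHealth, of a pre-release gate that scans a CSV mailing export for HICN-like values (nine SSN digits plus a one- or two-character beneficiary code, as the press release describes them) and redacts them; the regex, column names and sample rows are assumptions constructed for the example.

```python
import csv
import io
import re

# Assumed pattern built from the press-release description: nine SSN digits
# followed by an alphabetic or alphanumeric beneficiary identification code.
# A bare nine-digit value is also flagged, as a possible raw SSN.
HICN_RE = re.compile(r"^\d{9}(?:[A-Z][A-Z0-9]?)?$")

def is_hicn_like(value):
    """True if a field value looks like a HICN (or a bare nine-digit SSN)."""
    return bool(HICN_RE.match(value.strip().upper()))

def scan_mailing_file(csv_text):
    """Return (row, column, value) for every field that looks like a HICN.
    Row numbers count the header as line 1, so the first data row is 2."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            if value and is_hicn_like(value):
                findings.append((row_no, column, value))
    return findings

def release_for_print(csv_text):
    """Gate before the file goes to the print vendor: (ok, findings)."""
    findings = scan_mailing_file(csv_text)
    return (len(findings) == 0, findings)

def redact_mailing_file(csv_text, replacement="REDACTED"):
    """Return a copy of the file with every HICN-like field replaced."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({c: replacement if v and is_hicn_like(v) else v
                         for c, v in row.items()})
    return out.getvalue()

# Constructed sample export (fictitious names and numbers, not real data).
SAMPLE = """member_name,package_id,street,city
Jane Doe,123456789A,1 Main St,Newark
John Roe,MB-00042,2 Elm St,Trenton
Ann Poe,987654321B1,3 Oak St,Camden
"""

if __name__ == "__main__":
    ok, findings = release_for_print(SAMPLE)
    print("release ok:", ok, "findings:", findings)
```

In a real pipeline the gate would run as the last step before the file leaves the organisation, so that a staffing change like the one in the press release cannot silently bypass it.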
New York – $575,000 settlement with EmblemHealth for a breach by its business associate. From the state press release [link no longer available]:
EmblemHealth is one of the largest health plans in the United States. On October 13, 2016, it discovered that it had mailed 81,122 policyholders, including 55,664 New York residents, a paper copy of their Medicare Prescription Drug Plan Evidence of Coverage (“EOC Mailing”) that included a mailing label with the policyholder’s social security number on it. Normally, all mailings include a unique mailing identifier that is printed on the envelope. However, in this case, the mailing inadvertently included the insured’s Health Insurance Claim Number, which incorporated the insured’s social security number.
Pursuant to the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), EmblemHealth is required to safeguard patients’ protected health information, including social security numbers, and utilize appropriate administrative, physical and technical safeguards. In connection with its 2016 EOC Mailing, EmblemHealth failed to comply with many of the standards and procedural specifications as required by HIPAA. Printing an individual’s social security number on “a postcard or other mailer not requiring an envelope, or visible on the envelope, or without the envelope having been opened” also violates New York General Business Law § 399-ddd(2)(e).
New Jersey — $418,000 settlement with Virtua Medical Group for a data breach involving a vendor, Best Medical Transcription; $200,000 settlement with the vendor. From the state’s press release:
The server misconfiguration occurred in January 2016. All potentially affected patients, which included 1,617 New Jersey residents, were notified about the security breach in early March 2016.
The Division alleged that VMG’s failure to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information (“ePHI”) it sent to a third-party vendor, and its failure to implement security measures to reduce that risk, violated the federal Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule. . . .
The VMG privacy breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at the three VMG practices, updated software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password.
After the FTP Site became unsecured, anyone who searched Google using search terms that happened to be contained within the dictation information
The settlement with Best Medical Transcription involved a notable and non-typical sanction — it permanently barred the owner from doing business in New Jersey. From the press release:
After the FTP Site became unsecured, Internet searches using search terms containing any of the dictation information, such as patient names, doctors’ names or medical terms, would have been able to locate, access and download the exposed documents from the FTP Site, the Division investigation found.
On January 22, 2016, VMG received a phone call from a patient indicating that her daughter found portions of her medical records from Virtua Gynecological Oncology Specialists through a Google web search. The Division’s investigation found that at that time, VMG was not aware of the source of the information viewed by the daughter because Best Medical Transcription had not notified them of the security breach.
Massachusetts — $155,000 settlement with Yapstone Holdings, Inc. for a breach exposing PHI. Details from the state’s press release:
The AG’s Office began its investigation after Yapstone notified the office of the incident in 2015. The investigation revealed that in July 2014, while modifying Yapstone’s website, the company’s engineers accidentally removed password protections from public-facing websites used to sign users up for Yapstone’s service. These websites stored consumers’ personal information, such as bank account and social security numbers, addresses, and driver’s license numbers. The mistake rendered the webpages publicly viewable to anyone on the internet for more than a year. The investigation found that Yapstone employees appeared to have been aware of the vulnerability in August 2014 but neglected to fix it until August 2015, when another employee discovered it.
And here are a few more in this article by Healthcare Info Security:
New York — $200,000 settlement with The Arc of Erie County for a breach in which the PHI of about 3,000 people was accessible online for about 3 years.
New York — $1.5 million settlement with Aetna for revealing in a mailing that 2,460 patients were HIV+. Patient HIV status was revealed via an address window in the envelope that was too large.
There are many more state enforcement actions, more than there are hours in the day to write about. The above are just a few.
It seems that a few states are stepping forward in enforcement: New York, New Jersey, and Massachusetts. There are other states too, but then there are some states that have been completely silent on enforcement. State enforcement is a valuable component of the overall enforcement of a federal law, but state enforcement can be spotty and inconsistent.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.