The data security breaches in healthcare keep occurring. Now certain practices and hospitals are finding themselves on the Department of Health and Human Services’ “wall of shame.” This website lists health data breaches affecting 500 or more individuals.
HHS.gov maintains this interactive wall of shame for healthcare data breaches. We counted 15 in the last 30 days after searching by date. (click to enlarge image)
Medscape had a recent article that sums up how a small southern physician’s practice ended up on the wall of shame. It also goes into detail as to what type of breach occurred. Let’s see what this breach included:
“Because more than 500 patients’ PHI was involved, government publication requirements kicked in. Each patient had to receive a breach notification letter as well. The incident had to be reported to the Office of Civil Rights (OCR) in the Department of Health and Human Services. OCR then published information on its website about the mistake. The location where such events are posted is often referred to as the “Wall of Shame.” Here the practice’s error will reside for years to come.”
How serious is this? As of June of this year, Health Info. Security did a tally of the Wall of Shame site, “health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.” They further report that as of June 23, “about 52 percent of breaches on the tally listed “theft” as the cause.”
Of course, we hear a lot about the big cases like the Anthem breach and Premera Blue Cross. But as Pacific Standard Magazine reports small breaches also take their toll. They’re hard on the victims, and also on the provider’s wallet. The article details the plight of a few people who were victims. Those responsible for the incidents snooped their records. Then, they took questionable actions:
“After being attacked on Facebook (for allegedly being HPV positive), Frances contacted Indianapolis lawyer Neal Eggeson. He had won jury verdicts for people whose medical information was improperly disclosed. Eggeson contacted the hospital and, without filing suit, secured a confidential settlement for Frances. (He asked that the facility not be named in this story.) Frances’ former friend no longer works there, she said.”
What breached information are we dealing with? A breach is, generally, an impermissible use or disclosure under the Privacy Rule. The rule compromises the security or privacy of the protected health information. In addition to HHS and OCR reviewing these matters, HHS.gov’s website explains that the FTC — Federal Trade Commission — may also be involved in enforcement:
“The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.”
Are you susceptible to a healthcare data breach or hacking it incidents? Eagle Consulting Partners offers a range of HIPAA security consulting services and products. Our services will help your practice, hospital and related organization proactively deal with these concerns.
