5 OCR security investigations in 2014

The HHS’ Office for Civil Rights (OCR) conducted a number of investigations in 2014 in response to reported breaches, five of which involved electronic protected health information.


As health records become entirely digital and cybersecurity becomes a concern for every covered entity, these settlements may serve as precedents for how HHS handles similar breaches in the future.

A few trends emerge from the five cases: conducting accurate security risk assessments, remediating the risks those assessments identify, monitoring changes to systems and networks, and actually following HIPAA policies once they have been adopted.

Here are the five incidents:

  1. Skagit County, Washington: The county in northwestern Washington state initially reported a breach involving the protected health information of seven people after the data had been inadvertently moved to a publicly accessible server maintained by the county, according to an HHS press release. OCR opened an investigation and found that 1,581 people’s information may have been exposed. Further investigation uncovered widespread noncompliance by Skagit County with the HIPAA privacy, security and breach notification rules. The case was settled for $215,000 in March 2014.
  2. Concentra Health Services: Concentra’s Physical Therapy Center in Springfield, Mo., reported a stolen laptop, and the resulting OCR investigation found that the lack of encryption on devices across the organization endangered patient data. Concentra had begun encrypting its devices, but the effort was incomplete and inconsistent. Concentra paid $1,725,220 to settle the potential violations and agreed to a corrective action plan to close the security gaps.
  3. QCA Health Plan: The Arkansas-based insurer reported the theft of an unencrypted laptop containing the protected health information of 148 people from an employee’s car in February 2012. QCA encrypted the rest of its laptops after the breach, but OCR’s investigation found that QCA had failed to comply with multiple HIPAA privacy and security requirements between 2005 and 2012. QCA settled the case with a $250,000 payment and agreed to submit an updated risk analysis and risk management plan to HHS and to retrain its workforce.
  4. NewYork-Presbyterian Hospital/Columbia University: The two New York City institutions filed a joint breach report in September 2010 disclosing a breach affecting 6,800 people, including clinical data. The two are separate entities, but Columbia University physicians also serve as attending physicians at NewYork-Presbyterian Hospital. When a Columbia physician attempted to deactivate a personally owned computer server on the shared network that contained patient data, the deactivation left the information accessible to Internet search engines. NewYork-Presbyterian Hospital paid a $3.3 million settlement and Columbia University paid a $1.5 million settlement, with both agreeing to corrective action plans in May 2014.
  5. Anchorage Community Mental Health Services: The Anchorage, Alaska, facility reported a breach affecting 2,743 people after malware infected its IT systems. The OCR investigation found that ACMHS had adopted HIPAA security rule policies in 2005 but had failed to follow them, and that it had failed to keep its IT systems patched and supported. The settlement included a $150,000 payment and an agreement to report on its compliance to OCR for two years.
