Alaska’s Department of Health & Human Services (DHSS), the state’s Medicaid agency, will pay $1.7 million to the U.S. Department of Health & Human Services (HHS) after reporting a USB hard drive containing personal health information (PHI) was stolen from a state employee’s car. This is the first fine levied by the Office of Civil Rights (OCR) against a state agency.
June 29th, 2012
An improperly secured server maintained by the Utah Department of Technology Services (DTS) was hacked into on March 30, compromising the personal health information (PHI) of thousands of people. The victims are likely to be Medicaid or Children’s Health Insurance Program (CHIP) recipients who have visited a health care provider in the past four months, and individuals whose provider recently verified their Medicaid status.
“It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen,” reported the Utah Department of Health (UDOH) in an April 9 press release. “Less-sensitive” PHI may include names, dates of birth, and addresses.
The health department originally thought 24,000 individual claims had been compromised, according to an April 4 press release. Further investigation determined that 24,000 files had been removed, according to an April 6 press release, and each file can potentially contain claims information on hundreds of people. This increased the number of possible ID theft victims considerably.
According to the press release, the state will be sending letters directly to victims as they are identified. The DTS and UDOH warn that no one will be calling or emailing identified victims and asking for personal information.
Medicaid clients can call 1-855-238-3339 to find out if their information has been compromised. Additional information about the data breach can also be found on the UDOH website.
April 12th, 2012
Greater numbers of health care providers adopting smartphones and tablets (such as the iPad) means greater concerns about the security of patient health information stored on such devices. And, as reported by Pamela Lewis Dolan of amednews, if a portable device gets lost (or worse, stolen), you can be fairly certain that whoever finds it will try to access the information contained within it.
Dolan’s article, “How to ensure a lost mobile device won’t cause a data breach” notes that data encryption is the best tool to guard against a data breach. Under the Health Insurance Portability and Accountability Act (HIPAA), encryption is strongly encouraged, and is required unless there’s a technology limitation or some other compelling reason encryption is not possible. Under federal law, the presence of encryption is a safe harbor that would negate a health care organization’s obligation to report a data breach.
Unfortunately, encryption of mobile devices poses technical difficulties, at least in the present; however, there are additional steps you can take to secure mobile devices. Dolan offers the following:
- Pick the right device: Some devices have encryption for all or some data, while others require downloading apps to provide the service. Reading reviews at the app stores and getting advice from previous users and employees at the mobile phone companies will help find the best solutions.
- Use a passcode lock, and set the device to lock or remotely wipe the memory after several failed login attempts.
- Add a second layer of protection between the main menu of the phone and access to confidential files and apps. Many smartphone apps offer automated logins, which means that you can enter a website without having to provide a password. Requiring a separate login for apps that carry sensitive information improves security.
- Before donating or selling a used device, restore the operating system to the factory settings. Without this step, you can never be sure the new owner won’t have access to data previously stored on the device.
- Talk to an attorney to help ensure that any privacy and security protections placed on your mobile devices are HIPAA-compliant.
Sidebar: The Office of the Chief Privacy Officer (OCPO) for the Office of the National Coordinator for Health Information Technology (ONC) recently launched a privacy and security mobile device project. The project builds on the existing U.S. Department of Health & Human Services (HHS) HIPAA Security Rule – Remote Use Guidance and is designed to identify privacy and security good practices for mobile devices.
Event videos and materials from the March 16 Mobile Devices Roundtable are available online.
March 29th, 2012
In today’s technological environment, protecting patients’ data and information is vital for physicians. Recently, some 16,000 UCLA Health patients had their data breached. AAPC Physician Services regional director Charla Prillaman, CPCO, CPC, CPC-I, CCC, CEMC, CPMA, CHCO, spoke about this problem with the National Notary Association.
“Any data on a thumb drive or mobile device should be encrypted, and password access should be required on any company-issued mobile devices—after all, haven’t we all heard of anyone losing their smart phone?” stated Prillaman in the interview.
Read the full article from the interview here.
January 5th, 2012
As a reminder of the perils surrounding protected health information (PHI), Stanford Hospital & Clinics is facing a very expensive lawsuit for a data breach affecting approximately 20,000 patients.
A spreadsheet containing the protected information of patients seen in the emergency room from March through August 2009 was posted as an attachment to Student of Fortune, a website for students seeking help with homework, as part of a question about how to convert the data into a bar graph. The spreadsheet contained names, diagnosis codes, account numbers, and admission and discharge dates. The data did not include Social Security or credit card numbers. The spreadsheet was posted Sept. 9, 2010 and remained on the site until Aug. 22, 2011, when it was discovered by a patient.
October 14th, 2011