Huge HIPAA Data Breach & 2014 Audits

Avoid a Costly HIPAA Data Breach with a Risk Analysis

By Mike Semel
Twitter: @SemelConsulting

Do you think that HIPAA is just some annoying and expensive government intrusion without any cause? Do you think that all patient data is stored securely in your Electronic Health Record (EHR) system? Do you wonder why the government requires secure e-mail systems for healthcare rather than letting everyone use Gmail, which of course is free and could lower costs?

The New HIPAA Data Breach Poster Child

In July, Advocate Health Care, a leading Illinois-based health care provider, had a burglary at one of its medical offices that resulted in the theft of four desktop computers. Note that these weren’t servers in a secure data center. Four million patient records were breached, including names, diagnostic information, and Social Security Numbers. The second largest HIPAA data breach ever. Four million records. Including Social Security Numbers. On desktop computers in a medical office. No kidding.

So far Advocate is paying millions of dollars for credit monitoring for its victims. The Advocate HIPAA data breach is being investigated by the federal government and the Illinois Attorney General. A class-action lawsuit has already started. It probably won’t help that Advocate’s first announcement—a month after the burglary, which gave them time to determine the extent of the problem—said no medical information was lost. Shortly thereafter it was reported that medical information was at risk. Nor will it help that one of Advocate’s executives said that the patient information should not have been on those computers to start with.

A HIPAA data breach of four million patient records on desktops in a doctor’s office? This is why HIPAA requires a Risk Analysis to identify the locations of patient data throughout a health care and (now) business associate organization. Once protected data is located, you need to determine how to secure it. The easiest way is simply to move patient data to more secure servers that are physically locked down in data centers and technically locked down with passwords and encryption. There are tools that can be easily deployed to block local systems from storing data. If the data had not been on those four PCs, Advocate would have had a negligible loss. Instead, this HIPAA data breach is likely to cost more than $100 million.

It is ironic that Advocate advertises itself as “Inspiring Medicine. Changing Lives.” Advocate has just changed four million lives by making its patients worried about ruined credit scores, and feeling violated, helpless, and angry. Advocate will be out millions of dollars and careers may be ruined. Had Advocate complied with HIPAA’s requirement for a Risk Analysis, this HIPAA data breach might have been avoided.

2014 Audits

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that HIPAA audits will take place after January 1, 2014, not at the beginning of the federal Fiscal Year 2014, which starts October 1, 2013.

Leon Rodriguez, director of OCR, a former prosecutor and the ‘Chief HIPAA Enforcer,’ said that audits will be expanded because his agency can now spread the HIPAA data breach fine money it collects across multiple fiscal years. Last year OCR’s budget was $38 million, not counting the $4 million in civil penalties it collected in fines. Rodriguez said he will be asking for a budget increase for 2015.

Audits will be expanded past the 115 pilot audits that took place in 2012. For the first time, Business Associates are directly liable for HIPAA data breaches and will be included in the auditing program.

“One focus in the audits will be on risk analysis,” Rodriguez said, sending a clear message about the importance of a Risk Analysis, the first requirement in the HIPAA Security Rule.

HIPAA has required a Risk Analysis since 2005, including annual reviews and updates whenever something significant changes. Meaningful Use includes a Security Risk Analysis as a required Core Measure. Many practices have never done one. Attesting for Meaningful Use without doing a Security Risk Analysis is Medicare fraud.

The National Institute for Standards and Technology (NIST) has published a 95-page guide to doing a Risk Analysis. The Office of the National Coordinator (ONC) has provided guidance that a simple checklist cannot be used as a Risk Analysis, and that “…doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

When we conduct Risk Analyses we sometimes doubt the answers provided by the medical practice. Our experience has led us to do our own searches, and we find patient data in many areas not thought of by practice administrators and even IT techs. Many practices don’t realize that there is a hard drive in their copier, which was the basis for a recent $1.2 million HIPAA data breach penalty. Advocate did not know that four million patient records were on desktop PCs in a doctor’s office, and after the theft said the records should have been stored more securely. Many doctors are having their e-mail forwarded to their webmail accounts, or sent in text messages, both of which are HIPAA data breaches.
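The point made above, and earlier in the Advocate discussion, is that a Risk Analysis has to find where patient data actually lives rather than where staff assume it lives. The following is an added example, not code from the article or from Semel Consulting: a minimal ePHI discovery scanner that walks a directory tree, flags files containing Social Security Number patterns, and reports counts per file while redacting the values themselves. The directory layout, the constructed sample files, and the structural SSN rules used to reduce false positives are assumptions of this example.

```python
"""
Added example (not from the article): a minimal ePHI discovery scanner.

Walks a directory tree, counts plausible Social Security Numbers per file,
and redacts them from any text that is reported.  The sample tree built by
build_sample_tree() is constructed for this example.
"""
import os
import re
import tempfile

# Candidate SSN: 3 digits, optional "-" or " " separator, 2 digits, the same
# separator again, 4 digits; not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut false positives.
    Assumed rules: area 000, 666 or 900-999, group 00, serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a block of text."""
    return sum(
        1 for m in SSN_RE.finditer(text)
        if looks_like_ssn(m.group(1), m.group(3), m.group(4))
    )


def redact(text: str) -> str:
    """Replace each plausible SSN with ***-**-**** so findings can be shared."""
    def _sub(m):
        if looks_like_ssn(m.group(1), m.group(3), m.group(4)):
            return "***-**-****"
        return m.group(0)
    return SSN_RE.sub(_sub, text)


def scan_tree(root: str, max_bytes: int = 10_000_000) -> dict:
    """Return {relative_path: ssn_count} for every file with at least one hit.
    Unreadable files are skipped; binary content is decoded leniently so
    exported spreadsheets and text dumps are still searched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue  # permissions, locked file, etc.: note and move on
            n = count_ssns(raw.decode("utf-8", errors="ignore"))
            if n:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = n
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="phi_scan_")
    os.makedirs(os.path.join(root, "records"))
    samples = {
        # constructed: two plausible SSNs hidden in a desktop text export
        "records/notes.txt": "Patient J. Doe SSN 123-45-6789; guarantor 321-54-9876\n",
        # constructed: values the structural rules reject
        "records/invalid.txt": "000-12-3456 666-11-2222 900-11-2222 123-00-1234\n",
        # constructed: dates and times that must not match
        "schedule.txt": "Appointment 2014-01-15 at 10:30, room 204\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, n in sorted(scan_tree(root).items()):
        print(f"{n:4d} SSN-like value(s)  {rel}")
    with open(os.path.join(root, "records", "notes.txt"), encoding="utf-8") as fh:
        print(redact(fh.read()).rstrip())
```

Run it against a workstation's user profile or a file server share to get a file-level inventory for the Risk Analysis; the output names files and counts, never the numbers themselves, so it can go straight into the findings document. A real scan would add document and spreadsheet parsers and other identifiers (names paired with diagnosis codes, MRNs), but the structure stays the same.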

Gmail

There is nothing wrong with Gmail, but it is not an appropriate tool for sending patient data. Even if you think you are only going to send messages desk-to-desk within your practice, Gmail is web-based and every message leaves your network, is stored on a Google server somewhere in the world, and then returns to your network for delivery.

Google will not sign a HIPAA Business Associate Agreement, and, worse, its terms and conditions allow Google to publish any information you store on its system. So, using Gmail while not being able to get a signed Business Associate Agreement is enough to be a HIPAA data breach, but agreeing to terms and conditions under which electronic Protected Health Information you send through Google can be published for all to see takes the cake.

Free can be very expensive. In 2012 a cardiac practice in Phoenix paid a $100,000 HIPAA data breach penalty for using Gmail and using a Google calendar to schedule patient appointments. A key finding was that the practice had not done a HIPAA Risk Analysis.

These HIPAA data breaches, their associated costs, and resulting embarrassment and career suicide, might have all been avoided by a proper HIPAA Risk Analysis. Since it will be the primary focus of the 2014 HIPAA audit program, it might be a good time to get yours done now by an experienced professional.

Mike Semel is certified in HIPAA, has been the CIO for a hospital (Covered Entity), and has provided IT support for healthcare providers (as a Business Associate). Mike is certified in Business Continuity planning and helped develop the CompTIA Security Trustmark. Semel Consulting offers a managed compliance service called HIPAA SOS, compliance audits, Meaningful Use Security Risk Analysis, and continuity planning. Visit for more information.

HIPAA Security Training
Check out the 4Med HIPAA online curriculum for medical staff, professionals and BAs. All courses are modular, allowing students to stop and start at their own pace and on their own schedule. Use discount code HITECH to receive 20% off.