What We can Learn from Lahey Hospital and Medical Group’s $850,000 Breach

By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA Chat. Join us on the next broadcast.

The Office for Civil Rights (OCR) has issued a press release announcing that, following a security breach, Massachusetts-based Lahey Hospital and Medical Group has agreed to a settlement with OCR that requires it to pay $850,000 and adopt a “robust” corrective action plan to restructure its HIPAA compliance program. According to Bloomberg BNA, the plan went into effect on November 19, 2015, and will remain in force for 2 years, unless Lahey suffers another security breach.

What Happened?
In August 2011, Lahey reported that someone had stolen a laptop during the night. The laptop served as the workstation of a portable CT scanner system and contained the ePHI of 599 individuals. The mobile workstation had been stored in an unlocked room overnight. After Lahey reported the theft, OCR conducted its own investigation of Lahey and found several deficiencies in its HIPAA compliance.

OCR’s Verdict
In their own words, here is what OCR says were Lahey’s six flaws in HIPAA compliance:

  1. Failure to conduct a thorough risk analysis of all of its ePHI.
  2. Failure to physically safeguard a workstation that accessed ePHI.
  3. Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment.
  4. Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident.
  5. Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  6. Impermissible disclosure of 599 individuals’ PHI.

What We Can Learn From Lahey
In the press release, OCR Director Jocelyn Samuels makes a point of saying that covered entities must protect the ePHI found on portable workstations and on computers connected to medical equipment. We want to reinforce her statement by pointing out that access controls and data authentication would have been excellent steps toward keeping this ePHI safe. Also, while it is easy to take physical security for granted, storing such a vulnerable system in an unlocked room is an inexcusable lapse that could easily have been prevented. Here is a brief introduction to HIPAA’s physical safeguards for ePHI, to help you get reacquainted with what HIPAA expects from its covered entities.

Source: HIPAA Settlement Reinforces Lessons for Users of Medical Devices | HHS.gov

This article was originally published on Health Security Solutions and is republished here with permission. Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.