Document Disposal Company Responsible for Old Patient Records Found in Park

Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth ("Texas Health Fort Worth") earlier this month of a breach of their health information.  Only patients seen between 1980 and 1990 whose records were maintained on microfiche are affected or potentially affected by the breach. 

Texas Health Fort Worth's business associate, document destruction company Shred-it, was contracted to dispose of the old microfiche records. As reported by the Star-Telegram, because the microfiche could not be destroyed on-site, Shred-it was to transfer it to another facility for destruction.

Somehow "lost" or misdirected during transit, the records ended up in a park, where a concerned citizen found them and contacted the Dallas police.  Records were reportedly found in at least two other public locations as well, and contained names, addresses, Social Security numbers, birth dates and health information. As Texas Health Fort Worth stated in a press release,

We have no knowledge that any of the information included on the microfiche has been accessed or used inappropriately.  Furthermore, microfiche is no longer commonly used and specialized equipment is needed to read the information it contains.

While certainly it is unlikely that the average Joe has access to microfiche equipment, it is inexcusable that the records wound up in a park, of all places, to begin with. Although Shred-it "assured" Texas Health Fort Worth that it took appropriate action as a result of the incident, Texas Health Fort Worth has switched vendors.  I would expect other hospitals in the area to follow suit. It remains to be seen whether OCR will investigate Shred-it for this incident. 

Utah Medicaid Claims Data Hacked Affecting Over 24,000

The Utah Department of Health (UDOH) has experienced a data breach of its Medicaid claims data affecting over 24,000 individuals.  The breach was reported to UDOH by the Utah Department of Technology Services on Monday, April 2nd.  While the initial intrusion is suspected to have occurred on Friday, March 30th, UDOH stated that information began to be removed from the server on Sunday, April 1 (perhaps merely coinciding with April Fools' Day...).

Currently, UDOH suspects the hackers were based in Eastern Europe and, according to Reuters, has been able to narrow the source down to certain countries.  The Department of Technology Services had recently moved the claims data to a new server and, despite a multi-layered security system, the hackers were able to circumvent those controls and access data that potentially included client names, addresses, birth dates, Social Security numbers, physicians' names, national provider identifiers, addresses, tax identification numbers, and procedure codes used for billing.

UDOH is still investigating the scope of the breach, and has yet to determine exactly what types of information were compromised as well as the identities of all of the affected Medicaid clients.  So far, UDOH believes only one server was hacked.  The affected server was shut down, and new security measures implemented, according to Reuters and UDOH. 

UDOH is currently advising all Medicaid clients to monitor their credit and bank accounts until those affected can be fully identified and notified.  Technology Services Executive Director Steve Fletcher said the new server had "weaker controls" than the original server it replaced.  However, Fletcher stated that the agency will investigate further to assess how the hackers were able to circumvent the security system and do whatever may be necessary to prevent future breaches.

"These hackers are very, very sophisticated and that's one of the things that we want to document so that we can put more controls in place to make sure that it will not happen again," stated Fletcher.

For more information, check out the UDOH official statement and the Reuters and articles.    

Hospital Theft Leads to HIPAA Criminal Charges

An Alabama woman has been charged criminally in connection with the theft of patient information from Trinity Medical Center in Birmingham, Alabama, as reported by The Birmingham News.  Section 1320d-6 of Title 42 of the U.S. Code (HIPAA's criminal provision) imposes criminal penalties on any person who knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information, in violation of HIPAA.

The young woman, identified as Chelsea Catherine Stewart, allegedly stole paper surgery schedules from a closed patient registration area at the hospital while visiting a patient.  Stewart was arrested at the beginning of June after police, acting in connection with an ongoing investigation into mail theft and credit card fraud, found hundreds of pages of the schedules in the house where she was staying.

The schedules contained the names, dates of birth, social security numbers and certain medical information of approximately 4,500 patients of the hospital.  In addition to the patient information, an affidavit by postal inspector John Bailey stated there were handwritten notes with information of other individuals which could be used for identity theft and a "to-do" list of sorts for fraud.  Notes allegedly read, "Get hospital records together and run credit reports on people to get info."  

The notice of the theft on Trinity Medical Center's website states,

"All stolen information has been recovered....The hospital has no reason to believe this information has been or will be used in a way that would cause harm." 

However, Trinity Medical Center will be offering free credit monitoring for those affected patients.  In addition to the notice on its website, the hospital also notified affected individuals of the theft by mail.

If convicted, Stewart could face the maximum criminal penalties under §1320d-6 for "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm" and up to 10 years in jail and $250,000 in penalties.  Stewart also faces unrelated charges of credit card fraud and breaking into a vehicle.  

Class Action Sought for Charleston Area Medical Center Breach

Patients affected by a West Virginia hospital breach that went undetected for several months are seeking certification as a class action as reported by Health Data Management.  Five of the approximately 3,655 affected patients have filed suit against the Charleston Area Medical Center in circuit court seeking damages based on four counts:

  • breach of confidentiality
  • negligence
  • invasion of privacy by intrusion on seclusion
  • invasion of privacy by unreasonable publicity of private life

The lawsuit, Tabata v. Charleston Area Medical Center, stems from the availability of a database containing patient names, social security numbers, medical information and demographic information on the Internet.  A family member of a patient had found the information while searching the web.

Although the database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, the fact that it had inadvertently been made publicly available went unnoticed until February 2011.  However, the hospital acted quickly once made aware of the breach and notified all potentially affected patients within 8 days.

The hospital had originally offered to pay for one year of credit monitoring as well as an immediate credit freeze at the three credit bureaus for all affected patients.  Free credit reports were also made available to affected patients through the West Virginia Attorney General's Office.  In addition, after discussion with the Attorney General's Office, the hospital hired a risk management group to conduct a security assessment and undertook a number of other measures to protect against further breaches.

As part of the damages, the patients seek to have the hospital extend additional credit and identity protection and monitoring services.  They also ask the court to require that the hospital establish a specific security program, and to award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.

Although it is unclear yet what repercussions the hospital may face from the Department of Health and Human Services for the breach, the breach and accompanying lawsuit highlight the importance of monitoring business associates who have access to PHI, and the work product they produce from it.  In addition, frequent and periodic security assessments are crucial to identifying issues before an incident or breach occurs.  A robust and proactive security assessment coupled with a strong information security program will go a long way towards effectively safeguarding patients' electronic PHI, as well as cutting the costs associated with incident response.

Security Breach Response: Lessons Learned from the Epsilon Breach

Does the notice below look familiar?

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers.  We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information.

If it does, congratulations on being one of the unlucky millions affected by the data breach which occurred at Epsilon last week.  The largest distributor of "permission-based" email marketing, Epsilon serves some 2,500+ clients, from JPMorgan Chase to Target and Walgreens, sending over 40 billion emails on their behalf each year.

At some point on Wednesday, March 30, Epsilon's systems were hacked, resulting in millions of email addresses and names being stolen, presumably in order for hackers to send mass spam and convincing "phishing" emails to consumers.  The first I became aware of the breach was Monday, April 4, when I received the above notice from Chase, followed quickly by Target, 1-800-Flowers and a variety of other smaller companies over the next two days. 

As I received the latest emails this morning (World Financial Network National Bank, or WFNNB, and Citibank), I couldn't help but be impressed with how quickly Epsilon was able to detect the data breach, notify law enforcement, and notify its clients affected by the breach, reportedly about 50 companies.  The turnaround time within which many of the affected clients notified their consumers was equally impressive, especially given that these companies likely only received notice from Epsilon right before or over the weekend.

I automatically wondered: would such a response have been equally efficient and effective if the data breach had occurred within the HIT systems of a business associate of a hospital or within the hospital itself?  Maybe yes and maybe no. 

HITECH places stringent security breach notification requirements and timeframes on covered entities and business associates who experience breaches of PHI.  In addition, state laws such as New Jersey's Identity Theft Prevention Act also place breach notification requirements on these and other entities with regard to certain personal information.

Covered entities, as we are all too aware, are certainly not immune from the risk of security breaches.  Many covered entities may not have detailed policies and procedures for detecting and responding to breaches of PHI.  For those that do, are these procedures effectively communicated to key management and employees so that they know how to appropriately react from the first sign of a breach through the sending of required notices?  In addition, how soon and by what mechanisms are business associates required to report breaches, or even suspected breaches, of PHI to the covered entity?

Although only email addresses and names were taken, the Epsilon breach stresses how important it is for covered entities to assess their security breach notification policies and procedures and ensure key personnel know the steps for detecting, assessing and mitigating breaches of PHI, and their respective roles and responsibilities, BEFORE these individuals are placed in such a situation.

A mere five calendar days (including the weekend) is quite impressive for a breach response involving so many different companies.  Although perhaps five days might be improbable or even impossible for a covered entity under the circumstances of a given breach, immediate and efficient action and communication are still crucial to an effective breach response.

Think you are Exempt from the Red Flags Rule? ... Don't Take Your Red Flags Down So Fast.

Prepared by Krystyna Nowik, Esq.

Health care providers and the Identity Theft Red Flags and Address Discrepancies Final Rule (“Red Flags Rule”) have had a drawn-out and bumpy history together. Considerable uncertainty with regard to what entities were or should be considered creditors within the meaning of the Red Flags Rule resulted in multiple delays in the effective date and several legal challenges to the Red Flags Rule (e.g., the American Bar Association (ABA) and its applicability to attorneys and the American Medical Association (AMA) and its applicability to physicians).

On December 18, 2010, the Red Flag Program Clarification Act was passed for the sole purpose of narrowing the definition of creditor and providing some clarification as to what entities would be subject to the Red Flags Rule. The Red Flag Program Clarification Act does not explicitly exclude physicians, hospitals or other types of professionals or entities who had challenged the Red Flags Rule applicability. However, it revises the definition of creditor to mean:

(1) a creditor as defined by section 702 of the ECOA (e.g., any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit) that regularly and in the ordinary course of business:

a. obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

b. furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; OR

c. advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;

(2) that does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; AND

(3) includes any other type of creditor…as the agency…may determine appropriate…based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.

Under this new definition, attorneys and other entities will not be considered a creditor for purposes of the Red Flags Rule. Additionally, many physicians and hospitals may not be subject to the Red Flags Rule. However, the exemption does NOT necessarily let all health care providers off the hook.

Entities will still need to look at whether they "regularly and in the ordinary course of business" obtain or use consumer reports or furnish information to consumer reporting agencies as well as whether they are advancing funds that will need to be repaid by the person. This potentially means that hospitals or physician groups that routinely submit information on non-paying patients to collection agencies which in turn submit such information to a credit reporting agency WILL be subject to the Red Flag Rules.

In addition, further guidance is likely to be issued by the FTC regarding the applicability of the new creditor definition and other types of creditors with regard to "reasonably foreseeable risk". Additionally, no guidance is provided by the Red Flag Program Clarification Act as to what "regularly and in the ordinary course of business" means. However, although the American Hospital Association believes hospitals are clearly exempt from the Red Flags Rule under the new definition, hospitals that engage in billing and collection practices should be prepared to comply as of January 1, 2011, in the event such activities would qualify the hospital as a "creditor" or in the event the FTC, through rulemaking, expressly covers hospitals under the "reasonably foreseeable risk" of identity theft provision.

In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent potential harm to the victim.  When dealing with medical identity theft, the stakes can be much higher than financial loss alone: it can potentially cost a person their health, or their life.  Where multiple providers are connected through an HIO and engaging in HIE, the risks and harm resulting from identity theft may be multiplied.  Therefore, irrespective of whether a provider is or is not directly subject to FTC penalties for noncompliance, implementing an Identity Theft Prevention Program is a good idea from the standpoint of both risk management and patient care.

For a great video on Medical Identity Theft, watch the news report from CBS3.