HIPAA Horror Stories
These preventable HIPAA horror stories happened when a covered entity or a business associate was hit by malware, external hackers, or click-happy insiders. No matter how it happened, confidentiality was breached, integrity was lost, and/or availability was compromised. The result is the same in every case: a large expenditure of resources and man-hours to recover data, clean up systems, and restore functionality, along with a great deal of explaining and reporting to the FBI. The affected patients are shaken and scared, and the associate or entity has to buy expensive identity protection services for everyone involved. See our page on HIPAA to get started protecting your business.
BioReference Laboratories, New York, New Jersey, and North Carolina
New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach.
BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised.
BioReference Laboratories confirmed the breach in an 8-K Securities and Exchange Commission (SEC) filing on Monday. The OPKO Health subsidiary was notified on June 3, 2019, that it had been impacted by the breach.
The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had access to the AMCA web payment page, which included data of several healthcare clients.
Patients who had received BioReference Laboratories testing services had the following information compromised: Name, address, phone number, date of birth, date of service, email address, provider information, balance information, and bank account information. No Social Security numbers, medical information, test results, or passwords/security questions and answers were exposed. Source
Pasquotank-Camden Emergency Medical Services, North Carolina
On December 14, 2018, an unknown foreign hacker accessed the county’s billing software through a vulnerability and erased the records of 40,000 patients. The software vendor, TriTech, located the vulnerability and patched the software after the fact. This incident was the second one for the county, following another in May 2018. Unfortunately, the county now has to provide identity monitoring services to 40,000 patients at its own expense.
Arkansas Oral and Facial Surgery Center
The Arkansas Oral & Facial Surgery Center says it discovered on July 26, 2017, that its computer network had been hit by ransomware. “We promptly began an investigation which revealed that the ransomware had been installed on our systems by an unauthorized individual at some point earlier that morning or the evening before,” the notice states. The center says the apparent motivation behind this incident was “extortion, and not the theft of patient information.” The FBI was notified of the incident, the healthcare provider adds. Except for “a relatively limited set of patients,” the center says its patient information database was not affected by the ransomware. Imaging files, such as X-rays, and related documents were targeted.
Confidentiality is what most people think of when they discuss HIPAA requirements. There is much more to it than that, though: HIPAA also covers data integrity and availability. All data must be evaluated to determine its value. Answer these three questions about all of your data to set a value for it:
What would happen if this got into the wrong hands? (Confidentiality)
What would happen if I couldn’t trust the data to be accurate? (Integrity)
What would happen if I could never access this data ever again? (Availability)
Advanced Spine & Pain Center (ASPC), San Antonio, TX
On July 31, 2017, ASPC learned from some of its patients that they had been contacted by an unknown person and asked to pay an outstanding balance. ASPC then discovered that its server had been accessed by one or more unauthorized users, and that demographic information (names, addresses, Social Security Numbers, date of birth, state, zip code, telephone, and gender), medical information (medical records, labs, x-rays, and scheduling notes), and billing information (primary insurance, CPT codes, phone, ID number, and Group number) had been downloaded and transmitted outside the facility to unauthorized persons. The unknown hacker then shared the information with scammers, who proceeded to call the patients on the list and ask them for payment by credit card over the phone. ASPC contacted the FBI and filed a report, then proceeded to tighten security in its network. In the end, ASPC had to pay for credit monitoring and identity protection services for all of its patients. They never discovered who transmitted the data.
Stanford University Hospital, Stanford, CA
In October 2011, the names and diagnosis codes of approximately 20,000 patients of Stanford University hospitals were found posted on “Student of Fortune,” a website that offers students help with homework. Stanford’s investigation revealed that a consultant, who had received the data as part of an engagement, had given it to an applicant as part of a practical job interview process. When the applicant turned to Student of Fortune for help in completing the assignment, s/he uploaded the patient information to their website. At the conclusion of the Department of Health and Human Services (DHHS) Office of Civil Rights’ (OCR’s) investigation, the contractor might be subject to fines of as much as $1,500,000. A number of patients have already filed suit against Stanford Hospital, seeking a collective settlement of $20,000,000, under California’s medical record privacy law. In addition, Stanford’s “Business Associate” might be liable for damages if any of the patients prevail in civil suits.
M.D. Anderson Cancer Center
In June 2012, an unencrypted laptop computer containing Protected Health Information belonging to 30,000 patients was stolen from the home of a physician-researcher at M.D. Anderson Cancer Center. The data included medical record numbers, patient names, social security numbers, and clinical information. It included records going back more than ten years. No announcement has yet been made regarding fines or other penalties. However, depending on the results of the investigation of the primary HIPAA enforcement agency, the DHHS OCR, and the timing and circumstances of the data collection, fines might range from $300,000 to $4,000,000; not including damages from civil suits, if any, if patients were harmed as a result of the incident.
Memorial Sloan-Kettering Cancer Center
In June 2012, a PowerPoint presentation containing Protected Health Information was discovered to have been posted on the Internet for more than five years. The presentation, which was intended for use by members of two professional medical organizations, was created by Memorial Sloan-Kettering staff. The presentations could be located through searches of patients’ names. However, the patient information was obscured by graphs and other illustrations, and was therefore visible only if the images were manipulated, e.g., by downloading and enlarging them. No penalties have yet been announced. However, OCR might impose fines of $100 to $50,000 for each record posted. Additional penalties, including civil damages, might also apply.
St. Louis Plastic Surgery Practice
In August 2012, a St. Louis plastic surgeon posted before-and-after photographs of thirty women who had undergone breast augmentation, on her website. Though their faces were obscured, the patients sued for negligence when they discovered that the pictures included identifying information, and that the site could be located simply by searching for the patients’ names. Ten of the patients have filed suit for invasion of privacy, seeking unspecified damages. OCR’s investigation is still pending.
We welcome your comments below. Please share your own HIPAA horror stories.