Protecting the Most Sensitive Patient DataRecent Breaches Show Better Effort Needed
Two recent breaches that exposed information about mental health patients point to the need for providers to take extra precautions to protect the most sensitive health information.
One of the breaches stemmed from an all-too-common cause - a stolen unencrypted laptop computer. The other involved a hacker attack, just the latest of many such attacks to have grabbed headlines this year.
"We expect you to address encrypting data at rest and in transmission - and if you don't, you must implement an alternative option in its place."
The latest breach to be revealed occurred at Woodhull Medical and Mental Health Center in Brooklyn, part of the New York City Health and Hospitals Corp., which serves as a "public safety net" healthcare system.
In an Oct. 15 letter mailed to nearly 1,600 affected patients, Woodhull says a Woodhull physician discovered in August that a laptop that was secured by a lock to an electromyography, or EMG, machine, was missing from a patient examination room.
"The PHI contained on the stolen device included patients' medical record number, test results and narrative physician summary," the Woodhull letter says.
The healthcare provider says the New York City police are investigating the incident. "It is likely that the purpose of the theft was to steal the laptop and not your health information, and there is no evidence that the health information contained on the laptop, whether pertaining to you or other patients, has been misused in any manner," Woodhull says in its notification letter. Woodhull says it's making available free identity theft protection services to those affected.
In its letter, the organization says it's taking a number of steps to bolster security, including "undertaking a review of the physical security precautions currently in place to identify those areas in which security measures require supplementation." It's also "reviewing additional security precautions that can be implemented for biomedical devices - like the EMG machine laptop - and going forward will be encrypting new computer equipment." In addition, Woodhull is reviewing its security awareness training "so as to emphasize to workforce members the importance of security awareness."
While it's good to learn that Woodhull will be encrypting new computer gear "moving forward," the privacy risk to patients' sensitive data could've been mitigated in this case had the stolen laptop been encrypted.
The revelation of the incident at Woodhull comes on the heels of an announcement that Emergence Health Network, an El Paso, Texas-based center that provides services to mental health and intellectually disabled patients, had discovered in August that it was a victim of a hacker attack that started as far back as 2012.
Information on 11,200 patients stored on a server was exposed. That included patients' first and last names, addresses, dates of birth, Social Security numbers, case numbers and information indicating that the individual accessed services from EHN or Life Management Center El Paso, the entity's previous name.
A third-party analysis of the incident determined that data was not copied or exfiltrated, an EHN spokeswoman told me. Also, the analysis determined that the organization was likely not the target of the hackers, but rather a "gateway" to another unidentified target, she adds.
No one knows for certain what's happened to the laptop stolen from Woodhull, nor, for that matter, what motivated the hackers to hit Emergence Health Network's server.
So, the affected patients have good reason to feel worried, even if their healthcare providers say it's unlikely that their data is at risk. Maybe the affected individuals won't become victims of identity theft or fraud. But it's certainly worrisome that information confirming these patients were treated for mental health issues was exposed by the breaches.
Government regulators have already shown they can be particularly empathetic with the plight of patients' whose most sensitive health data is breached. For example, the U.S. Department of Health and Human Services' Office for Civil Rights in July 2011 hit Massachusetts General Hospital in Boston with a $1 million settlement in a breach case involving the loss of paper files on 192 patients, which included information on those with HIV/AIDS.
OCR officials have also recently made it clear that the agency expects mobile devices containing PHI to be encrypted, even though encryption is not explicitly required under the HIPAA Security Rule.
Anything that can "walk" away - including laptop computers, storage devices, desktop PCs as well as servers that aren't nailed to the floor - should be encrypted, OCR officials said during a recent HIPAA conference (see HIPAA Enforcer Losing Patience on Encryption).
"We expect you to address encrypting data at rest and in transmission - and if you don't, you must implement an alternative option in its place," as well as document the reasoning, Deven McGraw, OCR deputy director of information privacy, said at the conference.
So, if your healthcare organization experiences a breach of unencrypted patient information, don't be surprised if you find yourself explaining to a regulator why that data wasn't properly safeguarded. And also be prepared to take out your checkbook.