Updated: breaches and fines on the rise
The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010. Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year. We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:
- On May 28, 2010, Cincinnati.com reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.” Information lost included not only PHI, but also Social Security numbers and even credit card data. The records on the laptop were password protected, but they were not encrypted. The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge. The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information.
- Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees. On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009. Violations were significant, but, considering the fine, far from gruesome.
Please click here to read more.
In the first instance,
an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.
In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.
This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and local. California has a particularly strict medical privacy law, enacted in 2008. Breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California. It could be a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.
"Missing records on stolen laptop from Cincinnati Children's Hospital," Cincinnati.com (May 28, 2010).
"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).
"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).
