Major data breach at Stanford Hospital

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billing contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."

This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

The Times correctly pointed out that contract language alone is not enough, and that significant due diligence by each provider is required. Certainly, employee training for both the hospital and the business associate-type contractors is absolutely essential. Relating the seriousness and gravity of health information privacy breaches should be a key element of such training. However, having a clear termination right and a strong contractual obligation to indemnify the provider in the event a vendor causes a major breach like the one at Stanford Hospital is a good start.

We frequently see vendor agreements either without such an indemnification clause or with severe caps on vendor's liability. The latter is often limited to one year's worth of fees, or, in a better scenario, all fees paid by provider to vendor under the agreement. However, in case of a major breach caused by a vendor, such caps would not allow a provider to recover its costs and damages in dealing with the breach. Therefore, carve-outs to vendor's limitation of liability in connection with vendor's own breaches of PHI or other confidential information are crucial.

Stanford Hospital may be exposed to significant fines under both federal and state privacy laws. In fact, another Stanford hospital (Packard Children's) was slapped with a $250,000 fine under California law for failing to report a breach within 5 days. However, such regulatory expenses are just the tip of the iceberg: Stanford Hospital will have to spend a lot more on investigations, legal expenses, staff time, and, possibly, credit monitoring for the affected individuals.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"Patient Data Posted Online in Major Breach of Privacy," The New York Times (September 8, 2011).

"Stanford Hospital Suffers Comically Stupid Patient Data Leak," Gawker.com (September 8, 2011).

California agency to investigate HealthNet

As we predicted yesterday, HealthNet's breach of the personal information of almost 2 million people is already the subject of a state government agency's investigation. Via Health Leaders Media:

After Health Net, Inc. in California announced Monday that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves 'personal information for 1.9 million current and past enrollees nationwide.'

The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan's statement, saying that the missing records on nine servers are 'for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.'

"The DMHC has opened an investigation into Health Net's security practices," said DMHC spokesperson Lynne Randolph. "Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed."

This may not be the last government investigation for the embattled insurer. For more information on the breach, please click here.


California fines hospital $250,000 for failing to comply with state breach statute

As we mentioned previously, California has the strictest data breach notification statute in the country, allowing entities only five days to report a breach and not permitting even the customary delays for law enforcement efforts. The California Department of Public Health (CDPH) is charged with enforcement of this statute, contained in Section 1280.15 of the California Code, and may impose a maximum fine of $250,000 for each breach incident.

CDPH imposed the maximum $250,000 fine on Lucile Salter Packard Children's Hospital (LSPCH) at Stanford University for failing to report within five days a breach involving 532 patients. The breach resulted from an employee of LSPCH stealing a laptop containing PHI for these 532 patients.

The somewhat shocking part is that CDPH levied the maximum fine on this hospital, even though the hospital reported this breach less than two weeks later, after completing an investigation. LSPCH discovered the breach on February 1, 2010, but did not report the breach until February 19, 2010. In fact, CDPH learned of the breach from the hospital's notice. While a clear violation of the five-day rule (however just or draconian the rule may be), it does not seem to be an egregious violation which would merit the maximum fine. LSPCH believes that its notification to the state and to the affected individuals was reasonable and timely and is appealing the fine.

Packard Children's believes it did what it was supposed to do:

The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.

As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.

Theft charges have been filed against the former employee.

Packard Children's believes that there has been no unauthorized or inappropriate access to the information on the computer. "We use very sophisticated tools to conduct investigations such as this," said Ed Kopetsky, chief information officer at Packard Children's. "We are able to detect if the missing computer connects to a network that has access to the Internet and we've been monitoring this activity regularly to determine if this computer has been online anywhere. It has not."

"This theft was very unfortunate," said Susan Flanagan, RN, chief operating officer. "We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children's privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."

This response seems proper and reasonable. What more could a hospital do? In California, report the breach within the required five days. But even if the hospital missed the deadline, imposing the maximum fine for the reasonable response outlined above seems too harsh.

Finally, it is worth pointing out that California is clearly determined to enforce these laws. According to Health Leaders Media, CDPH levied over $1.8 million in fines against 143 hospitals under the breach notification statute and the similar requirement for reporting wrong-site surgery or foreign objects left inside a patient.

"Hospital Fined $250,000 For Not Reporting Data Breach," Health Leaders Media (September 10, 2010).

Updated: breaches and fines on the rise

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010. Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year. We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

  • On May 28, 2010, Cincinnati.com reported that "Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen." Information lost included not only PHI, but also Social Security numbers and even credit card data. The records on the laptop were password protected, but they were not encrypted. The hospital reported the breach, hired a consulting company to deal with it, and offered affected individuals ID theft protection at no charge. The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with the improperly stored credit card information.
  • Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, namely failing to prevent unauthorized access to the confidential medical information of 245 patients, whose records were improperly accessed by a total of 32 employees. On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009. The violations were significant but, considering the size of the fine, far from gruesome.

Please click here to read more.

In the first instance,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and local. California has a particularly strict medical privacy law, enacted in 2008. Breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California. It could be a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.

"Missing records on stolen laptop from Cincinnati Children's Hospital," Cincinnati.com (May 28, 2010).

"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).

"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).

California fines Kaiser hospital $250,000 for violations of patient privacy

As we mentioned earlier, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom."

On May 14, 2009, California authorities fined Bellflower Hospital, the Kaiser facility where Ms. Suleman was treated, $250,000, the maximum allowed under California's new patient privacy law. The law allows the California Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000.

While the spokesperson for Kaiser argued that the healthcare provider "took numerous steps to prevent" violations of Ms. Suleman's privacy, state officials maintain that such steps were insufficient:

The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.

"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshé, secretary of California's Health and Human Services.

Governor Schwarzenegger supported this development: "The fine issued today should be a reminder that there are consequences for violations of medical privacy."

"Kaiser hospital fined $250,000 for privacy breach in octuplet case", Los Angeles Times (May 15, 2009).