Boston Children's Fined for Breach
Why Experts Expect More Post-Breach Sanctions in 2015
The Massachusetts attorney general has fined Boston Children's Hospital $40,000 for a 2012 breach involving a stolen unencrypted laptop. The settlement, which includes a detailed corrective action plan, is the second such breach-related enforcement action against a hospital that Attorney General Martha Coakley has announced within the last month.
This latest settlement stems from a civil lawsuit Coakley filed under the Massachusetts Consumer Protection Act and the federal HIPAA law. Some security experts predict that the attorney general's actions, as well as three HIPAA settlements at the federal level this year, are a preview of ramped-up privacy and security enforcement activity to come in 2015.
"The steady stream of 2014 announcements surrounding HIPAA enforcement settlements foreshadows a deluge as the [Department of Health and Human Services] proactive audits and state enforcement programs become fully operational," says Brian Evans, senior management consultant at IBM Security Services. HHS' Office for Civil Rights expects to resume random HIPAA compliance audits in 2014 (see: HIPAA Compliance: What's Next?).
The settlement with Children's is related to a breach that resulted when a hospital-issued unencrypted laptop was stolen from a physician while he was at a May 2012 conference in Buenos Aires. Before the laptop was stolen, the physician received an e-mail from a colleague containing the protected health information of 2,159 patients, including names, dates of birth, diagnoses, procedures, and dates of surgery. More than 1,700 of the patients were younger than 18, according to a statement from the attorney general.
"The physician took steps that he thought were adequate to remove the protected health information from the laptop. However, the information from the e-mail remained on the laptop and despite [the hospital's] written policies, encryption software was not installed prior to the incident," Coakley's statement says.
"Healthcare providers must ensure that the privacy and security of sensitive patient information is protected," the statement notes. The settlement "will put in place and enforce important technological and physical security measures at Boston Children's Hospital to help prevent a breach like this from happening again."
Corrective Actions
Under the terms of a consent judgment, the $40,000 sanction includes a $30,000 civil penalty and a payment of $10,000 to a fund administered by the attorney general's office for education programs concerning the protection of patient information.
In addition to the monetary fine, the settlement with Boston Children's Hospital also requires the medical center to take a number of actions to improve its data security. Those measures, which court documents indicate are already being taken by Children's, include:
- Conducting a review of compliance with federal and state standards relating to the hospital's handling and disclosure of protected health information by means of portable devices;
- Implementing a program to encrypt all laptops accessing its network;
- Reviewing and revising existing policies and procedures relating to portable devices to incorporate recommended improvements;
- Communicating with its workforce regarding encryption and data protection of portable devices;
- Revising existing training materials, and creating additional materials, on how to ensure the privacy and security of electronic PHI contained on portable devices.
"Boston Children's Hospital makes it a top priority to protect all patient and staff information with sophisticated security tools," a hospital spokeswoman tells Information Security Media Group. Since the 2012 incident that triggered the state's case against the hospital, Boston Children's has implemented a mandatory encryption policy for every computing device used to access hospital systems, whether the device is personally owned or hospital-issued, the spokeswoman says. "Every device that is issued by Boston Children's is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted."
Meanwhile, in a statement to ISMG, a Massachusetts attorney general spokeswoman says, "Our office is committed to helping educate physicians, staff, and hospital leadership about their legal obligations to protect [patient] data. As hospitals increase their use of data to improve efficiencies and delivery of care, we must ensure that data always remains secure."
Other Massachusetts Cases
The Massachusetts attorney general's case against Children's followed a similar settlement announced in late November with Beth Israel Deaconess Medical Center in Boston. In that case, Coakley fined Beth Israel Deaconess $100,000 as a result of a 2012 breach also involving a stolen unencrypted laptop. Like the Children's settlement, the agreement with Beth Israel Deaconess also requires the medical center to perform a review and audit of security measures, and take corrective measures recommended in the review.
And back in July, the attorney general announced a $150,000 settlement with Women and Infants Hospital of Rhode Island in a 2012 breach involving lost back-up tapes that affected 14,000 patients.
Ramped Up Scrutiny?
Some privacy and security experts say recent enforcement activities by regulators indicate that healthcare entities and their business associates should prepare for intensified HIPAA scrutiny in the upcoming year.
"I predict that HIPAA enforcement will cause more healthcare organizations to experience investigations and fines [in 2015] than in any previous year," Evans says. "Looking back, 2014 will be known as the year when healthcare organizations took notice and realized the impact of being complacent regarding HIPAA Security compliance because it was a pivotal year for enforcement."
Earlier this month, as part of a HIPAA settlement, OCR slapped a $150,000 sanction on Anchorage Community Mental Health Services for failure to apply software patches. The failure to apply the patches contributed to a 2012 malware-related breach affecting more than 2,700 individuals, says OCR.
In addition to that settlement, OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.
OCR also reached an $800,000 settlement with Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio, stemming from an incident in June 2009 involving the dumping of paper medical records of 5,000 to 8,000 patients.
The recent Anchorage resolution agreement "could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules," says David Holtzman, vice president of compliance at the consulting firm CynergisTek.
Some observers also predict that other state attorneys general could ramp up their civil suits tied to health data breaches, following Massachusetts' lead.
"In 2009, the HITECH Act provided state attorneys general with authority to bring civil actions under HIPAA, and Massachusetts has now brought five out of the eight attorneys general actions that have followed," says privacy attorney Adam Greene of law firm Davis Wright Tremaine. The other AGs that have brought such state actions are in Connecticut, Vermont, and Minnesota.
For 2015, Greene also says he expects to see OCR hit more organizations with penalties as part of HIPAA settlements after breaches. "There have been statements suggesting that OCR has a number of record-setting settlements in its pipeline, but we haven't seen those published yet. OCR likely will continue to resolve the vast majority of investigations through voluntary corrective action and closure, but we may see another five to 10 headline-grabbing settlements, possibly with record amounts."