Breach Involving Encrypted Devices Raises Questions
Med Center Health in Kentucky Reports Insider Incident
Under the HIPAA Breach Notification Rule, the theft or loss of encrypted computing or storage devices is not considered a reportable data breach. But a recent incident at a Kentucky-based healthcare organization demonstrates that making a determination on whether an incident is a reportable breach isn't always clear-cut.
On March 21, Bowling Green, Kentucky-based Med Center Health, which includes several hospitals, issued a public notification saying that on Jan. 4, 2017, "during the course of an internal investigation, we determined that [a] former Med Center Health employee had, on two past occasions during their employment, obtained certain billing information by creating the appearance that they needed the information to carry out their job duties for Med Center Health."
Med Center Health says that its investigation indicates that in August 2014 and February 2015, the employee allegedly obtained patient information on an encrypted CD and encrypted USB drive, "without any work-related reason to do so."
The billing information involved in the incident included patients' names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes and charges for medical services, the healthcare provider says. "Patients' medical records were not included in the information inappropriately obtained. Clinical medical records were not accessed and remain fully intact. Medical history and treatment have not and will not be affected by this incident."
Evidence about the incident that Med Center Health has gathered suggests that the former employee "intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials," the notification statement says.
The matter, which was reported to law enforcement, "is under investigation by the FBI and other federal agencies," a Med Center Health spokeswoman tells Information Security Media Group.
Citing the investigation, she declined to disclose details of the incident, including specifics regarding the job that the former employee held at the organization, and whether the individual would have had access to a decryption key or other means of accessing the encrypted data - or whether the data was accessed by the individual before it was encrypted on the storage devices.
Breach Victim Tally
Commonwealth Health Corp., the parent company of Med Center Health, on March 1 reported to the U.S. Department of Health and Human Services that the breach affected 697,800 individuals, categorizing the incident as an unspecified "theft."
That figure represents the number of patient encounters reflected in the data incident, says Ramona Hieneman, Commonwealth's chief privacy officer, in response to an ISMG inquiry about the breach report appearing on the HHS Office for Civil Rights' "wall of shame" website listing breaches affecting 500 or more individuals.
The Med Center Health spokeswoman tells ISMG that the organization is sending out notifications to about 160,000 patients who have been impacted. "In addition, information for those patients' insurance subscribers and guarantors may also have been contained in the records," she notes.
Whether the incident affected 697,800 individuals - as listed on the wall of shame - or only 160,000 individuals, as the Med Center Health spokeswoman states, the breach as of March 23 still ranks as the largest incident added to the HHS tally so far in 2017.
Encryption Safe Harbor
It's somewhat unclear why Med Center Health reported the incident as a breach, since, under HIPAA, the theft or loss of encrypted devices is not considered a reportable breach.
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the description Med Center Health has provided so far about the incident is unclear.
"If the data was encrypted and the person couldn't access it, then I don't know how that person could do any of the things that the person [allegedly] seemed to be doing," he says. "So I have to assume that the person had some way to get through the encryption. If that is the case, then it isn't really encrypted data and [breach] notice would be appropriate - or at least you don't get the benefit of the safe harbor."
Similarly, in a theoretical incident involving an encrypted laptop computer, "if the laptop is open and working when it is stolen, then the encryption isn't activated and wouldn't be sufficient" for avoiding the need to report a breach, Nahra notes.
"All - or most - [breach notification] laws would work that way - if the data is potentially encrypted but not actually in context, it isn't considered encrypted," he says. "Companies always need to think about whether the data really was encrypted, in context."
Under Kentucky law, notification is required for computer security breaches involving "unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information" and could cause identity theft or fraud.
But some states, including California and Illinois, have recently tweaked their encryption safe harbors for breach notification. For instance, both states now require notification if decryption keys were acquired by unauthorized persons in the security incident. California also requires notification if security credentials that could render the data readable were obtained along with the encrypted data.
HIPAA guidance from the HHS' Office for Civil Rights notes that in order for incidents to fall under the encryption safe harbor for breach notification, "electronic PHI must have been encrypted as specified in the HIPAA Security Rule by 'the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key' ... and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt."
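The guidance's two conditions, a key-based transformation and a key that was not itself obtained, can be checked mechanically for a lost or misused disc. The script below is an added example, not code from Med Center Health, HHS or ISMG: it writes a constructed billing export to a simulated CD as ciphertext plus a per-export data key wrapped under a key-encryption key (KEK) that stays on a separate key server, then asks whether whoever ended up with the disc can read it. The function names, the sample records, the key layout and the standard-library cipher (HMAC-SHA256 keystream with an HMAC tag, chosen only so the script runs without third-party packages; a real export tool should use a vetted AEAD such as AES-GCM) are all assumptions made for this illustration.

```python
"""Added example: the encryption safe harbor only holds when the person who
obtained the media cannot also obtain the key. Names, sample data, key layout
and the demo cipher are assumptions; this is not Med Center Health's code."""
import hashlib
import hmac
import secrets
from typing import List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys from one 32-byte master key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: adequate for a stdlib-only demo, not a
    # recommendation. Production exports should use AES-GCM or similar.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def export_to_media(records: bytes, kek: bytes) -> dict:
    """Write ciphertext plus a wrapped per-export data key (DEK) to the disc.
    The KEK never leaves the key server, which is the 'stored on a device or
    at a location separate from the data' condition in the OCR guidance."""
    dek = secrets.token_bytes(32)
    return {"ciphertext": encrypt(dek, records), "wrapped_dek": encrypt(kek, dek)}


def readable_by(media: dict, keys_in_hand: List[bytes]) -> Optional[bytes]:
    """Plaintext if any key the holder possesses unwraps the DEK; None means
    the holder has a low probability of assigning meaning to the data."""
    for key in keys_in_hand:
        try:
            dek = decrypt(key, media["wrapped_dek"])
            return decrypt(dek, media["ciphertext"])
        except ValueError:
            continue
    return None


def notification_required(media: dict, keys_in_hand: List[bytes]) -> bool:
    """Safe harbor applies only when the holder cannot read the media;
    an insider who can also obtain the KEK defeats it."""
    return readable_by(media, keys_in_hand) is not None


# Constructed sample billing export (not real patient data).
BILLING_RECORDS = b"name=J. Doe;ssn=000-00-0000;cpt=99213;charge=185.00\n"
KEK = secrets.token_bytes(32)        # assumed to live on the key server
WRONG_KEY = secrets.token_bytes(32)  # a guess by someone without key access
MEDIA = export_to_media(BILLING_RECORDS, KEK)

if __name__ == "__main__":
    # Disc stolen by an outsider: unreadable, safe harbor applies.
    print("outsider, notify?", notification_required(MEDIA, [WRONG_KEY]))
    # Disc taken by a staffer who can also obtain the KEK: readable, notify.
    print("insider, notify?", notification_required(MEDIA, [WRONG_KEY, KEK]))
```

The point Nahra makes about "encrypted in context" falls out of the last two lines: the ciphertext on the disc is identical in both cases, and what changes the answer is whether the KEK was within the holder's reach. Copying the KEK onto the same disc, or handing it to the employee who burned the disc, turns the export into plaintext for breach-notification purposes.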
More Insider Incidents
The Med Center Health breach is just the latest of several recent security incidents involving insiders at healthcare organizations.
For instance, on March 16, St. Charles Health System in Bend, Oregon, began notifying nearly 2,500 patients that a caregiver - over a period of about 27 months - was found to have accessed individuals' electronic medical records without authorization (see Why Insider Breach Prevention Needs to Stay Top-of-Mind).
Also, last week, an Alabama federal judge granted class-action status to a lawsuit filed against Flowers Hospital, where a former lab technician was sentenced in 2014 to two years in prison for identity theft that led to federal tax refund fraud.