Notifying patients about a healthcare information breach requires a "difficult balancing act" by entities to ensure that risks are not exaggerated, says attorney Robert Belfort, an expert in HIPAA compliance, fraud and abuse.
As legal issues surrounding data breaches become increasingly complex, more organizations are turning to attorneys for post-breach response, says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams.
Healthcare organizations should carefully document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs, says Dawn Morgenstern, privacy official at the Walgreens national drugstore chain.
A key to developing a successful data breach prevention, detection and notification program is to gain buy-in from senior management and board members, says Bob Krenek of ExperianÂ® Data Breach Resolution.
The ongoing delay in the release of final versions of HIPAA modifications and the HIPAA breach notification rule makes it more difficult for healthcare organizations to set information security investment priorities, says hospital privacy officer Kari Myrold.
Virtual Radiologic Professionals, LLC notified individuals about a stolen laptop taken from an employee's car. By corporate policy, the laptop's hard drive was supposed to be encrypted, but something went wrong.
Sutter Health, an integrated delivery system that was in the process of encrypting all its desktop computers, reports that a device that had not yet been encrypted was recently stolen, affecting more than 4.2 million patients.
Servers at Virginia Commonwealth University were recently hacked, potentially exposing Social Security numbers for more than 176,000 faculty, staff, students and affiliates at the university and the VCU Health System.
Just four months after agreeing to pay an $865,000 penalty for a series of HIPAA violations, UCLA Health System has revealed a breach incident involving the theft of an external hard drive from a former employee's home.
A health and financial information breach that may have affected as many as 10,000 patients at a Kansas hospital illustrates yet again that the actions of a business associate's subcontractor can have a major potential impact on patient privacy.
One reason why so many healthcare organizations are not well-prepared to counter security threats is that "key leadership has not bought into the whole process," says Bob Krenek of ExperianÂ® Data Breach Resolution.
Penetration tests that demonstrate how an unauthorized user could gain access to patient information can be effective in winning support for a bigger information security budget, says David Kennedy of Diebold, Incorporated.
TRICARE, the military health program, has directed its business associate, Science Applications International Corp., to offer one year's worth of free credit monitoring and restoration services to the 4.9 million affected by a recent breach.