Breach Report: Sometimes, Encryption Is Still OverlookedStolen Laptop Contained Patient Data on Thousands
In the first years following implementation of the HIPAA Breach Notification Rule in 2009, incidents involving lost or stolen unencrypted devices dominated the health data breach tally. But in recent years, such cases have been relatively rare.
This week, however, a Medicaid coordinated care organization in Oregon reported the theft of an unencrypted laptop containing information on more than 654,000 of its members, offering a stark reminder that after all these years, encryption sometimes is still overlooked.
Portland-based Health Share of Oregon says that on Jan. 2, it learned that the laptop computer was stolen from the office of its former non-emergency medical transportation vendor, GridWorks, in a Nov. 18, 2019, break-in.
Health Share, the state's largest Medicaid coordinated care organization, says member information contained on the stolen GridWorks laptop includes member names, addresses, phone numbers, dates of birth, Social Security numbers and Medicaid ID numbers.
The organization says it has not seen any indication that the information contained on the stolen computer has been accessed or used by unauthorized individuals. It's offering those affected a year of prepaid identity monitoring services, including credit monitoring, fraud consultation and identity theft restoration.
Not-for-profit Health Share of Oregon coordinates health plans and services for Medicaid members in the Portland area and is one of 15 "coordinated care organizations" that provide local services and care coordination for Oregon Health Plan (Medicaid) members, a spokeswoman for the organization says.
As of Thursday, the breach reported by Health Share of Oregon did not appear on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals.
If HHS' Office for Civil Rights confirms the details of the incident and posts it on its website, it will be the seventh largest breach since 2009 involving a lost or stolen unencrypted computing device. It also would be the largest breach of its kind reported since 2014.
If an encrypted device containing patient data is lost or stolen, that's not considered a reportable breach under HIPAA as well as many state breach reporting rules.
The Oregon laptop theft incident shines a spotlight on the issue of vendor risk management.
GridWorks had previously served as Health Share's contracted non-emergency medical transportation vendor under Health Share's "Ride to Care" program.
In statements posted on GridWorks' website, the transportation firm indicates that it has been struggling financially for about two years and has been under court appointed receivership since Dec. 18.
"This is a discouraging breach, since it seems as though it could easily have been avoided by applying common security controls."
—Kate Borten, The Marblehead Group
"Since its launch in June of 2018, GridWorks has encountered significant financial difficulties. Those difficulties became severe in November when GridWorks learned that it did not win its [latest] bid for the Ride to Care contract" from Health Share, the GridWorks statement says.
"Under the circumstances it became clear that GridWorks could not continue in business. The company was unable to pay its debts as they became due, rendering it insolvent."
Closing the company down in a Chapter 7 bankruptcy would have disrupted vital medical transportation services to the Health Share community, the company adds. "Instead, GridWorks and Health Share worked out a receivership solution to enable a smooth transition of non-emergency medical transportation services from GridWorks to CareOregon and its partners."
CareOregon is a not-for-profit community benefits company involved in health plan services that partners with Health Share of Oregon.
In a statement provided to Information Security Media Group, GridWorks says several items, including laptops, were stolen in the break-in, which is under police investigation. "GridWorks deeply regrets any concern or inconvenience this incident may cause, and remains committed to protecting the confidentiality and security of the information it maintains. GridWorks has enhanced its security in response to this incident, including both electronic and physical improvements."
The Health Share of Oregon spokeswoman tells ISMG that Health Share earlier in 2019 decided not to renew its contract with GridWorks. "That decision happened before the [laptop] theft, so that was not part of the decision."
All Health Share of Oregon contracted entities that handle protected health information are required to encrypt and secure devices, she notes. "Regardless, the incident impacts Health Share members, and we're working quickly to ensure they have access to identity monitoring services," she adds.
Health Share performs oversight - such as audits - on a regular basis, the spokeswoman says. "We are taking steps to expand and enhance audits and oversight of our contracted entities to ensure enforcement of privacy and security requirements."
HIPAA Compliance Issues
The Oregon case highlights significant areas of apparent HIPAA noncompliance, security experts say.
"This is a discouraging breach, since it seems as though it could easily have been avoided by applying common security controls," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Mobile devices should encrypt data stored locally. Further, large data files or databases should be maintained on secure servers instead of on a personal device where it is more vulnerable to breach. The fact that GridWorks appears to lack such basic security - suggesting multiple areas of significant HIPAA noncompliance - points to why the company is in receivership and no longer has the contract with Health Share."
Privacy attorney David Holtzman of the security consultancy CynergisTek offers a similar assessment.
"Considering the frequency of lost laptops, smartphones and other devices on which personally identifiable information may be stored, encryption of these types portable or mobile devices is as close to a no-brainer solution as it gets. Accidents happen. People lose stuff. People steal stuff. And that's never going to change," he says.
"Organizations that are committed to safeguarding their data are including these vulnerabilities in their risk based approach to information security."
Healthcare organizations should perform risk assessments of their vendors' information security practices and safeguards, he stresses.
"The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination. Just as important is to require a vendor to identify and perform vendor management assessment of the subcontractors or vendors they hire to create or maintain your organization's personally identifiable data."
No Free Passes?
Holtzman adds that the receivership status of GridsWorks doesn't necessarily excuse the company from enforcement actions by regulators.
"Whatever protection ... that would apply to Gridworks [status] should not stand in the way of OCR, state attorneys generals or other federal and state regulatory bodies investigating the incident or attempting to seek enforcement remedies," he notes.
In 2018, OCR signed a $100,000 HIPAA settlement with Filefax, a medical records storage firm that had gone out of business and was under receivership. At the center of the settlement was a 2015 "dumpster diver" breach affecting more than 2,000 patients.