Lessons from Business Associate Breach
Vendor's Stolen Laptop Affects 68,000
The recent theft of an unencrypted laptop from a healthcare business associate offers an important breach prevention reminder: Double-check the security measures your vendor partners take to protect patient information.
The device was stolen Nov. 14 from the locked car of an employee at Omnicell, which sells automated medication dispensing systems. The laptop contained information on more than 68,000 patients treated at three healthcare organizations that are Omnicell customers: Sentara Healthcare, Hampton Roads, Va.; South Jersey Healthcare, Vineland, N.J.; and University of Michigan Health System, Ann Arbor, Mich.
Each of the organizations has notified the affected patients, who include about 56,000 individuals treated at various Sentara hospitals and outpatient facilities; more than 8,500 patients of South Jersey Healthcare; and nearly 4,000 patients of UMHS.
The Omnicell laptop contained medication dispensing cabinet log files from those three organizations. An Omnicell statement said the files contained patient names, admissions records data and technical data about medication dispensing transactions from drug dispensing cabinets over a one- to three-week period. The data was downloaded by the employee while troubleshooting software for the hospitals.
The information, stored in engineering log files on the device, did not include any addresses, phone numbers, financial information or Social Security numbers, Omnicell said. Nevertheless, Omnicell is making free credit monitoring available to affected patients as a precautionary measure, a company spokesman told HealthcareInfoSecurity.
The incident serves as a reminder to healthcare organizations that encrypting their own mobile devices and following other breach prevention procedures are not always enough to safeguard patients' data. And even business associate contracts that spell out the use of encryption don't guarantee all devices will, in fact, be protected.
"Encryption was part of our arrangement with Omnicell," says Cheri Hinshelwood, a Sentara spokeswoman. "Omnicell has had an incredible record; we fully do not expect this will happen again."
UMHS spokesman Pete Barkey says the breach occurred because an Omnicell employee did not follow both UMHS' and Omnicell's policies and procedures to safeguard information on the laptop.
"This constitutes a violation of the UMHS Code of Conduct and our patient privacy policies, which all UMHS employees, contracted vendors and employees of vendors are regularly trained on and required to follow," Barkey says. "We have rigorous policies in place that our employees and third-party vendors must follow, and we always strive to be as rigorous as possible in making sure these are enforced. We continue to educate our entire workforce on the importance of following our comprehensive patient privacy policies."
Meanwhile, the Omnicell spokesman confirmed that the company's employees are being retrained on data security and privacy precautions. The Omnicell worker involved in the breach has been disciplined, but is still employed by the company, the spokesman said.
"The lesson from this incident is that contractual provisions requiring steps like encryption are valuable, but there is no guarantee that they will be followed," says Adam Greene, partner at law firm Davis Wright Tremaine LLP, and a former official at the HHS Office for Civil Rights.
"It remains important to consider protections such as indemnification should the business associate fail to comply with its contractual requirements," he suggests. "Additionally, while it is not realistic for a covered entity to audit the practices of each business associate, covered entities may consider whether some level of auditing - or requiring third-party auditing - is appropriate for some business associates, such as those with the most protected health information."
Still, the reality of yet another major breach involving a business associate is sobering, Greene acknowledges. "No matter what a covered entity does, it is likely that one of its business associates will eventually have a breach, and [they] should plan accordingly, including considering whether to insure against the risk," he adds.
Proposed HIPAA modifications clarify that business associates and their subcontractors must comply with the HIPAA Security rule. A final version of those modifications will be included in a long-overdue omnibus package of regulations (see: 2013 Healthcare Regulatory Outlook).
The final HIPAA modifications could put more pressure on business associates to ramp up their breach prevention procedures and policies.
"In all likelihood, OCR will not seek to enforce the [HIPAA] security rule against Omnicell because HHS has not yet published the omnibus rule," Greene says. "I think that it is likely that, after publication and the compliance date of the omnibus rule, OCR will consider whether an incident like this should lead to a financial settlement with the business associate."
Meanwhile, lost or stolen unencrypted devices continue to be the lead culprit in major breaches. Of all major breaches OCR reported on its so-called wall of shame, more than half involved lost or stolen unencrypted computing devices. About 20 percent of all major breaches have involved business associates (see: Breach Stats: Signs of Improvement?).