Old IT Project Raises New Concerns for 1,400 Organizations

Data Registry Test Mishap Potentially Affects Up to 98,000 Patients
A recently discovered data security incident at the American College of Cardiology, which potentially affected nearly 98,000 patients at 1,400 medical institutions, points to the need to refrain from using real patient data in test environments, as well as the importance of properly securing those environments.
ACC, a professional organization that focuses on education, research, quality care and health policy, discovered in December that between 2009 and 2010, during the redesign of its national cardiovascular data registry, patient information from 1,400 institutions was accidentally exposed to a third-party software vendor in the project's test environment. News about the ACC incident spread after Sacred Heart Health System in Pensacola, Fla., one of the affected institutions, issued a public statement on April 11 about the breach affecting its patients.
On average, each of the affected institutions had fewer than 70 patients impacted by the incident, an ACC spokeswoman tells Information Security Media Group. But some organizations had hundreds of patients affected by the breach. For example, Sacred Heart Health System says it's notifying 523 patients.
Under HIPAA, breaches affecting 500 or more individuals must be reported by covered entities to the Department of Health and Human Services and affected individuals within 60 days of discovery. Those major incidents are also listed on the HHS' Office for Civil Rights "wall of shame" website.
Some security experts say mishaps involving the exposure of patient data during test projects are relatively frequent.
"I think it happens a lot more ... than we realize," says David Finn, health IT officer at the security consulting firm Symantec, and a former healthcare system CIO.
When developing or implementing new IT systems, "a lot of organizations want to test with data as close to real data as possible," he says. "They'll move subsets of data from the lab or PACS systems to test [in another system] not realizing that [unauthorized individuals] looking at the live data could be a breach, depending upon the relationship you have with those vendors and what they're actually doing with the data. You have to think about the data and the value it has to patients if it were to get out."
Some software tools can help organizations protect data in test environments, he notes. "The tools don't de-identify [the patient data], but change it so ... it isn't traceable information. You'll get the same data mix, but none of it will be tied to a real person anymore."
The ACC registry collects quality reporting data from hundreds of hospitals and other medical institutions around the country. Back in 2009 and 2010, the redesign testing environment used "fabricated" patient data for about 250 tables. But one table mistakenly was populated with data for real patients, the ACC spokeswoman says.
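The following is an added illustration, not code from ACC or from the article, of the two points above: the masking Finn describes (same data mix, no link to a real person, joins between tables still work) and a promotion gate that would have flagged the one table that was loaded with live rows. It assumes a hypothetical two-table registry built from constructed rows and a placeholder per-environment secret.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample rows standing in for two registry tables (fictitious people, not real data).
REAL_PATIENTS = [
    {"patient_id": "MRN-1001", "name": "Alice Example", "dob": date(1951, 3, 14), "ssn": "123-45-6789"},
    {"patient_id": "MRN-1002", "name": "Bob Sample", "dob": date(1962, 7, 2), "ssn": "456-78-9012"},
]
REAL_PROCEDURES = [  # second table that references patients by patient_id
    {"patient_id": "MRN-1001", "procedure": "PCI"},
    {"patient_id": "MRN-1002", "procedure": "CABG"},
]

def mask_id(patient_id, secret):
    """Keyed tokenisation (HMAC-SHA256): the same real ID maps to the same token in every
    table, so joins still work, but the token cannot be reversed without the secret."""
    return "TST-" + hmac.new(secret, patient_id.encode(), hashlib.sha256).hexdigest()[:10].upper()

def mask_patient(row, secret, rng):
    """Replace direct identifiers but keep the data 'mix': DOB shifted by up to +/-180 days so the
    age distribution survives; SSN keeps its format but uses the 900-999 area range, which SSA never issues."""
    token = mask_id(row["patient_id"], secret)
    return {
        "patient_id": token,
        "name": "Patient " + token[-4:],
        "dob": row["dob"] + timedelta(days=rng.randint(-180, 180)),
        "ssn": "9%02d-%02d-%04d" % (rng.randint(0, 99), rng.randint(1, 99), rng.randint(1, 9999)),
    }

def build_test_env(secret, seed=0):
    """Produce masked copies of both tables for the test environment (seeded for repeatable runs)."""
    rng = random.Random(seed)
    return {
        "patients": [mask_patient(r, secret, rng) for r in REAL_PATIENTS],
        "procedures": [dict(r, patient_id=mask_id(r["patient_id"], secret)) for r in REAL_PROCEDURES],
    }

def find_real_identifiers(test_tables, identifier_rows):
    """Promotion gate: scan every string field of every test table for any real name, SSN or
    patient ID taken from the production identifier rows. Returns (table, row_index, field) hits."""
    real_values = {v for r in identifier_rows for v in r.values() if isinstance(v, str)}
    return [(table, i, field) for table, rows in test_tables.items()
            for i, row in enumerate(rows) for field, v in row.items()
            if isinstance(v, str) and v in real_values]

if __name__ == "__main__":
    env = build_test_env(b"per-environment-secret")  # placeholder secret, never the production key
    print("clean env hits:", find_real_identifiers(env, REAL_PATIENTS))
    env["patients"] = REAL_PATIENTS                   # simulate the one table that kept live rows
    print("mishap hits:", find_real_identifiers(env, REAL_PATIENTS))
```

Run the gate against every table before a vendor or developer is granted access; a non-empty result means live identifiers reached the test environment.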
The issue was identified by an ACC staff member in December during a demonstration of software that was still in development, she says. "All [affected] institutions have been notified. They were contacted early in 2016."
Protected health information inadvertently exposed to the project's software vendor included patient names, dates of birth and Social Security numbers. But because the data was accessible only to the software vendor, "the chances of this information being in the wrong hands are slim," the ACC spokeswoman says.
Under HIPAA, ACC is considered a business associate of the institutions affected by the incident, and the third-party software vendor is a business associate of ACC, she says. It's up to the discretion of each impacted covered entity to notify its affected patients and HHS, she contends.
ACC would not disclose to ISMG a list of the institutions affected by the incident "due to confidentiality agreements with them," she says. So far, at least one affected organization - Sacred Heart Health System - has issued a statement about the incident.
"Based on ACC's investigation, we have no reason to believe that patient information has been used inappropriately," Genevieve Harper, staff attorney and privacy officer for Sacred Heart, said in the statement. "However, out of an abundance of caution, we have informed the patients of the disclosure so they might take steps to review credit reports and bank accounts for any misuse of their information."
As part of its participation in ACC's national cardiovascular data registry, Harper said, "Sacred Heart enters data on cardiovascular patients and procedures into the registry and uses the national data in order to measure and improve the quality of cardiovascular care the hospital provides."
Sacred Heart says it was notified on Feb. 16 by ACC that PHI of 532 patients, including names, dates of birth, Social Security numbers and internal patient identification numbers, had been inadvertently made accessible to an ACC software developer, Harper's statement notes.
"When ACC discovered this issue, it immediately terminated the vendor's access to the patient data," Harper's statement says. "ACC also obtained a written attestation from its vendor that the patient data has been destroyed and that the vendor did not retain copies. The software developer has also attested that its staff used the data only for purposes of their work for ACC."