HIPAA/HITECH , Incident & Breach Response , Security Operations
Dumped Records Case Illustrates BA RisksIncident Shows Why Business Associates Are a Big Worry
The 2015 Healthcare Information Security Today survey shows that the No. 1 threat respondents are most concerned about today is business associates taking inadequate security precautions. And a recent incident in Chicago involving 10-year old medical records found discarded in a dumpster illustrates why there's so much concern about BAs.
See Also: A Guide to Passwordless Anywhere
Hundreds of pounds of paper medical records belonging to patients of Suburban Lung Associates, a Chicago-area healthcare provider, were discovered in a dumpster outside the building of FileFax, a Northbrook, Ill., records storage vendor hired by the clinic to retain and then properly destroy the documents, reports a local CBS TV station.
A Suburban Lung Associates spokeswoman tell Information Security Media Group that the undetermined number of records are "isolated to 2004," and were supposed to be destroyed by the medical provider's vendor because the documents are more than 10 years old. In addition, Suburban Lung Associates since 2004 has migrated to electronic health records, she says in a statement.
"Upon learning that some information about previous patients may have been compromised as a result of actions by a third-party vendor, we immediately began an active investigation," the spokeswoman says.
"Suburban Lung Associates, like many healthcare providers, relies on reputable third-party vendors to retain and, when appropriate, securely destroy patient records. Suburban Lung Associates' policy with the vendor involved in this situation specifically mandates that all records be destroyed before they are discarded. We are investigating what may have occurred in this instance and are taking further steps to prevent a recurrence."
The organization is working with law enforcement "to assess the situation," according to the statement.
FileFax did not respond to ISMG's request for comment.
The Chicago TV station reported that after receiving a tip about the recent discovery of medical charts by a "dumpster diver," a reporter also found a FileFax company dumpster filled with medical records that should have been shredded or destroyed before disposal. "There were even medical records left in a parked company car which could easily be read by anyone walking nearby," the station reports, adding that the Department of Health and Human Services and Illinois attorney general's office are both investigating the incident.
The Illinois attorney general's office did not respond to ISMG's request for comment.
A spokeswoman at the HHS' Office for Civil Rights, which investigates HIPAA breaches, would not comment about "current or potential" investigations as "a matter of policy."
Improper disposal of protected health information have resulted in OCR enforcement actions in the past. For example, OCR last June announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician's home.
Meanwhile, when it comes to potential breaches involving vendors, business associates taking inadequate security precautions for PHI was named by nearly 30 percent of respondents of the recent 2015 Healthcare Information Security Today survey as the top threat facing their organizations today, making it the No. 1 perceived threat. That was followed by worries related to mobile devices, as well as mistakes by employees and record snooping.
A complete report and webinar about the 2015 Healthcare Information Security Today survey results will be available soon.
The HHS "wall of shame" tally of health data breaches affecting 500 or more individuals shows that of the 1,149 incidents listed as of March 3, which affected a total of nearly 41.2 million individuals, nearly 24 percent involved business associates. However, those breaches involving business associates affected 22.5 million individuals, or more than 54 percent of the victims impacted by all major breaches.
Since ISMG prepared its last snapshot of the federal breach tally on Jan 26, there's been a decrease in the total number of incidents and individuals affected by breaches appearing on the wall of shame. On Jan. 26, there were 1,199 breaches affecting nearly 41.53 million individuals listed on the federal site.
The OCR spokeswoman tells ISMG that "in the recent maintenance of the breach portal, OCR found discrepancies in the data which have been modified and corrected. This led to the decrease in published cases."
She adds: "There are now additional search fields for either submission date or breach date. These new fields were added to provide the public with additional search options."
Anthem Not on Tally Yet
So far, the Anthem Inc. hacking breach affecting 78.8 million individuals, which the health insurer revealed on Feb. 4, is not posted on the HHS site. HHS adds incidents to its tally after the details are confirmed by investigators.
An incident affecting 2 million individuals and involving Xerox Corp., a business associate of Texas Health and Human Services Commission, remains on the tally, however, even though the state dropped its breach-related lawsuit against Xerox on Feb. 9. A Texas HHSC spokeswoman told ISMG that the state agency dropped the data dispute lawsuit against Xerox "after the state and Xerox reached an agreement for protecting the confidential information." She notes, however, that the state can bring legal action "if the agreement is violated" (see Texas Drops Xerox Breach Lawsuit).