Patient Information Exposed on Google
Business Associate Blamed for Security Lapse
Some 32,500 patients of Cottage Health System in California apparently had their personal and health information exposed on Google for 14 months because of a lapse in a business associate's protections for one of its servers, the provider organization says.
The incident shines a light on the complexities of business associate liability under the HIPAA Omnibus Rule, security experts say. For example, it's not crystal clear whether the business associate in this case could potentially face penalties for HIPAA violations.
Cottage Health, which operates five hospitals in the Santa Barbara area, discovered the breach on Dec. 2 after it "received a voice mail message informing it that a file containing personal health information of certain patients may be available on Google," according to a Dec. 11 letter sent by the organization's attorney to California Attorney General Kamala D. Harris.
Upon investigation, "Cottage Health discovered that Insync, a third-party vendor for Cottage Health and its affiliated hospitals, Goleta Valley Cottage Hospital, Santa Barbara Cottage Hospital, and Santa Ynez Valley Cottage Hospital, appeared to have, without Cottage Health's knowledge, removed electronic security protections from one of its servers, resulting in the exposure of a file containing certain personal health information stored in the server," the letter states.
"Further investigation revealed that the vendor had removed the security protections on or about Oct. 8, 2012. The server was taken offline immediately on Dec. 2," according to the letter, which does not specify what security protections were removed by Insync. The provider organization also requested that Google remove the file from its systems.
The exposed file contained personal and healthcare information about patients treated at the three hospitals between Sept. 29, 2009, and Dec. 2, 2013, the letter notes. That includes names, addresses, dates of birth, medical record numbers, account numbers, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved.
In a statement posted on its website, Cottage Health says it's offering affected patients access to identity restoration services through ID Experts "to assist the impacted population in the unlikely event that any exposed information may be misused."
Cottage Health is conducting an audit of its security protocols, reviewing service relationships with third-party vendors, expanding and increasing the frequency of internal and external security checks and enhancing its "change notification system," according to its letter to the attorney general.
Neither Cottage Health nor Insync responded to Information Security Media Group's request for comment.
A Common Problem?
Breaches that involve protected health information becoming inadvertently available on the Internet are relatively common, notes privacy and security attorney Stephen Wu, a partner at Cooke Kobrick & Wu LLP, who is not involved in the Cottage Health case.
For example: Stanford Hospital & Clinics in September 2011 reported a breach involving a BA's subcontractor mistakenly posting health information about 20,000 patients on a website.
In the Cottage Health case, Wu says, "The question is why wasn't it configured properly, why wasn't the document password protected? In 2013, you'd think people would realize that Google is crawling so many sites, there are no excuses" for posting files containing PHI on websites. "This is a design failure, and a training failure."
Complex BA Issues
The Cottage Health incident raises a number of complex issues on how federal regulations apply to the business associate, says Helen Oscislawski, founder of Attorneys at Oscislawski, a healthcare law firm not involved in the case.
Under the HIPAA Omnibus Rule, which has been enforced since Sept. 23, business associates are directly liable for HIPAA compliance. And under HIPAA, BAs must notify the covered entity they serve if a breach occurs. A BA could potentially be assessed penalties by the Office for Civil Rights for noncompliance with HIPAA or the breach notification rule if it falls short of meeting its requirements, Oscislawski notes.
Because the alleged removal of security protections by the BA took place in October 2012, "it is not likely that OCR could assess the BA penalties for falling short of meeting the standards in the HIPAA Security Rule," she says. "But OCR can make a determination as to whether Insync notified Cottage of the breach in a timely manner after Sept. 23, 2013. OCR can also evaluate and make a determination as to whether Insync took reasonable steps as part of its security program between Sept. 23, 2013 and Dec. 2, 2013, to discover this potential breach."
If OCR determined that Insync fell short on its HIPAA Security Rule obligations since Sept. 23, "then OCR certainly can decide to assess penalties for this shortcoming in this window," she notes. "Similarly, if OCR determines that Insync should have reasonably discovered this breach earlier than Dec. 2, 2013 - for example between Sept. 23, 2013, and Dec. 2, 2013 - then it could also assess penalties against Insync for falling short on the security breach notification rule requirements to notify the covered entity without unreasonable delay of a breach."
Any potential penalties that could be assessed against Insync for HIPAA noncompliance would extend to Cottage Health only if OCR determines that Insync was acting as an 'agent' under the HIPAA rules, the attorney explains. "If it was acting as an 'agent' of Cottage, then all of this BA's shortcomings would be as if the CE did them and the CE could be assessed penalties as well," she says.
If the business associate is not found to be an agent of Cottage, then the HIPAA violations should, for the most part, be contained to Insync because a covered entity does not have the obligation to take any action to notify patients until it learns of the breach from a BA. "Therefore, presuming Cottage only learned of the potential issue on Dec. 2, 2013, then as long as it notified patients in a timely manner, it can still meet its breach notification obligations even though this potential breach took place over a year ago," Oscislawski says.
The attorney notes, however, that a business associate breach can lead OCR to also take a closer look at the covered entity's HIPAA compliance program. "And this often uncovers shortcomings in the covered entity's program as well," she adds.
While large breaches involving BAs have, so far, declined slightly in 2013 compared to 2012, according to an analysis of breaches listed on the Department of Health and Human Services' "wall of shame" website, BAs have been involved in about one-fifth of major breaches since 2009 (see Breach Trend: Fewer Business Associates).
Independent security consultant Brian Evans predicts there will be an uptick in the reporting of breaches tied to business associates once BAs adjust to their HIPAA Omnibus compliance obligations, including the modified breach notification rule.
"As BAs move from a reactive mode to a more formal and mature information security program, it's only logical that more security incidents will be identified and reported," he says.
"In working with BAs, I'm finding that they are fully aware of their compliance obligations but lack the funding, staffing and security experience to adequately address them," he notes.
Evans points out that covered entities can take several steps to help prevent breaches involving their BAs.
"Healthcare organizations need to have plans in place for analyzing, controlling and managing BA risk," he says. That includes completing risk assessments, conducting due diligence on BAs before entering a contract and careful ongoing monitoring of vendors, he says.
"Direct compliance with all of the safeguards and documentation requirements of the HIPAA Security Rule is a mandate, and your patients and regulators are going to begin asking you to show them, not just tell them, that you are in good standing."