The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently announced that the Advocate Health Care Network has agreed to pay a $5.55 million settlement for multiple HIPAA violations related to a massive 2013 breach of electronic protected health information (ePHI).
The settlement, the largest HIPAA fine ever levied against a single entity, is due to the extent and duration of the violations (four unencrypted computers containing patient information were stolen) and the large number of people affected (approximately 4 million), according to the OCR.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," OCR director Jocelyn Samuels said in a statement. "This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
According to the OCR's investigation, Advocate failed to:
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
- implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
- obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
- reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
CyberGRX CEO Fred Kneip told eSecurity Planet by email that the fine is yet another sign that the current approach to mitigating third-party risk isn't working. "Enterprises are more and more beginning to realize that the growing reliance upon and interconnectivity with third parties, while critical to compete in a global marketplace, also poses significant cyber risk," he said. "The information security posture of third parties must be measured, monitored and viewed as part of their extended ecosystem of responsibility."
And the breaches keep happening. Blue Cross and Blue Shield of Kansas City recently began notifying approximately 790,000 current and former members that their personal information may have been exposed by a data breach at third-party healthcare ID card provider Newkirk Products, the Kansas City Star reports.
Newkirk Products, which acknowledged on August 5 that a server containing personal information had been hacked, noted that no health plans' systems were directly accessed.
However, the company stated that potentially affected clients, in addition to Blue Cross and Blue Shield of Kansas City, also include Blue Cross Blue Shield of North Carolina, HealthNow New York, BlueCross BlueShield of Western New York, BlueShield of Northeastern New York, and Capital District Physicians' Health Plan, and, through Newkirk's relationship as a service provider to DST Health Solutions, Gateway Health Plan, Highmark Health Options, West Virginia Family Health, Johns Hopkins Employer Health Programs, Priority Partners Managed Care Organization and Uniformed Services Family Health Plan.
The breach, which first took place on May 21, was discovered on July 6. "Newkirk shut down the server, started an investigation into the incident and hired a third party forensic investigator to determine the extent of the unauthorized access and whether the personal information of its clients' members may have been accessed," the company said in a statement.
The data potentially exposed includes health plan members' names, mailing addresses, plan types, member and group ID numbers, names of enrolled dependants, primary care providers, and in some cases, birthdates, invoice information and Medicaid ID numbers.
A recent eSecurity Planet article suggested five best practices for reducing third-party security risks.