David Holtzman was recently interviewed by Marianne Kolbasuk McGee of Information Security Media Group about The Arc of Erie County, which suffered a data breach that impacted more than 3,000 individuals. The office of Barbara Underwood, New York state attorney general, recently announced a $200,000 HIPAA settlement and corrective action plan for the organization. Below is the full interview.
Marianne: We’ve seen other HIPAA breach cases involving patient information that was accessible on the web, including via search engines. Why do those kinds of breaches keep happening – for instance, is it a matter of misconfigured settings? Something else? How can CEs and BAs prevent these mishaps?
David: It seems as if the management team at ARC did not have the appropriate measures in place for their information systems. Any organization that handles sensitive personal information should perform an enterprise-wide risk assessment to analyze the threats and vulnerabilities to their data. Then use the risk assessment findings to create an action plan to prioritize the high-risk compromises to the information systems first. Make it a management imperative in your organization to follow through on investment and attention to information security.
Marianne: The PHI appears to have been accessible on the web for three years, and the Arc of Erie County found out about it through a tip from the public. Any suggestions for how this incident could’ve been caught much sooner?
David: If the Arc of Erie County had performed a penetration test, they would have found that their information system was open and accessible to the internet. These tests are extremely vital to any organization and should be part of an enterprise-wide information security risk analysis.
Marianne: NYS’s previous AG Eric Schneiderman resigned earlier this year, but before he resigned, his office issued a variety of breach-related enforcement actions, including this year a $1.15 million settlement with Aetna and a $575,000 settlement with Emblem Health for separate data breaches. This latest settlement with Arc of Erie County was issued by Schneiderman’s successor, NYS AG Barbara Underwood. So it appears that the NYS AG’s office is continuing with its enforcement for security incidents even under new leadership. With that said: The last HIPAA settlement we’ve seen from HHS OCR was in June, and in total, there have only been 3 HIPAA enforcement actions from OCR in 2018 so far. How likely do you think it is that we’ll see more HIPAA enforcement actions by state AGs, versus OCR, in the next few years (under the Trump administration)? Think state AGs will pick up any potential slack in HIPAA enforcement actions if OCR decreases its HIPAA enforcement activities (especially settlements and CMPs)?
David: A number of states have been adopting new data protection standards and breach reporting requirements. These new laws require companies to protect personal health information that would not be protected by HIPAA. A number of state attorneys general are bringing enforcement actions under HIPAA and state law requirements to protect consumer information from unauthorized disclosure.
Marianne: Besides NYS, any other state AGs offices that you potentially think could be/are actively enforcing HIPAA with these kinds of settlements?
David: The NY-OAG has teams of experienced investigators and attorneys to investigate companies doing business in New York. It is difficult to generalize the impact of an individual attorney general on the enforcement activity in their state. For example, California’s attorney general has followed a tradition of vigorous enforcement of state information privacy laws, which authorize the office to require organizations that hold personally identifiable information to have proper safeguards and to notify individuals right away when there has been a breach.
Marianne: Any advice to CEs and BAs related to the HIPAA enforcement climate these days, and looking ahead to next year? Any other comments, observations about the Arc of Erie settlement/breach case in NYS?
David: Children are most vulnerable to identity theft because they are unaware of the warning signs that someone is trying to get access to their personal information. For example, children are not likely to receive notices from government agencies about applications for benefits using their Social Security number, get a notice from the IRS that they didn’t pay income taxes or that the child’s Social Security number was used on another tax return, or get collection notices or bills for products or services they didn’t receive. The information compromised through this security incident is especially sensitive because it can expose the individual to significant financial fraud or harm to their reputation. When personal information like this is collected, the organization needs to set up appropriate measures and secure this information so that only a minimal number of people within the organization can access it. There is no need to create duplicates of sensitive PII, and it’s best to securely delete electronic files that are no longer needed.
Visit Healthcare Info Security to read the full blog post.