Court date set for nurse involved in privacy breach

By , May 23, 2013 8:09 am

While employees in the UK can seemingly only face fines for exceeding authorized access or stealing health information, that’s not the case in Canada. CBC News reports that a former Eastern Health employee has pleaded not guilty to unlawfully obtaining health information. The incident has drawn a lot of media attention since it was first disclosed.

CBC News reports that a five-day trial has been set for September for former employee Colleen Weeks, whose lawyer entered her plea of not guilty.


EEOC Gets Tough With Companies on Genetic Privacy

By , May 23, 2013 7:25 am

Sue Reisinger writes:

Earlier this month the U.S. Equal Employment Opportunity Commission filed—and quickly settled—its first lawsuit accusing an employer of gathering illegal genetic information during a job applicant’s medical exam. The agency followed it up last Thursday by filing its first class action suit against another employer on similar grounds.

The Genetic Information Nondiscrimination Act went into effect in 2009, and some individuals have sued companies under it. But not until this month did the government take official action to enforce GINA, as the law is called.

“Employers need to be aware that GINA prohibits requesting family medical history,” said David Lopez, general counsel of the EEOC, in a statement. “When illegal questions are required as part of the hiring process, the EEOC will be vigilant to ensure that no one be denied a job on a prohibited basis.”

Read more on Corporate Counsel.

UK: Man made redundant fined for stealing sensitive information

By , May 23, 2013 6:19 am

Infosecurity-Magazine.com reports on an insider breach where the consequences just don’t seem severe enough. The breach occurred on April 28, 2011, and was prosecuted by the Information Commissioner’s Office under Section 55 of the Data Protection Act:

When he learned that he was being made redundant from his position as Community Health Promotions Manager at a council-run leisure center, he emailed sensitive medical information on 2471 people to himself to help establish his own new company.

Paul Hedges managed the council-run Active Options GP referral service at the Bitterne Leisure Center, Southampton. This service allowed local GPs to refer patients with certain health conditions (such as obesity, diabetes, arthritis, and cardiac and mild mental health issues) to the leisure center for fitness training. The process required the transfer of some medical notes from the GP to the leisure center.

[...]

Yesterday at West Hampshire Magistrates Court he was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. Information Commissioner Christopher Graham used the incident to press his campaign for tougher sanctions. “This case shows why there is a need for tough penalties to enforce the Data Protection Act,” he said. “At the very least, behavior of this kind should be recognized as a ‘recordable offense’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated.”

[...]

Dan Worth of V3 also reports on the case. The Information Commissioner’s Office press release on the case can be found here.

Over here, this would be one of those “exceeding authorized access” charges, I think. Certainly, criminal charges could be brought here, and I would have liked to have seen criminal charges with possible jail time in this U.K. case, as this is theft of sensitive information for purposes of financial gain. I agree with the ICO that just financial penalties aren’t enough to deter.

In this case, the ICO did not find fault with Southampton Council, as reported by Infosecurity Magazine:

In this instance, an ICO spokesman told Infosecurity that it considered that the council had taken adequate precautions to protect the data, including limiting access to those with a ‘need to know’. Hedges, however, had that need for access, and the ICO decided that it was his illegal act rather than any negligence on the part of the council that was to blame.

What are the boundaries here, though? Should a data controller like the council have no responsibility for preventing an insider breach other than issuing login credentials to those authorized to access a database? I realize this happened in April 2011, but should councils be expected to have protections in place that would prevent the extraction of data via email attachments to employees’ personal email accounts? What’s reasonable to expect of data controllers?

Idaho State University Settles HIPAA Security Case for $400,000

By , May 21, 2013 6:44 pm

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic. That breach was reported on this blog in August 2011.

ISU operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics. Between four and eight of those ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred.

The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring:

i. ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;

ii. ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and

iii. ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.

OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.”

ISU has agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of required HIPAA Security Rule protections at each of its covered clinics.

The Resolution Agreement does not constitute an admission of liability by ISU.

SOURCE: HHS


More additions to HHS’s breach tool

By , May 21, 2013 6:34 pm

Two updates within a week? The HHS breach tool is getting a workout. Here is what was added today:

Sovereign Medical Group, LLC in New Jersey reported that 27,800 were affected by a breach on October 10, 2012. HHS’s breach tool codes the incident as “Theft, Hacking/IT Incident, Network Server,” which probably means a hack, but I’ve found no media coverage of this breach and have sent them an inquiry.

South Jersey Hospital Inc. disclosed in January that they were affected by the Omnicell breach reported previously on this blog. Why their report to HHS is first appearing on HHS’s breach tool is unclear to me: were they late in notifying HHS, or did HHS delay posting this while they investigated? HHS has informed me in the past that they do not add incidents to the breach tool until they’ve done a preliminary verification of certain details. Looking at the other entries in this latest batch, my guess is that HHS delayed posting these incidents while they investigated.

Hawaii State Department of Health, Adult Mental Health Division disclosed a breach in October 2012 that is also first appearing on HHS’s breach tool. According to the entry, 674 clients were affected by a hack that occurred on September 25, 2012.

L.A. Care Health Plan in California reported that 18,000 were affected by an unspecified breach that occurred between September 17 and September 20, 2012. That breach had previously been reported on this blog and involved a mailing error that sent members’ IDs to the wrong addresses.

Calvin Schuster, MD of California reported that 532 patients had data on a computer stolen November 14, 2012. That breach was previously reported on this blog. Somewhat confusingly – or perhaps it’s a typo on HHS’s tool or in the doctor’s letter to patients – the log entry shows the theft occurred on November 14, while Dr. Schuster’s letter to patients says they learned of the breach on November 5.

SilverScript Insurance Company in Arizona, a CVS Caremark company and Medicare Part D Plan insurer, reported a breach affecting 852 patients on October 31, 2012. That breach involved paper records, and might be a mailing error, but I can find no documentation of this breach available online.

Raleigh Orthopaedic Clinic in North Carolina’s breach affecting 17,300 patients was also added to the breach tool. That incident, involving stolen x-rays, was previously reported on this blog.