Compliance is a big deal, and violating the Health Insurance Portability and Accountability Act (HIPAA) is a bigger one, as the state of Alaska just learned the hard way. The case began back in October 2009, when a portable USB hard drive was stolen from a car belonging to an employee of Alaska's Department of Health and Social Services (DHSS). It potentially contained the personal information of 501 Medicaid patients.
The drive was not encrypted, and DHSS could not be certain whether it held electronic protected health information (ePHI). Because HIPAA requires covered entities to safeguard ePHI and to train their workforce to do so, and because a breach affecting 500 or more individuals must be reported, DHSS erred on the side of caution and filed a breach report with the US Department of Health and Human Services (HHS). Had the drive been encrypted, the loss would not have counted as a reportable breach at all: the Breach Notification Rule treats properly encrypted ePHI as unreadable and therefore "unsecured" PHI is never at issue.
The report triggered an investigation by the HHS Office for Civil Rights (OCR), which found that DHSS lacked sufficient policies and procedures to protect ePHI. OCR identified gaps in risk analysis and risk management, in workforce security training, and in device and media controls, including the absence of encryption. As a result of these deficient practices, DHSS agreed to pay $1.7 million to settle the potential HIPAA violations.
Moving forward, DHSS also agreed to a corrective action plan to prevent this kind of leak from happening again. It's easy to see how a string of seemingly small mistakes, an unencrypted drive, no inventory of what was on it, no media-handling policy, can turn one stolen device into a reportable breach and a seven-figure settlement. Although one might expect governments to take data protection more seriously than most, this case shows that data protection standards need to be raised across all sectors, including government, corporations, and education.
All in all, it’s difficult to tell if we’re actually making progress when it comes to data protection. What do you think? Are we getting any better?