The U.S. government recently took a big swing at the medical community’s insufficient risk analysis and assessment protocols when it dealt a landmark $50,000 fine to the Hospice of Northern Idaho. The penalty, the first of its kind, was doled out by the Department of Health and Human Services’ Office for Civil Rights (OCR) as a result of an investigation into the theft of a laptop containing large amounts of highly sensitive patient data.
The incident occurred on the weekend of June 18, 2010, after a nurse with the Hayden, Idaho center left the laptop inside her car while parked in her driveway. The still unidentified thief broke into the car and stole the unencrypted laptop along with the electronic protected health information belonging to several hundred patients contained inside.
Patient data in the open
Of major concern over the incident is the stolen laptop’s lack of sufficient encryption and layered security. While the exact details of its data security remain unknown, authorities were alarmed by the possibility that the thief could access huge chunks of highly sensitive data relating to 441 of the center’s patients, including Social Security numbers, prescriptions, and diagnoses. Hospice authorities have noted that since the 2010 theft, there has been no further evidence of the data having been compromised.
The investigation launched by the Office for Civil Rights found that hospice authorities failed to adequately assess the risk of transporting equipment containing patient data outside hospice grounds. This failure was found to be in violation of the Department of Health and Human Services’ Health Insurance Portability and Accountability Act (HIPAA) Security Rule. First proposed in 1996, the HIPAA Security Rule was established in order to set nationwide standards for protecting patients’ medical information.
Setting an example
The Hospice of Northern Idaho could have been facing a much stiffer penalty, but because the security breach affected fewer than 500 people, it was subject to a lesser fine. Fines for breaches involving greater numbers of individuals can range from $100,000 into the millions. The penalty is the first of its kind, as the Office for Civil Rights had never before levied a fine for a security breach involving fewer than 500 people.
The incident is being cited by OCR as the latest evidence for an increasing need for tighter cybersecurity in medical centers, especially concerning sensitive personal health data. While larger hospitals tend to have much more sophisticated cybersecurity protocols, there is concern that smaller operations such as the Hospice of Northern Idaho are still lagging behind. OCR’s penalty reflects the severity of the incident, with director Leon Rodriguez saying, “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
To the hospice’s credit, center authorities took immediate steps to mitigate any potential breach of patient data upon being notified of the theft, including offering all affected patients free credit report monitoring. In addition, Office for Civil Rights officials have noted the hospice center’s markedly improved security protocols since the incident, most notably the encryption of all center laptops. OCR’s message to both the Hospice of Northern Idaho and the medical community was clear: Start taking patient data security seriously or pay the penalty.
What do you think? Do you believe the government’s penalty was adequate? How confident are you in the security of Americans’ personal medical information? Let us know what you think and leave your comments below.