Carelessness behind many health data breaches

Mishandling patient information, whether paper or electronic, can cost millions in fines even if no harm is intended.

By — Posted March 21, 2011

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

For all the high-tech security work that physician practices do so that no outsiders get unauthorized access to their patients' data, one very low-tech cause of data insecurity often is overlooked: plain old forgetfulness.

For example, Massachusetts General Hospital on Feb. 24 settled with the Dept. of Health and Human Services to a pay a $1 million fine for a patient data security breach that was not caused by a hacker breaking into its system. Instead, HHS said, it was caused by an employee who inadvertently left a stack of paper files on a subway train on the way to work.

Kaufman, Rossin & Co., an accounting firm in South Florida, issued a report in February that found practices and hospitals are more likely to experience a breach because of an employee losing a thumb drive, mobile device or stack of paper files than because they were targeted for a malicious hacking.

The firm analyzed 166 breaches affecting 500 or more patients that were reported to HHS' Office for Civil Rights from September 2009 to September 2010 and found that theft and loss were the leading causes.

"Humans truly are the biggest vulnerability within an organization with regard to security and privacy," said Rebecca Herold, a privacy and data security consultant based in Iowa.

Whether patient data are stored on a stack of paper files or a mobile computing device, many organizations don't have, or don't enforce, written policies on how the data should be handled, Herold said.

The privacy rule of the Health Insurance Portability and Accountability Act of 1996 set fines and enforcement against practices, hospitals and others that didn't protect patient data. But the Health Information Technology for Clinical Health Act of 2009, part of the 2009 economic stimulus package, raised stakes by increasing the possible fine to $1.5 million for each patient whose data were breached.

Not that a federal fine would be the only cost. The Ponemon Institute, which researches data privacy issues, issued its annual report March 8 analyzing the cost of data breaches. It found that the price for failing to protect patient data rose from $301 per breached file in 2009 to $345 in 2010. The costs included administrative expenses, such as notification, and the loss of business.

Still, often practices are too cavalier about how information leaves their offices, according to Kaufman, Rossin.

Employees bring stacks of paper files to and from the office, download patient information onto personal laptops and take thumb drives from work -- all with good intentions of working at home after hours but also exposing the data to more risk.

Practices need to understand where their information is stored, which could be multiple places, and how it is flowing throughout the organization regardless of whether it is on paper or electronic, said Jorge Rey, an information and IT audit manager for Kaufman, Rossin and co-author of the accounting firm's report.

Often, a breach "is pretty much human error and sometimes more like neglect," Rey said. Physicians and practice employees "are aware that breaches occur, but they are not necessarily fully aware they have sensitive data that can put the institution at risk of a breach."

In the Massachusetts General Hospital case, HHS said the facility failed to "implement reasonable, appropriate safeguards to protect the privacy of [patient information] when removed from Mass General's premises." The loss of paper files affected 192 patients of the hospitals' infectious disease outpatient practice, including patients with HIV/AIDS.

Policies must be instituted

The hospital system was not required to admit guilt, but HHS ordered it to develop and implement policies and procedures to ensure patient data are protected when removed from the premises. Mass General also is required to train workers on these policies and procedures and submit to a monitor that will issue semiannual compliance reports to HHS for three years.

Mass General said in a prepared response to the settlement that it will issue new or revised policies and procedures regarding the physical removal and transport of personal health information, laptop encryption and USB drive encryption.

Rey said policies should acknowledge that sometimes physicians or other employees need to access data at home. But practices must identify what can go wrong and look at ways of reducing the chances of those things happening, he said.

For example, one way to minimize exposure is with Web-based applications that allow remote access to secure databases. Accessing the data remotely will ensure that nobody transports physical copies -- or physical devices with the information -- between work and home, Rey said.

When those policies are put in place, organizations need to revisit and update their policies and monitor their systems for possible risks, experts said.

"This is not a one-time thing," said Avishai Wool, chief technology officer and co-founder of AlgoSec, a Roswell, Ga., company that provides security and risk management auditing.

Data privacy laws have "big teeth," so constant vigilance is necessary, he said.

Back to top

External links

"Preventing a Data Breach and Protecting Health Records: One Year Later: Are you Vulnerable to a Breach?" Kaufman, Rossin & Co., February (free; registration required) (link)

"2010 Annual Study: U.S. Cost of a Data Breach," Ponemon Institute, March (link)

Resolution agreement between the Dept. of Health and Human Services and Massachusetts General Hospital, Feb. 14 (link)

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story