UCLA breach shows that even home isn't always a safe place for data
■ Experts say the case underscores the need for medical practices to establish privacy-protection policies.
By Pamela Lewis Dolan — Posted Nov. 22, 2011
Even if practices think they have a strong data security plan in place, too often a new breach occurs that reminds them there are always additional steps that can be taken, or that certain vulnerabilities were overlooked.
The most recent reminder came from the UCLA Medical Center, which issued a public notice on Nov. 4 saying that an external computer hard drive belonging to a former employee, containing information about 16,288 patients, was stolen during a house burglary. Although the data were encrypted, a piece of paper containing the password needed to decrypt the data was also taken in the burglary.
UCLA said in the notice that the records did not contain Social Security numbers or financial information. But they did include first and last names and possibly birth dates, addresses, medical record numbers and medical information. The records dated from July 2007 to July 2011. The theft occurred in September, and UCLA said it took until November to determine who was affected and obtain valid addresses for notification. The employee whose home was burglarized ended his employment with UCLA in July.
After this recent incident, UCLA said it is "reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood of such an incident occurring again."
Brian Lapidus, chief operating officer of Kroll Fraud Solutions, said practices need all employees to be cognizant of how important and valuable patient data are. Everyone in the office should "treat data like diamonds" and protect them.
Kroll was hired by UCLA to investigate the breach, but Lapidus did not comment about the case.
Although many physician practices have policies on patient data, there's often room to make the policies more specific, Lapidus said. Some employees may need reminding that placing notes on laptops with log-ins and passwords is not advisable. Machines and encryption tokens should never be together. Though encryption is a good way to protect data, "it is only one tool in an arsenal," he said.
"You can encrypt data, you can even encrypt your machines," but employees must know how the encryption works and its limitations, Lapidus said.
When it comes to policies on data that leave the practice, Lapidus' recommendation is to not take it home to begin with. "Do you really, really need to do that at home? Are there other things you can do? Is it worth the risk?" he asked. Each organization has to answer that, "but from my perspective, it's a risk not worth taking."
Previous breaches at UCLA helped prompt the drafting of two California patient privacy laws that went into effect in January 2009. The laws put more teeth into patient privacy rules and bolstered the penalties for not complying.
Before the law was introduced, several snooping cases were reported that involved celebrities, including former California first lady Maria Shriver and singer Britney Spears. About the same time the California governor signed the two patient privacy bills into law, a report published by the state health department found that snooping incidents at UCLA were much worse than thought. The study found that hospital workers inappropriately accessed the electronic medical records of 1,041 patients since 2003.
The first known person to be jailed for HIPAA violations in the U.S. was Dr. Huping Zhou, a cardiothoracic surgeon from China who was a researcher at UCLA. He was sentenced to four months in jail in April 2010 after pleading guilty to charges related to looking at patient medical records he was not authorized to view. The records included those of his immediate supervisor and co-workers as well as celebrities.