True Story of HIPAA Violations


Behold the “Wall of Shame”

Known as the “Wall of Shame,” the US Department of Health and Human Services (HHS) website details 281 Health Insurance Portability and Accountability Act (HIPAA) security violations that affected more than 500 individuals as of June 9, 2011. Overall, physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%. Representative entries include:

  • 6,800 paper records that were supposedly mailed but never received;
  • an impostor posing as a recycling-service employee stealing over 1,300 individuals’ records and films; and,
  • a laptop stolen by a former employee that contained personal health records of over 50,000 patients.

Hardcore hackers like LulzSec aren’t compromising our health records; healthcare professionals and everyday thieves are.

Carelessness, Theft to Blame for HIPAA Violations

The vast majority of HIPAA violations weren’t instances of professional hacking or Ocean’s 11-esque intrusion. Most were a result of poor internal security, petty theft, or negligence. That holds true for even the largest violations on record.

Here are the top five violations on record – based on the number of individuals affected – according to the HHS:

| Provider | Year | Individuals Affected | How Data Was Breached |
|---|---|---|---|
| Health Net | 2011 | 1,900,000 | Portable disk drive stolen from Health Net’s California office. |
| NYC Health & Hospitals Corporation | 2010 | 1,700,000 | Hard drives storing health record information stolen from the back of a van. |
| AvMed | 2009 | 1,220,000 | Laptops stolen from the corporate office in Gainesville. |
| Blue Cross Blue Shield of Tennessee | 2009 | 1,023,209 | Hard drives storing health record information were stolen from an IT closet. |
| South Shore Hospital | 2010 | 800,000 | Disk drives were lost while being transported to a contractor for destruction. |

These violations accounted for a whopping 6.74 million individuals’ health information being compromised, all because of four instances of theft, and a disk drive that was lost on its way to the electronic guillotine. In terms of individuals affected, these five violations represent 61% of the reported HIPAA violations on the HHS website.

Electronic Storage Theft #1 Reason for HIPAA Violations

While computer networks were breached in 12% of instances, they weren’t the most common scene of the crime. Instead, electronic storage devices (e.g. hard drives) and paper records were the most common breach locations.

If we drill down a little deeper to focus on the largest category – electronic storage devices – most violations were due to theft and loss.

There Are Only Seven EMR Violations on the Wall of Shame

The HHS categorized only seven breaches wholly or partially involving Electronic Medical Records (EMRs). Did these EMR violations involve on-premise systems or systems based in the cloud? Most of these entries lacked details on how exactly the breaches occurred, so I did some investigative reporting to uncover what really happened.

| Provider | Year | Individuals Affected | How Data Was Breached |
|---|---|---|---|
| Keith W. Mann, DDS | 2009 | 2,000 | On-premise system servers (managed by Professional Computer Services) hacked. |
| Daniel J. Sigman MD | 2009 | 1,500 | Backups of on-premise system were stolen from Dr. Sigman’s home. |
| Kaiser Permanente Medical Care Program | 2009 | 15,500 | Portable hard drive was left inside a van. Van was then stolen. |
| Texas Health Arlington Memorial Hospital | 2010 | 654 | Poorly trained employees marked electronic charts incorrectly in an on-premise system. |
| Mayo Clinic | 2010 | 1,740 | Employee found snooping on patients’ records using Mayo Clinic’s on-premise EHR system. |
| NYC Health & Hospitals Corporation | 2010 | 1,700,000 | Hard drives from an on-premise system stolen from the back of a van. |
| South Shore Hospital | 2010 | 800,000 | Hard drives from an on-premise system lost on their way to a contractor for destruction. |

All seven violations involved on-premise systems. Considering the flak cloud systems have received in general, this is a great vindication for the cloud.

And it makes sense. In a cloud-based system, no data is stored on the local device (i.e. computer). All of the data is hosted on the software company’s server and accessed through a web browser when needed. If someone steals a computer, there’s no patient data on it.

These security breaches were indeed severe and affected many individuals’ lives. But only one involved a high-tech hacker. Most were carelessly lost, or simply stolen – the same reason there were over 30 reported instances of compromised paper records, and 50 violations involving stolen laptops.

HIPAA Violations Aren’t in the Cloud

Some have said that increasing the number of EMRs makes our records more vulnerable. I’d cite the above data to argue otherwise. Paper records and portable devices are the weakest link in HIPAA security. The systems themselves – and certainly cloud-based systems – have a pretty good track record. HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.

And the statement that cloud-based EMR systems are more vulnerable to security breaches simply isn’t supported by the facts. Of course, it remains to be seen whether this holds true as more cloud-based systems are deployed. As more physicians move their records to the cloud, the opportunity for breaches will increase.

If my doctor asked me how to ensure patients’ data is secure, I would offer the following: go to the cloud. Web-based EMRs eliminate the most common security risks because there aren’t physical files to be compromised. And no matter your system, it’s essential to train your staff on the necessary security measures so that protecting patient privacy becomes a systematic imperative.

Oh, and as for my final professional recommendation about how to avoid HIPAA violations: don’t leave your work laptop in a coffee shop. Don’t leave your storage container of paper records on a city bus. And for Pete’s sake, lock your car.

by Michael Koploy, ERP Analyst, Software Advice – June 20, 2011