Archive for HIPAA Violations
Clay County Hospital in Flora, Illinois, received an anonymous email November 2 from someone threatening to release PHI to the public if the hospital did not agree to a ransom, according to a press release.
The email contained the stolen PHI that the sender threatened to release. The sender obtained names, addresses, Social Security numbers, and dates of birth of patients treated at Clay County Hospital clinics prior to February 2012, according to the press release.
The hospital launched its own breach investigation, notified law enforcement, and began notifying all affected patients after learning that the PHI of its patients had been compromised. The investigation revealed that the hospital’s servers were not hacked, although the hospital plans to strengthen its security measures by implementing additional logging and auditing systems, according to the press release.
The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release.
OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.
The resolution agreement states that ACMHS failed to:
- Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
- Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
- Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012
In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:
- Provide an updated version of its security policies and procedures
- Adopt a revised version of OCR-approved security policies and procedures
- Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
- Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures
Authorities recently arrested a New York radiologist for allegedly stealing the PHI of 96,998 patients, according to a press release from the Nassau County District Attorney’s office.
James Kessler, 38, is charged with improperly accessing the patients’ records from January 17, 2014, through April 27, 2014, while working as a radiologist at NRAD Medical Associates, with locations in Nassau and Queens, New York. Authorities found a hard drive that contained patient records, patient billing system dates, NRAD corporate credit card information, corporate marketing materials, and IT information during a search of Kessler’s home, according to the press release.
The Nassau County District Attorney charged Kessler with unauthorized use of a computer, unlawful duplication of computer-related material in the second degree, and petit larceny, according to the press release. NRAD discovered the breach in April and notified HHS in June prior to sending a notification letter to affected patients, according to the press release.
Kessler is due to be arraigned January 6, 2015, and faces up to one year in prison if convicted.
A former South Carolina Department of Health and Human Services (DHHS) employee was recently sentenced to three years’ probation for felony charges associated with unauthorized access to Medicaid records, according to www.govinfosecurity.com.
Christopher R. Lykes, Jr., of Swansea, South Carolina, pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy. Lykes emailed a spreadsheet containing the personal information of 228,000 Medicaid recipients to himself in 2012 while employed by the South Carolina DHHS. The spreadsheet listed Medicaid recipient names, dates of birth, addresses, and phone numbers. The spreadsheet also contained the Medicaid ID numbers, which contain Social Security numbers, of approximately 23,000 affected individuals, according to www.govinfosecurity.com.
Lykes allegedly conspired with Toshia Yvette Latimer-Addison to access the Medicaid data. The two were indicted in February 2013, according to www.govinfosecurity.com.
The Connecticut Supreme Court in November overturned a trial court determination that a plaintiff could not file claims for negligence if the underlying cause was related to a HIPAA violation, according to www.ctpost.com.
Avery Center for Obstetrics and Gynecology, P.C., in Westport, Connecticut, received a subpoena for Emily Byrne’s medical records as part of a case involving Byrne and a man who filed paternity actions against her. Byrne had previously instructed the medical office not to release her information to her child’s father, but the medical center did so anyway. Byrne then sued the medical practice for negligence, according to www.ctpost.com.
The Connecticut Supreme Court ruled that a HIPAA violation may be considered a violation of accepted standards of care. This is the first ruling of its kind in Connecticut, although courts in Missouri, West Virginia, and North Carolina have made similar rulings. The Connecticut Supreme Court remanded the case to a lower court for trial, according to www.ctpost.com.