Archive for HIPAA Violations
Indiana Attorney General Greg Zoeller recently reached a $12,000 settlement for HIPAA violations with a former dentist accused of improperly disposing of medical records, according to Legal Newsline.
The Indiana Board of Dentistry revoked Joseph Beck’s license to practice in Indiana over allegations of negligence and fraudulent billing practices. More than 60 boxes of medical records of patients treated by Beck from 2002 to 2007 were found in an Indianapolis dumpster in 2013, not long after his license was revoked. The boxes contained the PHI of more than 5,600 patients, including full names, phone numbers, addresses, and Social Security numbers, according to Legal Newsline.
Beck allegedly hired the third-party vendor Just the Connection, Inc., in Carmel, Indiana, to dispose of the records, according to Legal Newsline.
The St. Louis County Health Department recently discovered that a document containing PHI was emailed to the personal account of a former employee, according to the St. Louis Post-Dispatch.
The document listed names and Social Security numbers of inmates treated at Buzz Westfall Justice Center in Clayton, Missouri, from 2008 through 2014. The St. Louis County Health Department instructed the former employee to delete the document. The department did not identify the former employee by name, but said she resigned in November 2014 after being employed by the department for 25 years. The former employee held a clerical position and her duties involved verifying medical claims information for inmates, the St. Louis Post-Dispatch reported.
The health department notified authorities and affected patients of the breach, although there is no indication that the PHI in the document was misused. The department said it is taking precautions to ensure an incident like this does not occur again and will continue conducting annual HIPAA training, according to the St. Louis Post-Dispatch.
Northwestern Memorial Healthcare in Chicago recently notified 2,800 patients of a breach that occurred when a password-protected, unencrypted laptop was stolen from an employee’s vehicle, according to a notice on the health system’s website. Because the disk was not encrypted, the login password offered no protection for the data stored on it once the device was out of the employee’s hands.
The laptop may have contained the following patient information:
- Dates of birth
- Health insurance information
- Billing codes
- Dates of service
- Physicians’ names
- Medical record numbers
- Treatment information
In some instances, patients’ Social Security numbers may have been listed. The health system learned of the theft on the day it occurred, October 21, 2014. It began sending letters to affected patients on December 19, 2014.
The employee who had been in possession of the laptop contacted law enforcement officials after learning of the theft. The health system subsequently began its own investigation, according to the notice.
Clay County Hospital in Flora, Illinois, received an anonymous email November 2 from someone threatening to release PHI to the public unless the hospital paid a ransom, according to a press release.
The email contained the stolen PHI that the sender threatened to release. The sender had obtained names, addresses, Social Security numbers, and dates of birth of patients treated at Clay County Hospital clinics prior to February 2012, according to the press release.
After learning that its patients’ PHI had been compromised, the hospital launched its own breach investigation, notified law enforcement, and began notifying all affected patients. The investigation found that the hospital’s servers had not been hacked; the hospital nonetheless plans to strengthen its security measures by implementing additional logging and auditing systems, according to the press release.
The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release.
OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.
The resolution agreement states that ACMHS failed to:
- Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
- Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
- Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012
In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:
- Provide an updated version of its security policies and procedures
- Adopt a revised version of OCR-approved security policies and procedures
- Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
- Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures