It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department of Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to “implement appropriate administrative and technical safeguards” required by HIPAA when it left an online application database unsecured and exposed the electronic protected health information (“PHI”) of more than 600,000 individuals. WellPoint self-reported the issue when it submitted the breach notification required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This breach highlights the importance of verifying that access controls on PHI remain in place after system updates are performed, not just before them.
The WellPoint breach is just the latest in a long line of breaches reported to HHS. Section 13402(e)(4) of the HITECH Act requires HHS to post a list of breaches of unsecured PHI affecting 500 or more individuals. Iliana Peters of HHS’s Office for Civil Rights (“OCR”) recently informed members of the American Bar Association that, as of July 1, 2013, 627 such large breaches had been reported, falling into the following categories (percentages are by number of incidents, not by number of individuals affected):
• Theft. More than half of these breaches result from theft, mostly of a computer or laptop. Employees should be reminded not to leave laptops unattended in their vehicles, and PHI on these devices should be encrypted; under HHS guidance, PHI that is properly encrypted is considered “secured,” so the theft or loss of an encrypted device generally does not trigger a reportable breach.
• Unauthorized access. The second most common cause of a breach is unauthorized access, which accounts for 20% of breaches. A recent small, but newsworthy, breach of this kind was reported when six employees were fired from Cedars-Sinai Medical Center for snooping in Kim Kardashian’s medical record after she gave birth. Employees should be reminded that access to medical information is on a need-to-know basis only, and that snooping is not permitted—even when “keeping up with a Kardashian.”
• Loss. Twelve percent of large breaches involve loss of PHI. These incidents typically involve loss of a laptop or thumb drive.
• Hacking/IT Incidents. Although most organizations fear hacking, it is not the most frequent cause of a data breach: only 8% of large breaches involved hacking or other IT incidents.
• Improper Disposal. Improperly disposing of PHI made up 5% of large breaches.
• Unknown. The root cause is unknown for 3% of breaches.
Ms. Peters also said that there have been more than 81,000 smaller breaches (those involving fewer than 500 individuals) reported to OCR.