Boston teaching hospital fined $1.5M for ePHI data breach

A teaching hospital for Harvard Medical School and an associated medical practice have agreed to pay a $1.5 million fine in a breach of patient protected health information (PHI), the U.S. Department of Health & Human Services announced Monday.

HHS' Office of Civil Rights (OCR) investigated Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. after it reported the February 2010 theft of a laptop computer holding unencrypted data on 3,621 patients and research subjects, according to HHS and a report by Health Data Management.

The 41-bed Boston hospital, which says it is the world's largest vision and hearing research center, reported the theft to HHS as required under the Health Information Technology for Economic and Clinical Health Act (HITECH) breach notification rule.

OCR found that hospital and practice officials failed to conduct a thorough analysis of security risks on portable devices, take measures to ensure the confidentiality of PHI on portable devices, or properly restrict access to PHI to authorized users of portable devices, according to HHS. The "failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the security rule," the agency said.

"In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices," OCR Director Leon Rodriguez said yesterday in a statement. "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

Massachusetts Eye and Ear signed a resolution and corrective action plan agreeing to review and potentially revise its security plan with approval from HHS, and to adopt any additional changes required by the agency. An independent monitor will assess compliance and report semiannually to HHS for three years.

According to Health  Data Management, other major fines for security breaches include $4.3 million to Cignet Health, $2.2 million to CVS/pharmacy, $1.7 million to the Alaska Department of Health and Social Services, and $1.5 million to Blue Cross and Blue Shield of Tennessee.

The loss of laptops containing protected health information has been a major security problem.

In July, a laptop containing back-up media for the computer server of Indianapolis-based Cancer Care Group was stolen from an employee's vehicle, including detailed personal, medical and insurance information on 55,000 patients.

Also in July, the University of Texas M.D. Anderson Cancer Center in Houston announced a medical student trainee lost an unencrypted thumb drive containing information on 2,200 patients on an employee shuttle bus.

It was the second data breach of the year for M.D. Anderson. Data on more than 30,000 patients was lost in April when a laptop was stolen from a faculty member's home.

The security risk is so significant that the Florida-based accounting and consulting firm Kaufman Rossin & Co. recently issued a white paper recommending against storing PHI on portable electronic devices, thumb drives, CDs and other easy-to-lose items.

The paper, "HITECH Act Three Years Later: Are Health Records Safe?", noted that 407 security breaches in 2010 and 2011 compromised the PHI of 19.1 million people.

To learn more:
- see the HHS announcement
- read the Health Data Management account
- here's the resolution agreement (.pdf)