Yet again a tree fell down in the health IT forest and it didn’t make a sound.
But it should. One of the worst fears about health IT has been realized, and it’s probably just the tip of the iceberg.
Boston-based Codman Square Health Center reported to the Department of Health and Human Services last month that an employee of an outside vendor obtained unauthorized access to the health information exchange (HIE) in which Codman participates by using an employee’s access credentials, HealthcareInfoSecurity.com reported recently. The HIE, New England Healthcare Exchange Network (NEHEN), serves providers and plans throughout the region. Codman acknowledges on its website that the information accessed included names, addresses, dates of birth, gender, medical services, payer information, insurance information and possibly Social Security numbers. In other words, yet another major breach.
But this one is potentially more significant than our garden-variety breaches and deserves more attention than it has received, because of the nature of the breach itself.
Most discussions about the vulnerability of patient data held by an HIE relate to the actions of the HIE as a business associate under HIPAA to the covered entities supplying the information, which the HIE handles on their behalf. The concern is that the business associate makes an error, causing the breach and exposing the records.
That's not what happened here. NEHEN’s records were compromised by a third party, evidently in cahoots with or taking advantage of at least one employee of one of the covered entities providing records to NEHEN. Ouch.
But it gets worse.
Had the breach been limited to Codman’s own patients, it would have affected only 140 people. The vendor here also impermissibly accessed the records of 4,000 other patients in the HIE, a huge difference, and one that catapulted the breach into higher-stakes, HHS-Wall-of-Shame territory.
Then there’s the problem of how to comply with HIPAA’s breach notification requirements. HIPAA requires a covered entity to notify affected patients of a breach of their health information, and provides various alternative methods to do so. However, the law contemplates that, since they are the entity’s patients, the entity has some patient contact information in the record, even if it isn’t current. At least it’s a starting point.
Codman doesn’t have that luxury. It doesn’t have all patient contact information, since most of the affected patients aren’t Codman’s. Codman itself states that “All patients of Codman Square Health Center who are affected will be notified by mail. ... For affected individuals who are not Codman patients, those directly affected will be notified by mail if contact information is provided.”
That means that patients may never know that they were victims of this breach.
Moreover, this incident raises a host of more disturbing questions:
- Will patients be less likely to agree to allow their records to be part of an HIE? And should more HIEs adopt “opt-in” provisions so patients don’t end up in an HIE by default because they didn’t “opt-out”? Will they be more likely to withhold information even from their own providers?
- Will providers be more leery of providing patient information to an HIE because of the security risk, and less likely to trust the patient information they’re accessing?
- Are the current methods of protecting data being held by an HIE sufficient?
- Who should handle the breach of data? Here, it was Codman that was at fault. But Codman admits it may not be able to notify everyone. What should be done when data from more than one provider or plan is compromised? And what if the data were intermingled, so that tracing back the source is more difficult?
- And perhaps most importantly, what does a breach like this say about HIEs themselves and interoperability? If the integrity of an HIE can be compromised this easily, are HIEs the best avenue for data sharing?