Does anyone know the #1 reason for a PHI data breach?
That’s right, a lost or stolen storage device that is not encrypted.
Follow-on question: what is the only Safe Harbor for a lost or stolen storage device?
So the worst offender is an unencrypted storage device, yet one of the easiest things you can do to prevent a data breach is to encrypt your laptop or portable hard drive.
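Knowing that a drive is encrypted is only half the job; you also need to be able to check it. Below is an added example (not from the original post) of a small audit script for a Linux laptop that lists every mounted filesystem and flags the ones that are not sitting on a dm-crypt (LUKS) layer. It parses the output of `lsblk -l -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the sample device table embedded in the script is constructed for illustration, and the `--live` flag name is my own choice.

```shell
#!/bin/sh
# Audit mounted filesystems and report those not backed by an encrypted block device.
# Added example, not part of the original post.

# Constructed sample output, in the shape produced by:
#   lsblk -l -o NAME,TYPE,FSTYPE,MOUNTPOINT
# A LUKS-encrypted root shows up as a partition of FSTYPE crypto_LUKS plus a
# mapped device of TYPE crypt that carries the actual mountpoint.
SAMPLE_LSBLK='NAME      TYPE  FSTYPE      MOUNTPOINT
sda       disk
sda1      part  vfat        /boot/efi
sda2      part  crypto_LUKS
luks-root crypt ext4        /
sdb       disk
sdb1      part  ntfs        /media/usb'

# Reads lsblk-style lines on stdin and prints NAME:MOUNTPOINT for every
# mounted filesystem whose device is not a crypt mapping.
# Caveats: skips the header row; a mountpoint containing spaces would be
# split by awk, and swap ("[SWAP]") is reported like any other mount.
find_unencrypted_mounts() {
    awk 'NR > 1 && NF >= 4 && $2 != "crypt" { print $1 ":" $4 }'
}

# Convenience wrapper that audits the constructed sample table.
audit_sample() {
    printf '%s\n' "$SAMPLE_LSBLK" | find_unencrypted_mounts
}

# Run against the real machine only when asked and when lsblk is present;
# otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ] && command -v lsblk >/dev/null 2>&1; then
    lsblk -l -o NAME,TYPE,FSTYPE,MOUNTPOINT | find_unencrypted_mounts
else
    audit_sample
fi
```

On the sample table the script reports `sda1:/boot/efi` and `sdb1:/media/usb`. An unencrypted EFI partition is normal, but a plain NTFS USB stick holding patient data is exactly the case the breach statistics describe; run it with `--live` to check your own machine.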
I love to read the excuses and attempts to downplay these breaches. Here are some given by Emory President John T. Fox, each with my follow-on comment:
“John T. Fox, president and CEO of Emory Healthcare, said at a press conference Wednesday that the discs were not obtained through ‘hacking’ of the Emory system,” writes The Atlanta Journal-Constitution’s Carrie Teegardin.
Ok, the system wasn’t hacked, which is a plus, but the discs were still lost or stolen and the data was still on them, so that is bad.
“He insisted … the disks are old and can only be read on an out-of-date system that requires special training,” writes CBS Atlanta’s Elizabeth Klynstra and Christopher King. “There is no evidence the missing information was stolen or misused, he said.”
Weak. The only Safe Harbor is full encryption, not “…an out-of-date system…”. The street value of that data is such that someone who can read the discs will be found.
“Based on an internal investigation, Emory Healthcare officials believe the disks were removed sometime between Feb. 7 and Feb. 20,” writes WSBTV’s Erica Byfield. “Fox said the employee who had the information did not properly secure it but will not face any disciplinary actions.”
Hmm, the employee who violated a federal regulation won’t be disciplined? HIPAA fines allow not only the business but also the employee to be fined, and this is not up to Emory.
“All affected patients will be provided access to identity protection services, including credit monitoring, at Emory’s expense, he added,” writes Atlanta Business Chronicle’s Urvaksh Karkaria. “Patients are being informed through letters delivered to their homes.”
This is at least somewhat helpful, and it is the minimum expected.
“Last year, in a much smaller case, an Emory orthopedic clinic reported an incident in which about 80 patients had their personal information stolen,” notes Public Broadcasting Atlanta’s Jonathan Shapiro.
So Emory has a track record of breaches…this is not good.
The big picture here is that Emory is screwing up and making excuses. As a large “business,” it is easier for them to do this.
If you had a breach at your practice, you would be eaten alive by local news. Your local reputation would get destroyed, which could easily lead to your practice being destroyed.
What’s the answer? Be HIPAA compliant. Get over the idea that “the government makes me do it” and think of HIPAA compliance as Risk Reduction to you and your business.
Once you do this, the HIPAA pill is much easier to swallow.