BreachExchange mailing list archives

Major medical records breaches pass 1,000 milestone as enforcement ramps up


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Jun 2014 20:37:33 -0600

http://www.modernhealthcare.com/article/20140613/BLOG/306139996

Nearly 31.7 million individuals, a number equal to 1 in 10 people in the
U.S., have had their medical records exposed through known and reported
major data breaches by healthcare providers and their business associates.
With 34 publicly reportable breaches coming in June alone, the total number
of breaches on the federal “wall of shame” website topped the 1,000 mark
this month.

A total of 1,026 breaches have been reported to HHS involving 500 or more
individuals since the federal reporting requirement went into effect in
September 2009 under the American Recovery and Reinvestment Act, according
to the public site kept by HHS' Office for Civil Rights.

In addition, through March 1, 2013, there have been approximately 116,000
reported breaches involving the records of fewer than 500 individuals that
are not individually disclosed, according to the most recent OCR count
available.

But with the industry's ongoing poor security record as a backdrop, there
is evidence that the civil rights office is picking up the pace of its
enforcement efforts.

Jerome Meites, the chief regional civil rights counsel for HHS' office
covering Illinois, Indiana, Michigan, Minnesota, Ohio and Wisconsin,
reportedly told members of the American Bar Association Thursday that
enforcement activities in the year ahead will surpass those of the past 12
months, according to a report of the presentation in 360 Law.

Meites is not a member of the OCR staff, but has represented the office in
several high-profile breach settlement negotiations, including cases
brought against drugstore chains CVS and Rite Aid, which combined totaled
$3.25 million.

Meites was speaking as an individual, not on behalf of the civil rights
office or HHS, said OCR spokeswoman Rachel Seeger.

“If you compare last year's to this year's, we have increased our actions,”
Seeger said. “If that's what he was talking about, yes, already you've seen
an uptick.”

Last month, the office reached a record settlement amount for a single
breach case when it negotiated a combined payment of $4.8 million with New
York-Presbyterian Hospital and Columbia University after 6,800 patient
records were exposed to the Internet.

But the focus of the civil rights office in the overwhelming majority of
cases is to achieve compliance, Seeger said.

“If you take a look at the reports to Congress, which we posted this week,
we have investigated over 32,600 (HIPAA complaint) cases (and) over 22,500
of them have closed with corrective action,” Seeger said.

“The majority of these cases are closed with corrective actions that don't
result in these monetary settlements.”

“So, we have these 21 cases that have closed with a monetary settlement,”
Seeger said. Settlement amounts for these 21 cases total $25.1 million.

The civil rights office has reached five monetary settlements a year for
the prior two years, but has four cases already this year, so Meites'
prediction is no surprise, said Adam Greene, a partner with Davis Wright
Tremaine and a former senior health information-technology and privacy
specialist at the OCR.

Greene said there are still “plenty of breaches” being reported, so even
with the vast majority being settled through voluntary compliance, “that
leaves a lot of room for penalties,” he said.