A Tiny Storage Device Causes Big Privacy Breach
A Massachusetts dermatology practice learned the importance of protecting patient records after a federal investigation determined the business lost control of thousands of private medical documents.
When a complaint was made to the Office for Civil Rights (OCR), the investigative agency of the Department of Health and Human Services, that a thumb drive had been stolen from a car owned by an Adult & Pediatric Dermatology (APDerm) staff member, investigators knew the results could be devastating to patient privacy. The thumb drive contained the electronic protected health information (ePHI) of 2,200 patients.
APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.
Privacy Breach Caused By Non-Compliance
The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with the requirements of the Breach Notification Rule to have written policies and procedures in place and to train workforce members.
“As we say in health care, an ounce of prevention is worth a pound of cure,” said then-OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
Breach Notification Failure Costs Are Huge
Following the investigation, APDerm agreed to pay $150,000 to settle the violation and participate in a federally monitored corrective action plan. APDerm agreed to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
Do you have a plan to manage all of your organization’s hardware containing ePHI, including laptops, mobile phones, thumb drives, and portable hard drives? If not, we’re here to help.