Massachusetts Eye and Ear is facing serious repercussions following charges that it failed to meet Health Insurance Portability and Accountability Act (HIPAA) data protection standards. The organization recently announced that it would pay a $1.5 million fine after an investigation conducted by the U.S. Department of Health and Human Services (HHS).
"The agreement with HHS requires Mass. Eye and Ear to enter into a Corrective Action Plan (CAP), which includes risk assessment, the review and revision of policies and procedures and the provision of training to our staff," Massachusetts Eye and Ear said in a statement.
Mass. Eye and Ear insisted that it had already started taking action based on the action plan and promised it would continue collaborating with HHS to protect sensitive patient information. The original incident could have been avoided by following best practices with regard to stored data.
The investigation into Mass. Eye and Ear began after it reported a data security incident involving an employee's stolen laptop. InformationWeek columnist Michelle McNickle noted that it was not entirely the lack of encryption that led to the fines, but the failure to conduct a proper risk assessment regarding patient data. Chad Boeckmann, president at security program company Secure Digital Solutions, told InformationWeek that the issue revolves around being proactive with regard to mitigating security risks. Boeckmann also said that an investment in effective encryption technology would likely have only cost one-tenth of the non-compliance fine.
Medical records held hostage
The risk of identity theft is cause enough for concern when it comes to medical data breaches, but the reality of the situation could be much more severe. Bloomberg blogger Jordan Robertson highlighted an incident in which patients' electronic medical records (EMRs) were stolen and held hostage. Hackers targeting the Surgeons of Lake County, a medical facility in Illinois, broke into a server that stored both emails and EMRs. Rather than simply copy the data, the cybercriminals encrypted it and demanded a ransom from the facility in return for the password to access the information.
Robertson also noted that the Lake County attack was not an isolated issue. Several other data security incidents at healthcare organizations have resulted in similar ransom demands.
"One case involved Express Scripts (ESRX), the large prescription-drug benefits manager, and a threat it received in 2008," Robertson wrote. "Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum."
Data Security News from SimplySecurity.com by Trend Micro