Washington Hospital Pays $240,000 HIPAA Fine for Security Guards’ Medical Records Access
All reported protected health information (PHI) breaches involving 500 or more people, and certain smaller breaches, are investigated by the HHS' Office for Civil Rights (OCR) to determine whether the breach resulted from a failure to comply with the HIPAA Rules. OCR's most recent HIPAA enforcement action shows that financial penalties depend not on the scale of a data breach but on the severity of the underlying HIPAA violations.
On February 28, 2018, Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial) reported a relatively small data breach to OCR. The 222-bed non-profit community hospital in Washington state had discovered that its security guards were viewing patients' health data without a legitimate work reason for doing so. A total of 419 health records were impermissibly accessed.
OCR's investigation of the snooping case in May 2018 revealed widespread snooping on health records by security guards in the hospital's emergency department. Twenty-three security guards had used their login credentials to access records in the hospital's electronic medical record system without a valid reason. The guards were able to view PHI including names, addresses, dates of birth, notes related to treatment, medical record numbers, and insurance information. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule (45 C.F.R. § 164.316).
Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a $240,000 financial penalty without admitting liability. It also adopted a corrective action plan to bring it into full compliance with the HIPAA Rules. The plan requires a thorough and comprehensive risk analysis; the development and implementation of a risk management plan to address the risks identified by that analysis; revisions to its HIPAA policies and procedures; improvements to its existing HIPAA security training program; and a review of its relationships with vendors and third-party service providers to identify business associates and to put business associate agreements in place where they are missing.
Data breaches caused by current and former employees impermissibly viewing patient data are a persistent problem across the healthcare sector. Healthcare organizations need to ensure that employees can only access the patient data required to perform their jobs. HIPAA-covered entities should have strong policies and procedures in place to protect patient health data from identity theft and fraud.
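One way to implement the kind of access review this snooping case calls for, as an added example (not the hospital's or OCR's code): it runs a role-and-assignment check over a constructed EMR audit log and reports, per user, how many distinct patient records were opened without a valid reason. The log format, the role names, and the assignment table are all assumptions made for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample EMR audit log (not real data). Columns are assumed.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2018-03-01T08:02:11,nurse01,nurse,P1001,view_chart
2018-03-01T08:05:40,guard07,security,P1001,view_chart
2018-03-01T08:06:02,guard07,security,P1002,view_chart
2018-03-01T08:07:15,guard07,security,P1003,view_chart
2018-03-01T09:10:00,doc02,physician,P1002,view_chart
2018-03-01T09:12:30,guard12,security,P1004,view_chart
2018-03-01T10:00:00,guard07,security,P1001,view_chart
2018-03-01T10:30:00,doc02,physician,P1005,view_chart
"""

# Assumed policy: only clinical roles may open charts, and only for
# patients they are assigned to (a "treatment relationship").
CLINICAL_ROLES = {"nurse", "physician"}
ASSIGNMENTS = {"nurse01": {"P1001"}, "doc02": {"P1002"}}  # constructed

def parse_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def find_violations(rows):
    """Return chart views for which the user had no valid reason."""
    bad = []
    for row in rows:
        if row["action"] != "view_chart":
            continue
        if row["role"] not in CLINICAL_ROLES:
            bad.append(row)  # non-clinical staff opened a chart
        elif row["patient_id"] not in ASSIGNMENTS.get(row["user"], set()):
            bad.append(row)  # clinician with no treatment relationship
    return bad

def summarize(violations):
    """Per user, count distinct patient records improperly viewed."""
    per_user = defaultdict(set)
    for row in violations:
        per_user[row["user"]].add(row["patient_id"])
    return {user: len(pids) for user, pids in per_user.items()}

if __name__ == "__main__":
    hits = find_violations(parse_log(SAMPLE_LOG))
    for user, n in sorted(summarize(hits).items()):
        print(f"{user}: {n} record(s) viewed without a valid reason")
```

On the sample log this flags every chart view by the two guards plus one physician view of an unassigned patient, which is the pattern a periodic review of EMR access logs would surface.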
This is OCR's 6th HIPAA enforcement action of 2023 to carry a financial penalty. It is the HIPAA enforcement action that OCR announced this month. So far this year, OCR has imposed a total of $1,901,500 in penalties to resolve HIPAA Rules violations.
FTC Penalizes Genetic Testing Company for Data Privacy and Security Violations
A San Francisco-based company that sells DNA test kits and personalized diet and exercise programs based on genetic testing has been fined $75,000 by the Federal Trade Commission (FTC) and ordered to improve its data privacy and security practices. The company is alleged to have exposed sensitive genetic and health information and deceived its customers about its data-sharing practices.
1Health.io, which previously operated as Vitagene and Vitagene Inc., is alleged to have violated the Federal Trade Commission Act by misleading consumers about its data disclosure, data deletion, and DNA sample destruction practices. According to the FTC complaint, customers were told on the Vitagene website that the company's security was rock solid and that personal information was collected, processed, and stored in a responsible, transparent, and secure environment. From 2017 to 2020, Vitagene told consumers that their sensitive health and personal data would only be shared in limited circumstances, for example with their physician or the laboratory performing the testing. Vitagene also told consumers that DNA results were not labeled with names or other identifying information, that DNA samples would be destroyed once analysis was complete, and that consumers' personal data was deleted.
According to the FTC, 1Health.io made retroactive changes to its privacy policy in 2020, revising it to state that the company would share personal data with third parties such as supermarket chains; however, consumers were not notified of the change. A customer who had already provided personal data to the company would not know that it would be disclosed to third parties unless they rechecked the company's privacy policy themselves. Although the company stated that DNA samples would be destroyed, from 2016 onward it had no policy requiring the laboratories that analyzed DNA samples to dispose of them after testing. And because the company did not maintain a database from 2016 to July 1, 2019, it could not search its cloud storage to fulfill consumers' data deletion requests.
The FTC also found that the company's security practices put consumer information at risk. Consumers' health information was stored in an Amazon S3 bucket that was publicly accessible over the internet. Approximately 2,400 health records were stored in the bucket; those records contained the raw genetic data of around 227 consumers and, in some cases, the consumer's first name. The data was not encrypted, there were no access controls, and access logs were not maintained or reviewed. The company had been notified about the exposed data on about three occasions over two years starting in 2017 but did not act to secure the S3 buckets until a security researcher reported the exposure in June 2019.
In addition to the financial penalty, 1Health.io is prohibited from sharing consumer information with third parties without first obtaining affirmative consent and must implement a comprehensive data security program that addresses all of the security deficiencies described in the FTC complaint. 1Health.io must also have a qualified, independent third-party expert assess its data security program within 180 days, and every two years thereafter for the next 20 years.
Although 1Health.io agreed to settle the case, it disagreed with many of the FTC's findings. "The Vitagene application was developed at the beginning of 2016. In 2016 a contract test engineer was employed to test the application remotely. The contract test engineer stored some client data records in an open Amazon S3 bucket, which did not comply with the security guidelines of the company. A white-hat hacker discovered these files in 2019 and reported them to Vitagene. About 3,754 total files in the S3 bucket were exposed to the public. After its internal investigation, it could see that under 3,000 clients from 2016 to 2017 had their data potentially exposed to the public. There was no record of such a compromise, even though the files were not secured and could have been accessed. All customers were notified and given free identity protection for one year. No consumer complaint has been received from this occurrence in the last 6 years."
1Health.io also remarked that the FTC investigated the case for 5 years before imposing a $75,000 penalty on a startup with fewer than 20 employees, while data breaches at clinical laboratory networks such as Quest Diagnostics and LabCorp have not been penalized, even though those breaches resulted from security failures that compromised the sensitive information of millions of people.