HIPAA Enforcement

By Kim S. Nash

Providence Health & Services lost information on 365,000 patients—after 10 backup tapes and disks were stolen from the back of an employee's minivan. Now, 12 months and $7 million later, the health-care provider remains mired in the aftermath. Here's


HIPAA Enforcement: A Wrist Slap

When someone suffers credit card fraud, he or she can seek recourse through the Fair Credit Reporting Act, which provides safeguards such as the right to demand correction of his or her credit records.

Victims of medical theft aren't so lucky. Patient data is supposed to be protected by the Health Insurance Portability and Accountability Act (HIPAA), which regulates patient privacy and security all along the health-care chain, from a paper file sitting on a doctor's desk to a computerized medical records database. But violators of HIPAA have little to fear. Since the privacy rules went into effect in April 2003, there have been four prosecutions and no fines. A survey this summer by the Healthcare Information and Management Systems Society reports that 22% of health-care providers remain out of compliance with HIPAA privacy, and 44% with HIPAA security.

HIPAA is "pretty much a no-enforcement system," says Peter Swire, a law professor at Ohio State University and the White House coordinator for the HIPAA privacy rules during the Clinton administration. "Imagine some other area of law you care about and 20,000 at-bats and zero hits," he says, comparing the number of complaints—more than 23,000—with the number of fines.

Confidential medical information has become so available that in the last 10 months, patient records, documents on insurance benefits and passwords to medical server systems have turned up online, according to Howard Schmidt, a former cybersecurity adviser to the Bush White House who now runs a consulting company, R&H Security Consulting. He says targeted searches for keywords such as "hospital records" and "medical passwords," as well as for other sensitive information, are being conducted over peer-to-peer networks, which people use to share music and videos and sometimes, by accident or malicious action, their entire hard drives. Both medical and financial information are being aggregated and sold online, he says, although he doesn't know how buyers use the underground information.

In the Providence case, the patients' lawyers say they are right to feel afraid. In failing to protect their data, Providence violated the privacy of the doctor-patient relationship, a rule established in common law that goes back hundreds of years, said plaintiff attorney David Sugerman at the hearing last month. "Given the egregiousness of their handling of confidential patient information and the widespread impact of their conduct, you could argue it was reckless and even intentional," he told Judge Litzenberger.

In February, after Providence conducted an internal review of the theft, it issued a press release announcing that "four employees have left employment with Providence Health System." Spokesman Gary Walker won't name the employees or explain why they are gone. But Steve Shields, the systems analyst who took the disks and tapes home and later reported them stolen, says he is one of them. Reached at his home, Shields says he was fired but can't discuss his case right now. "There's a lot about Providence that hasn't come out yet," he says.

Many of the details of what happened at Providence are under seal in documents at the courthouse. However, O'Brien maintains that the Oregon region's Home and Community Services unit, where the backup disks and tapes were made and where Shields worked, ran "a rogue I.T. department," where some practices, like taking backup data home, violated Providence's corporate policies. And on that December night, one Home and Community Services employee left those backups, with their unencrypted private data, vulnerable.

Now so are 365,000 of Providence's customers. Now so is Providence.

Organizations like Providence that lose sensitive data can never really know when their liability or the damage to their reputations will end, since identity theft and related crimes may be committed months or years after the data went missing. Kroll's Allen says new issues have been popping up at one of Kroll's breached clients for five years. Either creditors have failed to correct the victims' records, or the stolen data keeps getting resold and reused.

"Once your information is out there, you can't get it back, unless you're really, really lucky and someone gets arrested," he says. He believes the "vast majority" of data breaches, which are mostly thefts or breaches of policy like the one at Providence, aren't reported because companies are still learning to recognize and track them: "Only in the last couple of years has a lost or stolen laptop been considered a breach."

Without a handbook to deal with data-breach problems, technology managers must learn from each other. And there are a number of cases to learn from. At least 184 companies have reported exposing customer information in the past year, when their computers, disks or tapes got stolen or lost or their internal systems got hacked, according to the Privacy Rights Clearinghouse, a consumer advocacy group in San Diego that tracks data breaches. Fifty-five of those were U.S. health-care organizations, up from 11 in 2005.

"There's a myth that companies know what's happening to their data," says Alan Paller, director of The SANS Institute, a security researcher in Bethesda, Md. "You can't stop the data from getting out. You just can't."

Fraud scams, hacking, carelessness, and weak privacy and security protection have compromised patient data across the country.

As an example, at a Cleveland Clinic facility in Weston, Fla., federal prosecutors allege that a receptionist, Isis Machado, printed data on 1,100 patients and gave it to her cousin, Fernando Ferrer Jr., who provided it to others who fraudulently billed Medicare for $2.8 million this year and last. The cousins were indicted in September for conspiracy, computer fraud and violating HIPAA, among other crimes. They pleaded not guilty and await trial.

At Medco Health Solutions, the $38 billion prescription drug benefits manager in Franklin Lakes, N.J., the Social Security numbers, birth dates and prescription records of 4,600 Ohio state workers were compromised last December. Ohio's Department of Administrative Services announced in February that the data, unencrypted, was on a laptop stolen from a Medco employee's house.

In what may be the biggest patient-data breach to date, various offices of the U.S. Department of Veterans Affairs in the past year reported four separate laptop thefts, as well as the loss of a backup tape, a disk drive and three compact discs. The VA says no full electronic health files were lost, but these incidents have jeopardized private information, including disability ratings and insurance claim data, on more than 28 million military veterans and active-duty personnel. The VA has since spent $3.7 million to hire a consulting firm to encrypt all of its computers. Two laptops and the drive resurfaced, and the VA says tests by the Federal Bureau of Investigation show the data on them wasn't accessed.

Providence's disks and tapes, however, are still out there. They could be in a dumpster or at the bottom of the Columbia or Willamette rivers, which flow a few miles from O'Brien's office. They could have been offered for sale on the information black market, which happened to Sentry Insurance this year. The company announced in July that a contractor working for it in Stevens Point, Wis., was indicted for, among other data-theft crimes, trying to sell the private data of 36,000 Sentry customers to an undercover U.S. Secret Service agent for $25,000.

"I've not seen anyone brazen enough to offer medical information online to the highest bidder, although I'm sure we're not far from that," says Karen Spangenberg, chief of financial crimes at FBI headquarters in Washington, D.C. "We believe that on the horizon there's a crime wave of health-care fraud, identity theft and cybercrime."


This article was originally published on 2006-12-06
Senior Writer
Kim has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.
