The loss of seven CDs means a medical data breach for over 130,000 people who’ve visited Lincoln Medical and Mental Health Center in New York. The CDs were not protected using disk encryption software, a terrible move, since this seems to qualify as a HIPAA breach.
Biller Causes Problems
The information that was breached, sometime between March 16 and March 24, included protected health information as well as personal information:
“…name, address, social security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly a driver’s license number if provided.” [computerworld.com]
Lincoln, as the “owner” of the data, was responsible for ensuring the safety of the data, and hence the notification letters on their letterhead. In reality, the breach was set off by Siemens Medical Solutions USA (Siemens), the billing and claims processor for Lincoln.
It was Siemens that had shipped the seven CDs (although one would have been enough: these were “seven duplicate compact disks,” so I assume that the contents of all seven were the same). When they shipped the CDs to Lincoln, Siemens opted for password protection rather than something more secure like managed data encryption.
Which is unbelievable. As a medical billing company (their name is Siemens Medical Solutions USA, and they were working as a claims processor), they must have known that they needed to comply with HIPAA regulations, since they are a HIPAA-covered entity.
While HIPAA has never required encryption (the latest HITECH updates to HIPAA still don’t make encryption a requirement), it does require covered entities to consider encryption first and to set it aside only if other adequate security measures are in place.
Last time I checked, a FedEx envelope doesn’t come with such security measures. So what’s Siemens doing sending this stuff without the proper protection in place?
Both Parties Foster A Weak Security Environment
I’m assuming that sending the information in unencrypted format was not a one-time mistake because that would be one heck of a coincidence: CDs are lost the one time someone sends unencrypted PHI? No way.
The more probable situation is that Siemens always sent these weekly shipments to Lincoln in an unencrypted form. Which means the blame for the breach falls squarely on both, since Lincoln had a chance, on a weekly basis, to request the information be sent the right way. Right?
Maybe. The problem with password protection is that, in many cases, it looks exactly like encryption to the end user: there’s a password prompt. In other words, the people who received the CDs couldn’t be blamed for not realizing that they were dealing with unencrypted patient information.
A Better Method of Communicating
Lincoln’s notification letter ends noting that they’ve stopped the transportation of CDs from Siemens, and that they’re looking into a “more secure manner” to receive the information.
If there are any significant holes in their process, well, go ahead and update it. But if there aren’t (apart from sending unencrypted PHI, I mean), significant changes may actually introduce new weaknesses.
I might be a little biased in what I’m suggesting here, but why not just use encryption before burning the information onto the CDs? It keeps the billing process identical to what they had before. You just need to have someone at Siemens use an encryption package like AlertBoot instead of whatever they’re using now to create password-secured CDs.
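The point made above, that a password prompt tells the recipient nothing about whether the bytes on the disc are actually encrypted, is something the receiving side can check for itself before accepting a shipment. The following is an added example, not code from the original post, from Siemens or from AlertBoot; the entropy thresholds, the PHI column markers and the sample export records are all constructed assumptions.

```python
"""Check whether a file bound for (or arriving on) a CD is actually ciphertext.

Added example: a password prompt says nothing about the bytes on disk, so
this helper inspects the bytes themselves. Thresholds and sample records
are assumptions/constructed, not taken from the incident described.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, well under 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_encrypted(data: bytes, min_entropy: float = 7.5, max_printable: float = 0.9) -> bool:
    """Heuristic (assumed thresholds): ciphertext has near-maximal entropy and no readable structure."""
    return shannon_entropy(data) >= min_entropy and printable_ratio(data) < max_printable


def shipment_check(data: bytes, phi_markers=(b"SSN", b"Medical Record", b"Patient")) -> str:
    """Classify a shipment file as 'encrypted', 'plaintext-phi' or 'suspicious'.

    The marker strings are constructed examples of column headers a billing
    export might carry in the clear; tune them to your own export format.
    """
    if looks_encrypted(data):
        return "encrypted"
    if any(marker in data for marker in phi_markers):
        return "plaintext-phi"
    return "suspicious"


# Constructed sample: what a merely "password-protected" export can look like on disk.
PLAINTEXT_EXPORT = (b"Patient,SSN,Medical Record Number,Admitted,Discharged\n"
                    b"JANE DOE,000-00-0000,MRN-EXAMPLE,2010-03-16,2010-03-24\n") * 20

# Constructed, deterministic stand-in for ciphertext (hash-derived pseudo-random bytes).
CIPHERTEXT_STANDIN = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(128))
```

A file that yields "plaintext-phi" or "suspicious" should never be burned or accepted as a secure shipment, whatever prompt the viewer software shows.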