Sometimes, data security compliance is a tough business not because of what you do or do not do, but because of what others do or do not do. For example, business associates (BAs) to HIPAA-covered entities can be something of a nightmare. Just ask Saint Barnabas Health Care System: they just reported another data breach because HIPAA encryption was lacking on an external hard disk drive.
MedAssets, Inc. Loses External HDD
According to the public announcement by Saint Barnabas, a business associate (MedAssets) that provides revenue management and supply chain services lost an external drive on July 1, 2011. The data storage device was stolen from an employee’s car, and the loss affects 82,000 patients at six hospitals. Encryption software was not used on the drive.
Information included (barnabashealth.org):
Medical Center account number, medical record number, date of birth, Medical Center charges incurred, amounts paid to the Medical Center, information on health insurance, eligibility for applicable governmental benefit programs and/or Medical Center admission and discharge dates. Social security numbers were included for about seven percent of the affected patients. The hard drive did not include any patient addresses, other financial information, or any clinical information regarding the patient’s care.
According to phiprivacy.net, the six hospitals that were affected were:
Clara Maass Medical Center (8,795 patients)
Community Medical Center (6,950 patients)
Kimball Medical Center (6,785 patients)
Monmouth Medical Center (6,443 patients)
Newark Beth Israel Medical Center (15,015 patients)
Saint Barnabas Medical Center (6,179 patients)
Saint Barnabas goes on to mention that MedAssets has promised to eliminate the use of unencrypted external drives for backup purposes. Seeing how that particular promise is so specific, it appears that the above case involved…an unencrypted external drive that was used for backup purposes.
It is seriously mindboggling how some people don’t put their thinking caps on. Let us assume that MedAssets, as a BA, already had a policy of encrypting any and all laptops that carry sensitive data (which they should have; that’s the HIPAA recommendation, as far as I can tell). Let us also assume that the BA was able to enforce this successfully. Why the heck would they leave external storage devices — whether used for backup purposes or anything else — out of the equation?
While I’ll take a promise to encrypt external HDDs, any day, over doing nothing at all, this really shouldn’t be a promise that needs to be made.
Also, I have to wonder whether this happened because of an oversight on Saint Barnabas’s part. HIPAA and HITECH take a top-down approach: because any PHI data breach on the part of a BA (MedAssets, for example) becomes the responsibility of the HIPAA covered entity (Saint Barnabas, for example), the expectation is that covered entities will hammer out an agreement in which the BAs promise to properly protect patient data.
So what went wrong here?