Disk Encryption: Not Using It Resulted In Bankruptcy For Impairment Resources, A HIPAA-Covered SMB?
Perhaps the following story is the much-needed cautionary tale for SMBs operating under HIPAA / HITECH. According to wsj.com, the website of The Wall Street Journal, Impairment Resources, LLC has filed for bankruptcy as a direct result of a HIPAA breach. It looks like data encryption software such as AlertBoot would have prevented the eventual Chapter 7 bankruptcy, a process in which company assets are liquidated.
Details – 14,000 Affected
How Do I Know HIPAA Is In Play In This Instance?
Bankruptcy Proceedings a Direct Result of HIPAA Breach
The sad part of the story is that, per Impairment Resources’ own site, they had set up extensive data protection and encryption measures. They overlooked the most basic, and hence one of the most important, details of data security: encrypt your patient data at rest.
Details – 14,000 Affected
I first ran across the story at phiprivacy.net, where Dissent mused whether “this [is] a case where a lack of strong encryption was ultimately responsible for a business’s failure.”
And muse is all that one can do, seeing how the details are meager. I did find a site where you can get the actual court documents, but it’s behind a pay-wall (admittedly, at 8 cents a page, it’s a steal; my college library charged 10 cents for photocopies, and that was over ten years ago. But, (a) I don’t know how many pages are involved and (b) I’m leery of giving my credit card details because it looks like they will be stored indefinitely despite this being a “one-time purchase.”)
The bankruptcy documents would help, since the wsj.com story offers few specific details. But there is plenty to be learned if you’re lucky and you know where to look.
According to breach notification letters filed with the New Hampshire and Vermont Attorneys General, there was a data breach on December 31, 2011 at Impairment Resources’ San Diego office. A thief or thieves broke into a locked area and stole several items, one of them being computer hardware used to back up Impairment Resources’ systems. It’s not specified what this “hardware” is: an external hard drive? A computer (i.e., an independent server)? Backup tapes?
The sample patient notification letters filed with the AGs state that “it will be difficult for the parties involved in the theft to obtain data from the hardware without specialized knowledge of information technology systems.”
I cannot tell whether this alludes to the use of encryption software, but based on the fact that the company had to notify 14,000 people, I’d deem it unlikely. After all, the process and eventual consequences of notifying 14,000 people of a data breach cannot be cheap, and, under HIPAA / HITECH, an entity has safe harbor from sending data breach notifications if the data is encrypted. Note the fine print of that safe harbor: per the HHS guidance, the encryption has to be consistent with NIST recommendations (NIST SP 800-111 for data at rest), and the key must not have been compromised along with the data. A backup drive with its decryption key stored on the same device, or in the same stolen box, does not qualify.
How Do I Know HIPAA Is In Play In This Instance?
I’ve looked up the breach at the hhs.gov “Wall of Shame” but it’s not up there yet. This is probably due to the newness of the incident: the AGs were only alerted in late February. I assume that the Department of Health and Human Services was notified around the same time, and it’s common knowledge that the WoS is not updated in real time.
Despite this “lack of evidence,” I know that HIPAA applies to the situation because of a couple of things. For starters, medical diagnoses, names, and SSNs were breached. The medical data strongly suggests HIPAA governance.
Second, I looked up the Impairment Resources website. Currently, it only has a notice alerting visitors of the bankruptcy proceedings. But, the “WayBack Machine” has a cache of the site as it used to be, and there is an entire page devoted to HIPAA and HIPAA compliance. The page goes as far as describing how Impairment Resources secures data, which is quite unusual. Such information is rarely public-facing.
In accordance with HIPAA, we have established the following measures:
All Impairment Resources, LLC related files and directories are network and user password protected with controlled rights as determined by the administrator of the computer network.
All client related documents are sent to and from computers using SSL 128-bit encryption in addition to further encryption/decryption measures on our site.
Hard copies of documents related to the client/examinee are disposed of using a shredder.
The computer networks are completely firewall protected with SSL encryption and all persons who have access to any sensitive information have the appropriate clearances and have signed confidentiality agreements.
Our network has active security, monitored 24 hours a day, 7 days a week with automated and real time network protection including the use of time tested leading security products (such as virus protection.) [impairment.com via archive.org]
Did you notice how it mentioned strong encryption for data at rest? Neither did I. The people at Impairment Resources thought of vigorously protecting themselves against hackers, but failed to do the same for one of the most prosaic crimes: a break-in. If it weren’t for the fact that it led to the demise of a business and 14,000 people being unnecessarily burdened, it’d be comical.
I don’t know how much thought went into designing Impairment Resources’ data security, but I wonder if they would have left out disk encryption had they been aware that the theft and loss of storage media and portable devices accounted for over half of the breaches reported to HHS at the time. Firewalls, SSL, and antivirus do nothing for a backup drive that walks out the door in a burglar’s bag; only encryption at rest, with the key kept somewhere the thief cannot reach, turns that theft into a non-event.
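To make the point about encryption at rest and the safe-harbor fine print concrete, here is an added example (not code from the original post, nor anything from Impairment Resources or AlertBoot). It models the San Diego break-in as “the thief gets every byte on the device and nothing else,” and runs that model against three backup devices: a plaintext backup, an encrypted backup with its key file stored alongside it, and an encrypted backup whose key lives off-device. The patient rows, file names, and backup identifier are constructed for the example; the encryption is AES-256-GCM from the `cryptography` package, and `safe_harbor_plausible` encodes only the two conditions discussed above (data encrypted, key not on the device), not a full legal test.

```python
"""Does theft of the backup hardware expose PHI?  Added example; fictional data.

Assumptions: a backup device is modelled as {filename: bytes | encrypted_blob};
keys are 256-bit AES-GCM keys; a file ending in ".key" is key material that
should never have been on the device in the first place.
"""
import hashlib
import os
import re

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample backup: a few fictional patient rows, not real PHI.
SAMPLE_BACKUP = b"\n".join([
    b"id,name,ssn,diagnosis",
    b"1,Alice Example,123-45-6789,M54.5",
    b"2,Bob Sample,987-65-4321,G43.909",
])

# What a thief would grep for first: anything that looks like an SSN.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def new_key() -> bytes:
    """Fresh 256-bit key; in practice this comes from a key server or HSM."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_backup(plaintext: bytes, key: bytes, backup_id: str) -> dict:
    """AES-256-GCM encrypt one backup image.

    A fresh 96-bit nonce is used per image, and the backup_id is bound as
    associated data so one image cannot be silently swapped for another.
    Only a hash-derived key identifier is stored with the ciphertext, so the
    restore job can ask the key server for the right key without the key
    itself ever touching the backup media.
    """
    if len(key) != 32:
        raise ValueError("expected a 256-bit key")
    nonce = os.urandom(12)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, backup_id.encode())
    return {
        "backup_id": backup_id,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "key_id": hashlib.sha256(key).hexdigest()[:16],
    }


def decrypt_backup(blob: dict, key: bytes) -> bytes:
    """Decrypt and authenticate; raises InvalidTag on wrong key or tampering."""
    return AESGCM(key).decrypt(blob["nonce"], blob["ciphertext"],
                               blob["backup_id"].encode())


def phi_recoverable_by_thief(stolen_device: dict) -> list:
    """SSNs a thief can read using only what is on the stolen device.

    Raw files are simply searched.  Encrypted blobs are tried against every
    key file found on the same device, which is exactly the mistake that
    voids the safe harbor.
    """
    found = set()
    keys_on_device = [v for n, v in stolen_device.items() if n.endswith(".key")]
    for name, content in stolen_device.items():
        if isinstance(content, dict):          # encrypted blob
            for key in keys_on_device:
                try:
                    found.update(SSN_RE.findall(decrypt_backup(content, key)))
                except InvalidTag:
                    pass                       # wrong key, nothing learned
        else:                                  # plaintext bytes
            found.update(SSN_RE.findall(content))
    return sorted(found)


def safe_harbor_plausible(stolen_device: dict) -> bool:
    """Both conditions from the post: every backup encrypted, no key on device."""
    no_key_material = not any(n.endswith(".key") for n in stolen_device)
    all_encrypted = all(isinstance(v, dict) for n, v in stolen_device.items()
                        if not n.endswith(".key"))
    return all_encrypted and no_key_material


def scenarios() -> dict:
    """Three versions of the stolen backup device (constructed)."""
    key = new_key()
    blob = encrypt_backup(SAMPLE_BACKUP, key, "backup-2011-12-30")
    return {
        "plaintext_backup": {"backup.csv": SAMPLE_BACKUP},
        "encrypted_key_on_device": {"backup.bin": blob, "backup.key": key},
        "encrypted_key_offsite": {"backup.bin": blob},
    }


if __name__ == "__main__":
    for name, device in scenarios().items():
        print(f"{name}: thief reads {phi_recoverable_by_thief(device)}, "
              f"safe harbor plausible: {safe_harbor_plausible(device)}")
```

Run stand-alone, the first two scenarios hand the thief both SSNs and the third hands over nothing; only the third passes `safe_harbor_plausible`. The middle case is the one worth remembering: full-disk or file encryption with the passphrase on a sticky note, or a key file next to the image, buys no safe harbor and no reduction in the 14,000 letters.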
Bankruptcy Proceedings a Direct Result of HIPAA Breach
According to wsj.com, Impairment Resources decided to fold because “the cost of dealing with the breach was prohibitive.” Approximately 14,000 people were affected, as noted earlier. This pales in comparison to the largest HIPAA breach on file (TRICARE, 4.9 million affected).
However, a quick search shows that Impairment Resources was a company with fifteen employees or fewer. Whatever the actual employee figures may be, it was undoubtedly a small company. For a small company, dealing with a situation involving 14,000 people means financial hardship. Many figures are tossed around, but my understanding is that $100 per person is at the lower end of the cost associated with a data breach.
That means Impairment Resources saw costs of over $1 million associated with this breach. Assuming the cost can be mitigated to 10% of the above, the company still has to shell out over $100,000 in expenses, which would put most small companies out of business overnight.
Plus, Impairment Resources claims that it might have to mount a defense because it “faced the threat of even more debt with customers and individuals threatening to sue it over the privacy breach.”
Data breaches are not pretty. It behooves small companies that fall under the HIPAA / HITECH umbrella to ensure that their PHI is encrypted at rest, backup media and portable devices included, for their own sake as well as the sake of their patients.