Not exactly one of the more unusual HIPAA breaches I’ve come across, but one that makes me question, once more, whether forgoing HIPAA encryption like AlertBoot is a wise move: the OCR may decide that there wasn’t a breach of HIPAA, but is it really worth going through the process?
According to phiprivacy.net, ENT Partners of Texas sent a HIPAA breach notification letter to 789 patients because burglars made off with two laptops containing PHI (protected health information): names, audiology tests, and possibly dates of birth, as well as CT scans and the healthcare information associated with them (the two laptops were used for different purposes).
All in all, it’s not information so private that people would line up to sue; on the other hand, I’ve noted in the past that such information could be used indirectly to perpetrate fraud if someone set his or her mind to it. For example, one could call up people, claim to be a hospital rep, and note that something was wrong with the insurance form for their audiology test from a particular date. That’s already three things that match up (location, date, and “ailment”), and it is an important first step in establishing trust. What happens after that to con people is up to one’s imagination.
How the HHS’s Office for Civil Rights – which is charged with investigating HIPAA breaches – decides to treat this data breach is up to them. I’d probably give them a pass because the burglars had to break “through a locked metal exterior door and a locked interior office” (this is a far cry from a car being broken into) and the data is not as sensitive as it could have been. Of course, an investigation could reveal that there are significant data security problems at ENT Partners of Texas, but so far, it doesn’t sound like it.
Post-Breach Cleanup Technology
Plus, consider that ENT Partners of Texas contacted their IT provider who changed all the passwords and “if the laptops connect to the internet, [they] may be able to erase the data.” A covered entity that hasn’t thought about the Security Rule wouldn’t have such contingency plans in place to begin with.
These post-breach data security solutions depend on an internet connection to work, though. But that’s not even their biggest disadvantage, in my opinion. The biggest problem with these solutions is that, from a HIPAA point of view, the breached entity (ENT Partners in this case) gains no advantage from them.
Unlike encryption software, changing passwords and remote deletion do not give a HIPAA covered entity safe harbor from reporting the breach to the media, affected patients, and the HHS/OCR. This means that the OCR will investigate the matter; the media will be alerted, possibly affecting the entity’s standing in its community; and patients may, rightly or wrongly, decide to take legal action. They’d probably lose, but attorney services don’t come for free.
A whole lot of expenses, time, and headaches would have been avoided from the outset had full disk encryption been used. It’s not a silver bullet, of course. But when you consider that it can cost as little as $79 per year, I can’t see why anyone would object to its use.