Northwestern Memorial HealthCare (NHMC) – which counts as affiliates Northwestern Lake Forest Hospital, Northwestern Memorial Hospital, and Northwestern Medical Group – notified approximately 2,800 people of a data breach. A laptop computer that was not protected with HIPAA-strength encryption was stolen from an employee’s vehicle. According to chicagotribune.com, the hospital group took more than 2 months to notify patients, which puts them in breach of the HIPAA/HITECH Breach Notification Rule.
Based on the description of which hospitals comprise the Northwestern Memorial Healthcare group, it sounds like we’re talking of an extensive organization. A big medical organization that cannot afford to be found lax when it comes to patient data security… and a look at their 2014 financials confirms it: with over $700 million total current assets (and $5 billion in total assets), it’s kind of hard to think of NHMC as a mom-and-pop store.
Which is why the words “password protected” really shouldn’t be keywords that pop out when an article is being written about this medical covered-entity’s data security practices. Granted, password protection has its uses – but not when it comes to stolen or lost laptops with PHI. To begin with, getting past password protection is easier than you think (and easier to find on the internet than you think).
Second, password protection does not afford legal protections (again, probably because it doesn’t offer real, physical protection) that can be very beneficial for an organization that is constantly facing the risk of a lawsuit, which is an oft-discussed professional hazard in the medical field. At least in the US.
Last but not least, and an extension of the above, it can also lead to regulatory bodies to spring into action.
Obviously, password-protection is not something you want to boast about. “Yet unencrypted” was this lost laptop, according to chicagotribune.com. Not good, when you consider that,
the computer contained patients’ names, addresses, dates of birth, health insurance information, billing codes, date of services, physician’s names, medical record numbers, diagnosis, treatment information and, “in select limited instances,” social security numbers
60 Calendar Days
Another point the venerated newspaper brought to light is that “hospital officials waited nearly two months to release information about the breach”…although in the “sharelines” section at the top of the article, it is noted that “Hospital group waited more than 2 months to notify patients about stolen computer containing private data” (my emphasis).
Which one is it? My own calculation shows that it’s the former, that it took less than 60 days. But I’d have been willing to bet that this was the case even without bothering to make a calculation. Why?
Because HIPAA/HITECH regulations specify that data breach notifications must be made within 60 calendar days of the breach’s discovery (there are a handful of exceptions). Otherwise, you have another breach of HIPAA – the loss of sensitive data plus the non-notification to the patients. And as case studies over the last four years show, you don’t want to be in a position where you’re breaking HIPAA laws left and right.
And a $5 billion concern knows this – and has lawyers to remind them of the fact.
Borderless Encryption Management
Chances are that the covered-entity’s policies require crypto-safety, either because it’s a laptop that regularly stores PHI or because it is a laptop, period. So, considering the above, how is it that this particular laptop was not encrypted?
It could be that IT is decentralized among the three hospitals, meaning that problems arise with personnel transfers; reusing, retiring, and recycling inventory; etc. Or perhaps IT is centralized, and the logistics of keeping track of everything is close to impossible. Or perhaps this was a personal computer belonging to the employee. Your guess is as good as mine.
Chances are we will find out a couple of years from now, when the HHS/OCR finishes their study into the situation.
Related Articles and Sites: