Last week, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

According to OCR, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. The health system also failed to regularly review records of information system activity for its applications that maintain electronic PHI and which are accessed by workforce users and users at affiliated physician practices. To make matters worse, the health system failed to review the audit information despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
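The two controls OCR faulted here, a working access-termination procedure and regular review of information system activity, can be checked against each other mechanically. The following is an added illustration, not code from the post, from OCR or from MHS: it cross-references a constructed HR termination feed with constructed application audit log lines and reports any activity by an account after its owner's separation date, which is exactly the pattern the settlement describes going unnoticed for a year. Log format, user ids and dates are all invented for the example.

```python
"""Flag post-termination account activity in an application audit log (constructed example)."""
from datetime import date

# Constructed HR/credentialing feed: user id -> last day the workforce member
# (employee or affiliated physician office staff) was authorized. Hypothetical data.
TERMINATIONS = {
    "jdoe": date(2011, 3, 31),
    "asmith": date(2012, 6, 15),
}

# Constructed audit log lines in the form "<YYYY-MM-DD> <user> <event>".
AUDIT_LOG = """\
2011-04-01 jdoe LOGIN_OK
2011-04-02 jdoe RECORD_VIEW
2011-04-02 bjones LOGIN_OK
2012-06-14 asmith LOGIN_OK
2012-06-16 asmith LOGIN_OK
"""


def parse_log(text):
    """Parse the constructed log format into (date, user, event) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, event = line.split()
        events.append((date.fromisoformat(day), user, event))
    return events


def post_termination_activity(events, terminations):
    """Return (user, date, event) for every event dated after the user's termination date.

    Users absent from the termination feed are assumed to still be authorized and are
    not reported; activity on the termination date itself is treated as authorized.
    """
    findings = []
    for day, user, event in events:
        term = terminations.get(user)
        if term is not None and day > term:
            findings.append((user, day, event))
    return findings


def accounts_still_active(events, terminations):
    """Sorted user ids whose access should have been terminated but who still show activity."""
    return sorted({user for user, _, _ in post_termination_activity(events, terminations)})


def exposure_days(events, terminations):
    """Per user, the number of distinct days with activity after termination.

    This is the figure a reviewer would want when scoping an incident: how long the
    gap between separation and deprovisioning went unnoticed.
    """
    days = {}
    for user, day, _ in post_termination_activity(events, terminations):
        days.setdefault(user, set()).add(day)
    return {user: len(seen) for user, seen in days.items()}


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for user, day, event in post_termination_activity(evs, TERMINATIONS):
        print(f"POST-TERMINATION ACTIVITY: {user} {day} {event}")
    print("accounts needing deprovisioning:", accounts_still_active(evs, TERMINATIONS))
    print("distinct days of exposure:", exposure_days(evs, TERMINATIONS))
```

Run on a schedule against the real termination feed and the real audit export, an empty result from `post_termination_activity` is the evidence that both the deprovisioning procedure and the log review actually happened; a non-empty result is a finding to investigate and a deprovisioning task, not merely a log entry.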

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

While hacking incidents typically garner more media coverage, this case highlights the increasing threat posed by those inside a HIPAA-regulated organization. According to a Protenus report, nearly 60% of the breaches that occurred this past January involved insiders. Organizations would be well-served by reviewing recent OCR guidance on the importance of audit controls.

Originally posted in Mintz Levin’s Health Law Policy Matters

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation.  Jonathan and Paul discussed how distinguishing the insider threat differs from the techniques used to identify and stop hackers, creating an environment that deters insiders from stealing data, and the legal remedies – both civil and criminal – that are available to recover stolen data and compensate for its loss.   Nearly 100 participants joined us for this webinar.

For those who missed the webinar, some of the key takeaways include the following:

  • Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company’s finances and future.  They target customer data, intellectual property, future business plans and embarrassing skeletons.
  • Insiders are not hackers, and traditional technology-based barriers against outside hackers don’t stop them, because the insider is entitled to be in the network and has authorized access to the data.
  • Detecting insiders is an ongoing exercise of analyzing the data of nominally equivalent employees and identifying anomalous conduct.
  • Deterring insiders through social engineering is easier and more productive than trying to identify an attacker after the fact.  Where employees are aware that indicators of insider attacks are being watched, there is less likelihood that attacks will occur.
  • The Computer Fraud and Abuse Act (CFAA), which is the most commonly employed federal statute to redress insider attacks, has inconsistent interpretations throughout the federal courts, and its effectiveness varies.  State computer abuse, trade secrets, and breach of fiduciary duty laws continue to provide suitable remedies, both civil and criminal.
  • Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.

For a recording of the webinar, click here.

The next webinar — the fourth in our Mintz Levin Privacy Series —  EU Data Protection for US Companies, will discuss the issues faced by US companies who do business in Europe or simply interact with European customers.  We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply.  We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016.  The webinar will be presented by Susan Foster, a member in our London office, who is qualified as a solicitor in England & Wales as well as an attorney in California.

Sign up here to attend.


“Responding to Insider Data Theft & Disclosure”

Morgan Stanley

AT&T

Vodafone

What do these companies have in common?  They were all victims of insider data theft. 

The third presentation in our popular Wednesday Webinar series is coming up on Wednesday, March 25th.   Our presenters, Jonathan Cain and Paul Pelletier,  will offer practical advice about responding to data theft and disclosure by employees and former employees.  They will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement.

Join us Wednesday, March 25 at 1:00 pm ET/10:00 am PT.  Register here.

MCLE credit is available in New York and California.