Healthcare News & Insights

Lessons learned from 3 recent HIPAA breaches

Many organizations don’t realize they’re making dangerous IT security mistakes until it’s too late. Here are three recent data breaches that hospitals should learn from:

Skipped risk assessments

Many hospitals don’t fully understand their requirements under HIPAA, according to a recent analysis of audits performed by the U.S. Department of Health and Human Services (HHS). One of the regulations they have the most trouble following is the requirement to conduct a regular assessment of their own security and privacy risks.

The failure to do that got one hospital in trouble recently. Idaho State University has agreed to pay $400,000 to settle allegations of HIPAA violations stemming from a data breach at its Pocatello Family Medical Clinic.

After information about 17,500 patients was breached, HHS investigated and discovered that the clinic had failed to conduct a risk assessment at any point from 2007 until a year after the breach occurred. Had the assessment been conducted, the hospital likely would have discovered that one of its firewalls had been disabled, which officials said was responsible for the breach.

Failed to take care while sending records

Any time sensitive patient information is moved, whether it’s electronic or in hard copy, hospital employees need to take extra care that it’s being sent to the right place. Failing to do so caused problems recently after a hospital faxed a patient’s records to the wrong number, and now another organization is in trouble for a similar mistake involving email.

This time, Dent Neurological Institute in Buffalo, NY, inadvertently sent a spreadsheet with information about 10,200 patients to a group of 200 unauthorized people. According to the hospital, an employee accidentally attached the file to a routine email that was being sent to patients.

Misplaced USB drive

A common theme among many recent healthcare data breaches: The threat of patient information falling into the wrong hands because of a lost or stolen computing device that was carried around by a doctor or other employee.

In the latest example, the University of Rochester Medical Center has notified patients of a potential breach after a doctor lost a USB flash drive, most likely when he took his clothes to the laundry. The drive contained patients’ names, date of birth, weight, telephone number, diagnosis and other sensitive information.

Fortunately, the hospital said, the drive was most likely destroyed in the laundry, but the incident shows why hospitals should make sure all information is encrypted when it’s carried on portable storage devices.
