Another month, another HIPAA breach. On October 2, 2013, UnityPoint Health, a large network of hospitals and clinics in Iowa and Illinois, announced that it had discovered a breach of its electronic medical records system and alerted the FBI. The breach, in which a contractor gained access to the system over the course of several months by using colleagues’ passwords, may have put at risk personal information of approximately 1,800 patients (including names, dates of birth, treatment information, insurance account numbers, and, for certain patients, Social Security and drivers license numbers). While there are always many lessons from such incidents, two lessons are especially notable.
First, the vulnerability of electronic medical records is apparent. The use of false login information/credentials, as was the case in this and other recent incidents, can allow a single individual (in this case, a contractor employed by a third party) to gain access to a multitude of medical records inside an electronic system, such as the 1,800 records in this case. This increases the potential harm associated with a breach as well as the likelihood of triggering HIPAA’s requirement to notify the federal government and the media in the event of a breach of unsecured protected health information involving more than 500 residents of a state or jurisdiction.
Second, UnityPoint Health discovered its breach in the course of a routine internal audit, in which it detected a pattern of unusual access to patient data. UnityPoint Health was then able to identify the individual involved, gain information about the access obtained, and take measures to limit further unauthorized access and other responsive actions, including resetting passwords, notifying patients, the government, and the media, setting up a call center, offering credit monitoring services, and training personnel on safeguarding their passwords. Were it not for the audit conducted, the number of improperly accessed records may have climbed to even higher levels. This experience demonstrates that routine internal audits are an important measure for entities subject to HIPAA to identify and control breaches that may occur.
For additional information about HIPAA enforcement topics, see Cooley’s HIPAA Privacy and Security Enforcement Tracking Chart, as described in this blog post.