Cybersecurity and HIPAA
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
In the Meadow, our residents occasionally have health issues. When we do, naturally we make the doctor’s appointment. It appears that a medical business in Florida has had a recent issue with HIPAA. Advanced Care Hospitalists (ACH) was founded in 2005 and is located in Lakeland, FL. The business operates as a physician contractor group, providing internal medicine doctors to hospitals and nursing homes in West Florida. ACH provides services to over 20,000 patients annually and employed 39-46 persons during the affected time frame. Clearly, the business handles patient medical records and has to comply with HIPAA.
Issue
From November 2011 to June 2012, ACH obtained billing services from an individual. This person claimed to be a representative of Doctor’s First Choice Billings, Inc., a medical billing services provider that also happened to be located in Florida. By all appearances, the person was involved with First Choice, and used the business name and website. The problem is that First Choice was not aware of the person and had not authorized the person to use the business name or website. The underlying question is how ACH contracted with the unauthorized person without noticing anything was wrong. As a general rule of thumb, a business investigates and researches another business before allowing it to become a vendor.
Data
The patient data exposed included names, dates of birth, social security numbers, and clinical data. This is a rather useful set of data for an attacker, who could, in theory, take over a patient’s identity or sell the data on the dark web. The affected patients now have the opportunity to monitor their personal credit for over a decade.
Red Flag
On February 11, 2014, ACH received an unusual communication. A local hospital had found a portion of its patients’ data accessible on the First Choice website. This access just happened to be unauthorized.
Reporting
ACH submitted the data breach report to the US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) in April 2014. The official cause was the disclosure of patients’ protected health information (PHI). The initial report noted that 400 patients were affected by the compromise; this was later updated to 9,255 patients. Prior to April 2, 2014, ACH had not followed the HIPAA rules or implemented the portions of HIPAA relevant to this specific case. The findings also noted that the business had not implemented prudent security controls, had not performed a risk analysis prior to March 4, 2014, and had not signed a business associate agreement (BAA) with the person, who was not associated with First Choice.
Fine
For all of these missteps and failures, ACH paid a fine or penalty of $500,000. ACH also agreed to a plan to correct the issues. Part of this plan is to complete a risk analysis within 120 days, evaluate security risks and vulnerabilities, and inventory all electronic equipment, data systems, and apps that contain or store ePHI.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong and the OSs are always on the latest version.
About the Author - Charles Parker, II has been working in the infosec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and infosec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.