Blog

Breach of outpatient surgery records raises red flag - Axis In The News

Axis Technology's Joe Santangelo, data & security expert, weighs-in on medical record data breaches:

Axis Technology's Joe Santangelo, data & security expert, weighs-in on medical record data breaches: Breach of outpatient surgery records raises red flag - Know and protect your data AHC Newsletters Via Acquire Media NewsEdge Breach of outpatient surgery records raises red flag Know and protect your data Cyber attacks. Data thefts. System breaches. They're all on the rise, and healthcare is the no. 1 field at risk, according to a just-released Internet Security Threat Report 2011 Trends from Symantec Corp. 1 Consider these recent examples from the outpatient surgery field: • Earlier in 2012, St. Elizabeth's Medical Center in Boston notified almost 7,000 patients that their billing information, including credit card numbers and security codes, might have been compromised. 2 The documents were removed by a vendor from a building that was about to be demolished and were to be shredded. A few days later, an individual reported finding cashier's receipts for credit card payments made by five patients, including some from the hospital's surgery center, blowing through a field in another neighborhood. The receipts included patients' names, hospital account numbers, credit card numbers, security codes, and expiration dates. ... • Also earlier this year, Emory Healthcare in Atlanta found that 10 backup discs containing information on surgical patients were missing from a storage location at one of its hospitals. The information on the discs was from about 315,000 surgical patients treated at one surgery center and two of its hospitals. The discs contained patient names, dates of surgery, diagnoses, procedure codes or the name of the surgical procedures, device implant information, surgeons' names, and anesthesiologists' names. About 228,000 of the patient records included Social Security numbers. All affected patients were provided identity protection services, including credit monitoring, and access to a toll-free hotline for questions. Any patient who discovers identity theft or fraud issues within one year is provided an investigator to help them restore their identity. (For more information, view Emory Healthcare's "Notice to Our Patients" atwww.emoryhealthcare.org/protection.) Emory leaders acknowledge that the discs had not been stored according to the facility's protocol, according to a published report. 3 The discs were in an office cabinet that was not locked at night, although it was on a restricted hallway, the media report said. The information on the discs was associated with an outdated system and, thus, was not encrypted. Additionally, in 2011, bills of 32 patients at Emory's orthopedic clinic were stolen, and information was used to file fraudulent tax returns in the names of nine of those patients, the media report said. Stolen patient data can put an outpatient surgery program into legal problems fast. "In addition to HIPAA, there are several states that have pertinent laws, says Joe Santangelo, MS, principal consultant at New York City-based Axis Technology, which provides data security services. What would it cost you? Maybe millions And then there's the cost. Emory estimates that this latest incident cost the healthcare system between $1.5 and $2 million. There were no fines. "If you are found to have a breach, it can be a very costly and potentially debilitating affair," Santangelo says. He points to a recent example of a small surgery center with 5 physicians that was fined $100,000 by the Office of Civil Rights (OCR) for failing to protect patient information. 4 "The investigation found that the practice failed to implement adequate policies and procedures to protect patient information, did not document that it provided HIPAA training to employees, failed to conduct risk analysis, and failed to obtain proper agreements from business associates," Santangelo says. (To see the resolution agreement, go tohttp://1.usa.gov/IlVjXX.) He points out that in addition to the costs of notifying patients, investigating and controlling the breach, and potential litigation and fines, there are intangible costs such as damage to your brand, loss of customers, decline in practice value, and reputation management. "Thus providing proper security of patient information is actually a cost-effective practice, when looked at in terms of the cost of a breach," Santangelo says. To read the full article, click here