Lost USB Memory Drive Leads to $150,000 HIPAA Settlement for Small Dermatology Practice
On October 7th, 2011, Adult & Pediatric Dermatology, P.C. (APDerm), a Concord, Massachusetts-based private practice with six offices in Massachusetts and New Hampshire, notified the Department of Health and Human Services (HHS) that an unencrypted USB memory drive containing protected health information (PHI) had been stolen. The notification followed the September 14th theft, from an employee’s vehicle, of a computer bag containing the drive. APDerm maintains that there is no evidence the PHI on the still-unrecovered drive was accessed or disclosed by an unauthorized person. Because the drive was unencrypted, however, that absence of evidence offers no assurance: whoever holds the drive can read it, and the PHI on it counts as “unsecured” under the Breach Notification Rule regardless.
On December 26th, 2013, HHS announced a $150,000 settlement with APDerm for alleged HIPAA violations uncovered during the investigation that followed the reported breach. The settlement also includes a corrective action plan (CAP) requiring APDerm to bring its operations into compliance with the HIPAA Privacy, Security and Breach Notification Rules.
What Was the Nature of the Information and How Many Individuals Were Affected?
Approximately 2,200 individuals’ unsecured PHI was stored on the drive, including digital images of surgical skin cancer procedures and related reports. APDerm stated publicly that no patient addresses, Social Security numbers, insurance or other financial information was on the device.
What Was Done to Mitigate/Remediate?
APDerm notified affected patients by post in early October 2011 and alerted local media outlets (under the Breach Notification Rule, a breach of unsecured PHI affecting more than 500 residents of a state or jurisdiction obliges the covered entity to notify prominent media outlets serving that state or jurisdiction). APDerm reported the breach to HHS at the same time as it notified patients.
Once the breach was made public, APDerm’s Chief Operating Officer indicated that the practice took “some additional steps to further improve our security of patient data,” though no details were provided as to what those steps entailed.
What Factors Contributed to the Settlement?
Beyond the fact that APDerm stored unsecured PHI on a USB drive that was subsequently stolen, HHS found in its post-breach investigation that further HIPAA compliance deficiencies contributed to the monetary settlement and the CAP imposed on APDerm:
- APDerm had not conducted an accurate and thorough risk analysis of the threats to, and vulnerabilities of, the PHI it held before the breach, and did not complete one until about a year afterwards.
- APDerm had no written breach notification policies and procedures, and did not train its workforce on them, until more than a year after the breach.
What Can Your Organization Do to Avoid a Similar Outcome?
- Conduct a review of the types of portable devices (USB drives, external hard drives, laptops, tablets, smartphones, etc.) you use to store PHI. Are the devices themselves encrypted? If not, are the files on them encrypted? This distinction matters: under HHS’s breach notification guidance, PHI encrypted in a manner consistent with NIST guidance is not “unsecured PHI”, so the loss of such a device is not a reportable breach provided the decryption key was not also compromised. An unencrypted device offers no such safe harbor.
- Ensure documented policies and procedures are in place, being followed and reflect actual practices.
- Make certain to regularly train your workforce on all relevant HIPAA compliance topics.
- Regularly review your organization’s portable devices to confirm that encryption is not merely installed but enabled and actually protecting the volumes that hold PHI.
- Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities and controls have been considered.
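One way to carry out the encryption check in the list above, as an added example that is not from the article or from APDerm: a POSIX shell audit for a Linux host that parses `lsblk -P` output and gives a per-volume verdict on every removable device, flagging those that are not LUKS or BitLocker containers. The `lsblk` columns used (NAME, TYPE, RM, FSTYPE) and the libblkid labels `crypto_LUKS` and `BitLocker` are real; the sample lines embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original article): audit removable block
# devices for at-rest encryption from lsblk's key="value" (-P) output.
# Assumes a Linux host with util-linux lsblk; libblkid labels LUKS containers
# "crypto_LUKS" and BitLocker To Go volumes "BitLocker".

# audit_removable reads `lsblk -P -o NAME,TYPE,RM,FSTYPE` lines on stdin and
# prints one verdict per removable partition, or per removable whole-disk
# filesystem (a stick formatted without a partition table). Fixed disks,
# the decrypted "crypt" mapper devices that sit on top of a LUKS container,
# and empty card-reader slots (removable disk, no filesystem, no children)
# produce no output.
audit_removable() {
    awk '
    {
        split("", f)                      # clear the per-line field table (POSIX idiom)
        line = $0
        while (match(line, /[A-Z_]+="[^"]*"/)) {
            kv  = substr(line, RSTART, RLENGTH)
            eq  = index(kv, "=")
            key = substr(kv, 1, eq - 1)
            val = substr(kv, eq + 2, length(kv) - eq - 2)   # strip the quotes
            f[key] = val
            line = substr(line, RSTART + RLENGTH)
        }
        if (f["RM"] != "1") next                             # fixed media: out of scope
        if (f["TYPE"] != "part" && !(f["TYPE"] == "disk" && f["FSTYPE"] != "")) next
        if (f["FSTYPE"] == "crypto_LUKS" || f["FSTYPE"] == "BitLocker")
            printf "%s encrypted (%s)\n", f["NAME"], f["FSTYPE"]
        else
            printf "%s UNENCRYPTED (%s)\n", f["NAME"], (f["FSTYPE"] == "" ? "no filesystem detected" : f["FSTYPE"])
    }'
}

# count_unencrypted: number of removable volumes that fail the audit.
count_unencrypted() {
    audit_removable | grep -c 'UNENCRYPTED' || true    # grep -c exits 1 on zero matches
}

# Constructed sample in lsblk -P format (not captured from a real host):
# one fixed disk, a FAT-formatted stick, a LUKS stick and its mapper device,
# an unpartitioned exFAT stick, a BitLocker To Go stick and an empty card slot.
SAMPLE=$(cat <<'EOF'
NAME="sda" TYPE="disk" RM="0" FSTYPE=""
NAME="sda1" TYPE="part" RM="0" FSTYPE="ext4"
NAME="sdb" TYPE="disk" RM="1" FSTYPE=""
NAME="sdb1" TYPE="part" RM="1" FSTYPE="vfat"
NAME="sdc" TYPE="disk" RM="1" FSTYPE=""
NAME="sdc1" TYPE="part" RM="1" FSTYPE="crypto_LUKS"
NAME="luks-3f2a" TYPE="crypt" RM="1" FSTYPE="ext4"
NAME="sdd" TYPE="disk" RM="1" FSTYPE="exfat"
NAME="sde" TYPE="disk" RM="1" FSTYPE=""
NAME="sde1" TYPE="part" RM="1" FSTYPE="BitLocker"
NAME="sdf" TYPE="disk" RM="1" FSTYPE=""
EOF
)

# Run against the live host with --live; otherwise audit the constructed sample.
if [ "${1:-}" = "--live" ] && command -v lsblk >/dev/null 2>&1; then
    lsblk -P -o NAME,TYPE,RM,FSTYPE | audit_removable
else
    printf '%s\n' "$SAMPLE" | audit_removable
fi
```

The per-partition verdicts are the useful part: a LUKS header somewhere on a stick does not prove that the PHI lives inside the container rather than on an unencrypted partition next to it, so each volume is judged on its own. The check only shows that an encrypted container is present, not that the key material is managed well, so it complements rather than replaces the risk analysis. On Windows the analogous check is `Get-BitLockerVolume` and its ProtectionStatus field.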
What Resources Are Available to You?
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach Notification regulations are published by HHS at 45 CFR Parts 160 and 164.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.