In February, Fresenius Medical Care North America agreed to complete an extensive corrective action plan and pay a $3.5 million settlement to the Office for Civil Rights (OCR) for 5 breaches the organization had in 2012. The breaches show that even the largest of organizations – Fresenius employs more than 110,000 people in 50 countries and has revenue of $17.9 billion annually – can make basic HIPAA errors.
Fresenius’ breaches were not caused by the newest malware virus or international hackers. Instead, they were the result of theft, loss and lack of encryption. “These breaches echo what I see regularly in organizations of all sizes,” said Jen Stone, a security analyst at Orem, Utah’s SecurityMetrics. “They were probably caused by the lack of an organized cybersecurity program and insufficient training.”
The breaches at Fresenius occurred between February and June 2012. The first was due to a break-in at a Jacksonville, Florida, location where 2 desktop computers were stolen. One of the computers housed the electronic protected health information (ePHI) of 200 patients, including names, birthdates, and Social Security numbers.
Two months later in Alabama, an unencrypted USB storage drive was taken from an employee’s car in a parking lot. The drive was loaded with ePHI of 245 patients, including personal and insurance information.
Three more breaches – one each in Arizona, Georgia, and Illinois – all happened in June. In Arizona, an anonymous report on the organization’s compliance line claimed a desktop hard drive was missing. Protected information of 35 people was on the device. Though the staff member whose drive went missing notified their manager, the manager did not report the incident to anyone else.
In Georgia, an unencrypted laptop was stolen from a car at an employee’s home. Not only was the laptop stolen, but it was stored in a bag with a password list. This caused a breach of 10 individuals’ ePHI.
Finally, 3 desktops and a laptop were stolen from the Illinois location. One of the desktops had 31 patients’ ePHI.
Years after HIPAA and HITECH passed, health care organizations are still “woefully noncompliant” with the measures, said Bob Chaput, founder and CEO of Clearwater Compliance. “We remain behind every other sector protecting critical infrastructure,” he said. “This is not rocket science, it’s basic hygiene. And these are simple missteps.”
Stone agrees. “When I hear of ePHI stolen from employees’ cars I have to wonder why it was there in the first place,” Stone said.
Fresenius declined an interview for this article, but Brad Puffer, director of public relations for the company, released a statement by email. He said that Fresenius takes the protection of patients’ health information very seriously.
“The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients’ health information was improperly accessed or misused,” he said. “We have, and will continue to, take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.”
On top of the financial settlement, Fresenius was required to take part in a corrective action plan that includes a risk analysis, risk management plan, improvement of policies and procedures related to devices, media and facility access, and ensuring staff are trained on those policies.
Every provider’s office should be taking these steps, Chaput said. He likens not having a risk analysis to a physician ordering an MRI and writing prescriptions for a patient before a physical examination.
“You don’t do this without understanding what the issues are,” he said. “The risk analysis is the diagnostic.”
Stone said it is critical to start with a comprehensive inventory of each device. Devices should not be categorized by their role or the team to which they belong. Instead, the person responsible for each should understand the responsibility and the sanctions that would result should he or she fail to protect the device, she said.
Fresenius was also sanctioned for not having the stolen USB drive encrypted. Both Stone and Chaput said it is a myth that encryption is merely optional, even though most people believe that is the case.
HIPAA says if encryption is reasonable and appropriate, it must be implemented. Many providers simply deem it inappropriate for their organization or feel the time or cost is unreasonable. But if they do so, Stone said, they must document why and implement an alternative safety measure. Most groups neither truly analyze it nor implement alternative safety controls, she said.
“In almost all cases, your risk assessment will tell you encryption is both reasonable and appropriate,” she said. “In the few cases when I got pushback from IT people, they couldn’t offer an equivalent alternative measure to protect the information. I always insist on encrypted ePHI.”
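The inventory and encryption rules described above, written out as an audit over a constructed device inventory. This is added example code, not anything from Fresenius, OCR or the people quoted; the device records, field names and sample entries are assumed for illustration.

```python
"""Audit a device inventory against three rules the article stresses:
every device has a named accountable owner (not just a team), ePHI at
rest is encrypted or the decision not to encrypt is documented with an
alternative safeguard, and a missing device is escalated beyond the
line manager. Inventory format and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    asset_id: str
    kind: str                      # "desktop", "laptop", "usb"
    holds_ephi: bool
    encrypted: bool
    owner: Optional[str]           # accountable person, not a team name
    status: str = "in_service"     # or "missing"
    escalated: bool = False        # loss reported beyond the line manager
    risk_note: str = ""            # documented reason for not encrypting
    alt_control: str = ""          # compensating safeguard, if any


def audit_device(d: Device) -> List[str]:
    """Return the findings for one device; an empty list means compliant."""
    findings = []
    if not d.owner:
        findings.append("no accountable owner")
    if d.holds_ephi and not d.encrypted and not (d.risk_note and d.alt_control):
        findings.append("unencrypted ePHI without documented alternative")
    if d.status == "missing" and not d.escalated:
        findings.append("loss not escalated")
    return findings


def audit(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant asset id to its findings."""
    return {d.asset_id: f for d in inventory if (f := audit_device(d))}


# Constructed sample modelled on the incident types in the article.
SAMPLE = [
    Device("DT-001", "desktop", True, True, "a.smith"),
    Device("USB-007", "usb", True, False, "b.jones"),
    Device("DT-014", "desktop", True, True, None, status="missing"),
    Device("LT-003", "laptop", True, False, "c.lee",
           risk_note="legacy imaging workstation; vendor blocks full-disk encryption",
           alt_control="kept in locked server room; removal not permitted"),
]

if __name__ == "__main__":
    for asset, findings in audit(SAMPLE).items():
        print(asset, "->", "; ".join(findings))
```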
Hitting the pocketbook
Settlements with OCR may be only the beginning of a company’s or practice’s financial liabilities, Chaput said. He offered as an example a 2016 negotiated settlement of $2.1 million with St. Joseph Health System in Orange County, California. Their OCR payment was followed by a $7.5 million class action lawsuit. They had to reserve $3 million for identity theft protection and $4.5 million for credit monitoring. They spent $13 million to fix the problem that caused the breach and paid $7.4 million to attorneys. The total cost for the organization was more than $37 million.
Finally, Chaput warns providers to remember that $3.5 million is a slap on the wrist. Aside from the number of records that are breached, the settlement or negotiated penalties are related to the kind of violations and length of time out of compliance. The numbers can easily reach tens of millions of dollars. He said providers have been paying, on average, a penalty of more than $6,500 per patient affected, with some as high as $193,000 per breached record.
“The Fresenius settlement amount was the tip of the iceberg,” Chaput said. “OCR has not shown its full potential and wrath to this point.”