Lesson Learned — Healthcare Entities Must Perform HIPAA RISK ASSESSMENTS!
Recently, Chicago-based AMG Medical Group revealed that four million patient records were breached during a burglary at its administrative office. The Park Ridge Police Department was notified immediately after the break-in, in which four computers were stolen, occurred at the administrative office on July 15, 2013.
AMG launched an investigation and discovered that the four computers did not contain patient medical records; however, they did contain patient information including names, dates of birth, addresses and Social Security numbers. In addition, the computers contained limited clinical information, such as attending physicians and/or departments, medical record numbers, diagnoses, medical service codes and health insurance data.
According to Bill Barr, a development coordinator with the newly formed Medical Identity Theft Alliance (MIFA) and co-founder of the Smart Card Forum, the incident marks one of the largest health care breaches yet, with a surprisingly high number of patients whose information has been exposed.
It’s important to note that while the computers were password protected, they weren’t encrypted. Naturally, this leads many people to wonder:
- Why weren’t these four computers encrypted to protect the patient information?
- Why were four million patient records stored on desktop computers instead of on a centralized server?
Surely if AMG had performed a HIPAA Risk Assessment these risks would have been identified. Aside from any potential HIPAA-related fines from the HHS Office for Civil Rights, the cost of this breach is going to be huge. The estimated cost of a healthcare-related data breach is approximately $240 per record! Doing the math, we find that four million breached records will cost AMG a total of $960,000,000.
The Take-Home Message: Encryption and HIPAA Risk Assessments Should Always Be a Top Priority!
Encrypting a desktop computer costs less than $100 per year. Assuming that 100 desktop computers stored PHI (protected health information), which should instead be stored on a server, the cost to encrypt those 100 desktop computers would be approximately $10,000 per year. Would you rather pay $10,000 or $960,000,000? The answer is obvious, and it would have cost only $400 to encrypt these four desktops and avoid the breach expenses.
The $400 price would be a fraction of the $960,000,000 that AMG will now have to pay, not to mention the damage to their reputation that comes from a breach as severe as this.
Do you know how many patient records are currently stored on your organization's computers, and whether they are properly protected?
Where are these records stored?
Are they stored on laptops, desktops, smartphones, or any other devices?
To avoid an expensive breach, and damage to your organization’s reputation, follow these steps to provide maximum protection for PHI:
- Perform a HIPAA Risk Assessment to determine where patient information is stored and the potential risk of a data breach.
- Encrypt each device that contains patient information; as covered above, the expense will be far lower than breach-related expenses!
- Train all of your employees on how to properly protect PHI.
It’s difficult to think of an area more private than an individual’s medical or health information. Medical records often include some of the most intimate details about a person’s life. Protecting the confidentiality of health information is essential to ensure that individuals are able to obtain quality care.