MassDevice

Fines remain rare even as health data breaches multiply

February 27, 2015 By MassDevice

[Illustration: David Sleight/ProPublica]

by Charles Ornstein, ProPublica

This story was co-published with NPR’s Shots blog.

In a string of meetings and press releases, the federal government’s health watchdogs have delivered a stern message: They are cracking down on insurers, hospitals and doctors’ offices that don’t adequately protect the security and privacy of medical records.

“We’ve now moved into an area of more assertive enforcement,” Leon Rodriguez, then-director of the U.S. Department of Health and Human Services’ Office of Civil Rights, warned at a privacy and security forum in December 2012.

But as breaches of patient records proliferate – just this month, insurer Anthem revealed a hack that exposed information for nearly 80 million people – federal overseers have seldom penalized the health care organizations responsible for safeguarding this data, a ProPublica review shows.

Over 1,100 Health Data Breaches, but Few Fines

Since October 2009, health care organizations and their business partners reported 1,142 large-scale data breaches, each affecting at least 500 people, to the U.S. Department of Health and Human Services. Of those, seven breaches have resulted in fines.

[Graphic: Sisi Wei and Charles Ornstein, ProPublica]

Since October 2009, health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office of Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people.

In some cases, records were on laptops stolen from homes or cars. In others, records were targeted by hackers. Sometimes, paper records were forgotten on trains or otherwise left unattended.

Yet, over that time span, the Office of Civil Rights has fined health care organizations just 22 times.

By comparison, the California Department of Public Health, which also levies fines against hospitals for breaches of patient privacy, imposed 22 penalties last year alone — and another eight in the first two months of this year.

The federal Office of Civil Rights has clear authority to audit health care organizations to ensure they are protecting patient records, as well as to impose large fines: up to $1.5 million a year for violations of a single HIPAA provision. Yet experts on protecting health data have noted with chagrin how rarely the agency uses its power.

“It’s disappointing and underwhelming,” said Bob Chaput, founder and chief executive of Clearwater Compliance, which helps health care organizations create programs to protect sensitive information. “They’re not doing as much as they could or should.”

The Office of Civil Rights declined an interview request from ProPublica, but said in a statement that it “aggressively” identifies and investigates “high-impact cases that send strong enforcement messages about important compliance issues.” The agency looks into all large data breaches, a spokeswoman wrote in an email, and the cases resulting in financial penalties “have involved systemic and/or long-standing” concerns.

The agency’s stiffest sanction to date came last May, when it hit New York-Presbyterian Hospital and Columbia University with fines totaling $4.8 million for failing to secure the electronic health records of 6,800 people. A physician had tried to remove his personally owned computer server from a shared network; because the network lacked adequate technical safeguards, patient records, including patient status, vital signs, medications and lab results, became reachable from the internet and were indexed by Web search engines. The problem surfaced when a person found a deceased partner’s personal health information online.

The federal government has played a growing role in health privacy and security since the passage of the Health Insurance Portability and Accountability Act, or HIPAA, in 1996. The law mandated standards for the use and dissemination of health care information and for how organizations protect electronic medical records.

In 2009, the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, went a step further. It required that organizations publicly report breaches involving at least 500 patients, increased how much HHS could fine organizations that violate patient privacy and record security, mandated that HHS conduct audits, and extended the rules to third parties that work with health care organizations.

But since then, even HHS’ inspector general has been critical of the way in which the Office of Civil Rights has used its authority. In November 2013, the inspector general faulted the agency for not performing audits mandated by the HITECH Act.

A first, pilot set of audits, conducted in 2011 and 2012, showed that 102 of the 115 organizations reviewed had at least some problems with security or weren’t following rules to safeguard patient privacy. A larger follow-up round of audits is only now getting underway, experts say.

Consultants and experts in the field say the civil rights office has not fully explained the delays. Rodriguez, its former director, left last summer to head the U.S. Citizenship and Immigration Services. A new director has since taken the reins.

Some industry veterans say the Office of Civil Rights is trying to strike a balance between working with organizations to improve their security and punishing truly egregious lapses. Health providers often agree to make voluntary changes even if they’re not fined, the agency has said.

“We’ve come a long way since HIPAA first came out,” said Angela Rose, director of health information management practice excellence at the American Health Information Management Association, an industry trade group. “In the coming years, it will get better. It will get more strict.”

“What you don’t want [the Office of Civil Rights] to become is somebody like your parking enforcement where they’re funding themselves by issuing tickets or fines to everybody who has the smallest infractions,” said Joy Pritts, who until last year served as chief privacy officer for the federal Office of the National Coordinator for Health Information Technology.


Data security experts also say the Office of Civil Rights simply does not have the resources to handle its oversight responsibilities. While it can keep whatever fines it imposes to use for enforcement, it has fewer than 200 employees and a budget of just $39 million. Its duties, by comparison, are vast: Each year, it handles over 4,000 discrimination complaints, reviews 2,500 Medicare provider applicants to see if they are complying with federal civil rights requirements, and resolves more than 15,000 complaints of alleged HIPAA violations. The president is seeking a budget increase for the agency next year.

“They’re swamped,” said Dan Berger, chief executive of Redspin, an IT security company that issues an annual report on trends in large data breaches.

The number of large data breaches continues to increase. Last year, 278 were reported, according to federal data, up from under 200 per year from 2010 to 2012. Since the Office of Civil Rights reviews all of them, as well as some smaller ones and other complaints, years can pass before cases are closed.

It took five years, for instance, for the office to impose an $800,000 fine against Parkview Health System for an incident in which 71 cardboard boxes of medical records for 5,000 to 8,000 patients were left unattended in the driveway of a physician’s home. That incident was not reported as a large data breach but instead came in as a complaint from the physician.

“I think the office is overwhelmed with the volume that’s coming in and that’s in part leading to long delays in resolving some of these cases,” said Adam Greene, a partner at Davis Wright Tremaine, a law firm in Washington D.C., and a former OCR official.

Some organizations currently under review by HHS say they don’t know the status of their cases. In 2012, the state of Utah disclosed that hackers gained access to a server that stores data on Medicaid and children’s health insurance claims. Social Security numbers of 280,000 people and less-sensitive information on 500,000 others were accessed.

Since then, the state health department has had three official interactions with the Office of Civil Rights, the last coming in May 2014. “It’s hard to tell where we are in the process,” said Tom Hudachko, an agency spokesman. “We thought there would have been resolution by this point.”

Utah’s Department of Technology Services, which handles all tech needs for the state, has tightened security since the breach: it hired a new chief information security officer, received additional funding from the legislature, expanded network monitoring to 24 hours a day, and arranged for an outside security assessment every two years.

The Montana Department of Public Health and Human Services, which reported a hacking incident last year that affected more than 1 million people, also said HHS’ investigation is ongoing.

Some security experts say that the government needs to use its authority to impose fines to send a message. Bruce Schneier, a computer security expert and blogger, compared the situation to environmental pollution.

“If the cost of polluting is zero, companies will pollute. How would a rational company not do that?” he said. “If your CEO said we’re going to spend four times as much money not to pollute, he would be fired. What you need is to make security rational.”
