No health care organization is immune to a data breach. Health care data breach notifications have been on the rise since the Office for Civil Rights began collecting them, and this year has even seen reports of breaches from HIPAA auditors.
The latest health care data breach to make headlines — Stanford Hospital’s report that data on 20,000 emergency room patients had been posted to a public website for nearly a year — only reinforces the notion that no one is immune to risk. It also highlights the importance of knowing what your business associates are doing with your health care data.
According to the New York Times article, Stanford’s breach was caused by a billing contractor identified as Multi-Specialty Collection Services, which created a spreadsheet as part of a billing-and-payment analysis for the hospital. It is not clear who posted the spreadsheet to a commercial homework review website, where it remained publicly available for almost a year before a patient reported the breach to Stanford Hospital on August 22. The spreadsheet was promptly removed from the site by administrators. The hospital immediately suspended its relationship with the contractor and requested assurance that the file would be returned or destroyed immediately.
One month earlier, Beth Israel Deaconess Medical Center posted a breach notification to its website, reporting “a potential breach of protected health information as a result of the failure of a vendor to restore security controls following routine maintenance.” The vendor’s error left a BIDMC computer vulnerable to a virus, causing it to transmit data to an unknown location.
With hundreds — or even thousands — of business associates at play in health care, it’s not surprising that so many breaches are happening. A recent survey shows that data breach sufferers are in good company: Over 70% of survey respondents claimed to have had a breach of protected health information in the last year.
That’s a pretty big percentage. To help minimize the risk of a data breach, health care providers should consider reviewing and updating their HIPAA business associate agreements (BAAs) to ensure that business associates have patient-data protections in place. Don’t let your business associates put your organization’s name in the headlines as the next perpetrator of a health care data breach.