In the Data Security Game, It Can Be One Strike and You’re Out

Don Miller

bTrade previously published a data security case study about how a financial services company avoided the wrath of FTC investigators by reacting quickly to correct an error in its IT system that caused a data breach, and because the company had established and implemented “comprehensive” data security policies.  Today, MFT Nation wants to share the details of a couple regulatory proceedings where healthcare entities acted quickly following a data breach, but got hit with hefty fines because they had neither established nor implemented any data security practices.

A Teaching Hospital Gets Schooled by OCR

Lahey Hospital and Medical Center, a nonprofit teaching hospital affiliated with Tufts Medical School, agreed to pay an $850,000 fine after an investigation by U.S. Department of Health and Human Services, Office for Civil Rights, for potential HIPAA violations.  (One of OCR’s mandates is to “protect the privacy and security of health information in accordance with applicable law”).  It seems the hospital drew the ire of OCR due to its lax data security practices.

The proceeding began when the hospital notified OCR of the theft of a laptop that contained the protected health information of 599 patients.  The subsequent OCR investigation uncovered “widespread non-compliance with the HIPAA rules,” including the “failure to conduct a thorough risk analysis of all of its ePHI,” as well as the “failure to implement and maintain policies and procedures regarding the safeguarding of ePHI.”
Read more about the proceeding on the OCR website.

An Insurance Holding Company is Forced to Pay a High Premium for Lax Data Security

Triple-S Management Corporation, a Puerto Rican based insurance holding company, agreed to pay a $3.5 million fine as part of the settlement of an OCR investigation into potential violations of the HIPAA’s Privacy and Security rules.  The settlement is the second largest financial penalty ever issued as part of a HIPAA resolution agreement.

The enforcement action arose after HHS received multiple breach notifications from Triple-S regarding unsecured protected health information.  HHS then initiated investigations that indicated “widespread non-compliance” throughout the various subsidiaries of the company. OCR found that Triple-S failed to comply with some of the most basic HIPAA Privacy and Security rules, such as entering into proper business associate agreements, adhering to the minimum necessary requirement, and conducting a HIPAA Security Rule risk analysis.

Following announcement of the settlement, OCR Director Jocelyn Samuels had this to say in a prepared statement: “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

Read more about the proceeding on the OCR website.

For more information about data security news, tips and trends, follow bTrade on Twitter, @bTradeLLC.