During her 2½-year battle with cancer, actress Farrah Fawcett was convinced that someone at the UCLA Medical Center was leaking her private medical records to a supermarket tabloid. She wasn't wrong, and her plight serves as a cautionary tale to providers about the privacy rights of their patients.
Fawcett Case Served As A Preview To The Worst HIPAA Violation Fines
Unfortunately, an alarming number of healthcare providers, business associates, healthcare clearinghouses, and health plans have failed to heed the lessons of the Fawcett fiasco. In fact, since her passing in 2009, the number of U.S. healthcare data breaches (a minimum of 500 patient records compromised) has soared from just 18 in 2009 to an astounding 642 in 2020.
Of those 642 breaches - accounting for 29.3 million exposed patient records - 497 were attributed to healthcare providers. This is precisely what Fawcett was trying to stop.
So certain was Fawcett that her privacy rights were being violated that in 2007 she devised a successful sting operation to catch the culprit. After she proved that the leak was coming from within, an internal investigation revealed that a hospital employee had been accessing Fawcett’s records more frequently than her own doctors.
But when Fawcett asked who did it, the hospital’s senior official in charge of patient privacy callously told her: “We have a responsibility to protect our employees.”
“More than your patients?” countered Fawcett.
It took four months before the hospital named the offender - an administrative specialist who, according to California health inspectors, had perused the records of more than 900 patients over a four-year period “without any legitimate reason.”
Greed, of course, is the frequent motivator for these kinds of violations, which include costly identity theft, credit card information theft or, in the Fawcett case, the sale of her medical information to a tabloid for $4,600. That was a drop in the bucket compared to the $865,000 the UCLA Health System later agreed to pay for numerous privacy violations, in addition to the first of many jail sentences meted out to employees for theft of ePHI.
HIPAA Violation Fines And Compliance
The Price Of Doing Business
The UCLA penalties sounded a warning to other healthcare institutions that the Department of Health and Human Services - now armed with enforcement powers from the HITECH Act of 2009 - wasn't messing around anymore.
Violators of HIPAA privacy rules today face fines up to $250,000 per offense (and up to $1.5 million annually) and up to 10 years in jail, plus an additional 2 years for aggravated identity theft. And yet, “snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities” remains one of the most common HIPAA violations committed by individual employees, according to the HIPAA Journal.
HIPAA Privacy Rules state that access to patient health records for reasons other than treatment, payment, and healthcare operations is a violation of patient privacy. And although punishment is usually limited to the offending employee, healthcare organizations that fail to prevent snooping are not exempt from costly fines.
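The Fawcett investigation above found the snooper by comparing audit-log access counts against the care team, and the rule just stated gives the second test: chart access with no treatment, payment or operations reason. The following is an added example, not code from the article or from any EHR vendor, that runs both checks over a constructed set of audit events; the field layout and the role names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of EHR access-audit events (assumed layout, not from any real system).
# Fields: user, role, patient, reason. "reason" is the TPO justification the EHR
# recorded for the access; "none" means no treatment/payment/operations link existed.
AUDIT_EVENTS = [
    ("dr_lee", "physician", "P001", "treatment"),
    ("dr_lee", "physician", "P001", "treatment"),
    ("nurse_kim", "nurse", "P001", "treatment"),
    ("billing_ray", "billing", "P001", "payment"),
    ("admin_joe", "admin", "P001", "none"),
    ("admin_joe", "admin", "P001", "none"),
    ("admin_joe", "admin", "P001", "none"),
    ("admin_joe", "admin", "P001", "none"),
    ("admin_joe", "admin", "P002", "none"),
    ("admin_joe", "admin", "P003", "none"),
    ("admin_joe", "admin", "P004", "none"),
    ("dr_lee", "physician", "P002", "treatment"),
    ("nurse_kim", "nurse", "P005", "none"),
]

TPO_REASONS = {"treatment", "payment", "operations"}
CLINICAL_ROLES = {"physician", "nurse"}  # assumed role names


def find_snooping(events, max_unjustified_patients=2):
    """Return {user: findings} for users matching either snooping heuristic.

    out_accessed_care_team: charts the user opened (with no TPO reason) more often
        than the busiest clinician treating that patient (the Fawcett pattern).
    unjustified_patient_count: number of distinct charts opened with no TPO reason,
        reported when it exceeds max_unjustified_patients (the 900-patient pattern).
    """
    care_team = Counter()    # (patient, clinician) -> treatment accesses
    unjustified = Counter()  # (user, patient) -> accesses with no TPO reason
    for user, role, patient, reason in events:
        if reason not in TPO_REASONS:
            unjustified[(user, patient)] += 1
        elif reason == "treatment" and role in CLINICAL_ROLES:
            care_team[(patient, user)] += 1
    busiest_clinician = defaultdict(int)
    for (patient, _), n in care_team.items():
        busiest_clinician[patient] = max(busiest_clinician[patient], n)
    findings = defaultdict(lambda: {"out_accessed_care_team": [], "unjustified_patient_count": 0})
    patients_by_user = defaultdict(set)
    for (user, patient), n in unjustified.items():
        patients_by_user[user].add(patient)
        if busiest_clinician[patient] and n > busiest_clinician[patient]:
            findings[user]["out_accessed_care_team"].append(patient)
    for user, patients in patients_by_user.items():
        if len(patients) > max_unjustified_patients:
            findings[user]["unjustified_patient_count"] = len(patients)
    return {u: f for u, f in findings.items()
            if f["out_accessed_care_team"] or f["unjustified_patient_count"]}
```

A single unjustified access (nurse_kim on P005) is reported by neither check; it is the volume relative to the care team, or across many patients, that distinguishes snooping from an occasional mis-click.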
If snooping is the most common HIPAA violation among individual employees, failure to perform a comprehensive risk analysis ranks among the most common violations for organizations, leaving them vulnerable to the most common form of breach: hacking.
Of the 642 breaches in 2020, 429 were related to hacking or other IT incidents, followed by 143 involving unauthorized access to or disclosure of patient records.
The highest fine ever levied for a HIPAA violation was against Anthem, Inc., for $16 million. As an independent licensee of the Blue Cross and Blue Shield Association and one of the nation's largest health benefits companies, Anthem discovered in March 2015 that cyber-attackers had accessed its IT system and stolen the ePHI of 79 million people over a 56-day span from December 2014 to January 2015.
Among providers, no one organization rivals the size, scope or cost of the Anthem case. But when you're talking about millions of dollars and millions of affected patients, the cost is substantial. And like the Fawcett case, they all serve as cautionary tales about the importance of maintaining patient privacy.
Top 20 HIPAA Violation Fines For Providers
1. $5.55 million
Advocate Health Care: Investigation into one of the nation's largest health systems began in 2013 as a result of three separate breaches involving an AHC subsidiary that affected 4,029,530 patients. The first breach occurred in July 2013 when four laptop computers were stolen from Advocate's administrative offices in Park Ridge, Illinois. The second occurred when AHC failed to get assurances from a business associate that the ePHI of 2,029 patients would be safeguarded prior to disclosure. And the third occurred when a laptop with 2,237 ePHI records was stolen during the night from an unlocked vehicle.
2. $5.5 million
Memorial HC System: First, MHS reported that two employees had stolen and sold ePHI. That led to an internal investigation that revealed 12 more employees at its affiliated physician offices had used the login of a former employee to impermissibly access ePHI on a daily basis for 13 months between 2011 and 2012. In all, the ePHI of 115,143 individuals had been compromised. Several risk assessments between 2007 and 2012 had identified the risk, but MHS had never acted on it.
3. $4.8 million
NY Presbyterian Hospital and Columbia University Medical Center: The offense occurred in September 2010 when a physician employed by the university was attempting to deactivate a personally owned computer. Because the computer lacked technical safeguards, the ePHI of 6,800 patients was compromised. And because the data was stored on a shared data network, the two organizations shared responsibility for the violation.
4. $4.3 million
Cignet Health of St. George County: Between September 2008 and October 2009, Cignet denied 41 patients access to their medical records in violation of their patient rights. During the investigation, Cignet refused to cooperate or comply with the Office of Civil Rights' demands to produce the records and made no effort to resolve the complaints through informal means. This marked the first time HHS had imposed a civil money penalty for a HIPAA violation.
5. $3.9 million
Feinstein Institute for Medical Research: In September 2012, an unencrypted laptop computer containing the ePHI of about 13,000 patients and research participants was stolen from the back seat of an employee's car. Violations included an inaccurate and incomplete risk analysis, in addition to a lack of policies and procedures governing the removal of equipment used to store ePHI from its facilities, among several other violations.
6. $3.217 million
Children’s Medical Center of Dallas: Twice, they had security gap analyses performed between 2006 and 2008. Twice, it was recommended they encrypt portable devices such as laptops, workstations, mobile devices and portable storage devices. And twice, they ignored that advice, despite one recommendation that it be given "high priority." The subsequent loss of an unencrypted Blackberry and an unencrypted iPod and the theft of an unencrypted laptop exposed the ePHI of 6,284 patients between 2010 and 2013.
7. $3 million
Cottage Health: Two breaches compromised the unsecured ePHI of 62,500 patients at the California-based facilities. In December 2013, it was determined that server data could be accessed without a username or password. In December 2015, unsecured ePHI was exposed to the Internet after a server was misconfigured by IT staff in response to a troubleshooting ticket. Cottage Health was cited for lack of risk assessment and security measures.
7. $3 million
University of Rochester Medical Center: In 2013, an unencrypted flash drive with an undetermined number of PHI records was lost. In 2017, an unencrypted personal laptop belonging to a resident surgeon and containing the PHI of 43 patients was stolen from a treatment facility. All of this could have been avoided if URMC had acted on its own findings after an unencrypted flash drive was lost in 2010. Instead, URMC permitted the continued use of unencrypted mobile devices.
9. $2.75 million
University of Mississippi Medical Center: As early as April 2005, UMMC was aware of risks and vulnerabilities to its system. Still, it did nothing until a visitor apparently stole an unencrypted, password-protected laptop that contained the PHI of 500 patients from UMMC's Medical Intensive Care Unit in March 2013. Worse, a subsequent investigation revealed that UMMC hadn't protected its wireless network from external access - that 67,000 files and the ePHI of 10,000 patients could be accessed from that network using a generic username and password.
10. $2.7 million
Oregon Health & Science University: Two data breaches in 2013 exposed the ePHI of more than 7,000 patients. An unencrypted laptop computer containing the PHI of 4,022 patients was stolen from the Hawaiian vacation apartment of an OHSU provider. Three months later, the PHI of 3,044 patients was compromised by two physicians sharing a spreadsheet with patient data via a cloud storage service. In violation of HIPAA rules, no business associate agreement had been obtained prior to the service being used.
Second 10: The Price Of Protecting Privacy Rights
11. $2.4 million: Memorial Hermann Health - Administrators disclosed to police the name of a patient who'd presented a fraudulent ID card to staff; that's allowed. But then MHH identified the patient in a press release; that's not allowed.
12. $2.3 million: 21st Century Oncology - Failure of risk assessment and protocols enabled a hacker to steal the ePHI of more than 2.2 million patients.
13. $2.2 million: New York Presbyterian Hospital - Allowed without prior authorization the filming of two patients for the ABC series "NY Med" in 2011.
14. $2.175 million: Sentara Hospitals - Mailed PHI of 577 patients to the wrong addresses. SH incorrectly argued that no violation had been committed because the PHI included no patient diagnosis, treatment info or other medical info. They lost.
15. $2.16 million: Jackson Health Systems - Multiple violations include the loss of 680 paper PHI records in 2012; the loss of 756 paper PHI records in 2013; a social media post of a photo identifying the PHI of two patients (including a prominent NFL player) in 2015; and an employee who had accessed and sold the PHI of 24,188 patients over a five-year period beginning in 2011.
16. $2.14 million: St. Joseph Health - Files with ePHI were created under the Meaningful Use Program, then left unprotected and accessible on the Internet for 12 months beginning in February 2011; the ePHI of 31,800 patients was exposed and indexed by Google.
17. $1.7 million: Alaska Department of Health and Social Services - Theft of a portable hard drive from the vehicle of a DHSS computer technician in October 2009 potentially compromised the ePHI of about 500 individuals.
18. $1.6 million: Texas HHS Commission - Flawed software code allowed the ePHI of 6,617 patients to be viewed over the Internet during the transfer of an internal application from a private, secure server to a public server.
19. $1.55 million: North Memorial HC of Minnesota - Nailed for lack of a signed agreement with a business associate that had been given access to NMHC databases. Problem surfaced when an unencrypted laptop with the ePHI of 9,497 NMHC clients was stolen from a vehicle owned by an employee of the business associate.
20. $1.5 million: Athens Orthopedic Clinic PA - A hacker used a vendor's credentials to access the ePHI of 208,557 patients for more than a month during the summer of 2016, then demanded money for the return of the PHI records. AOC was cited for failures in risk assessment and risk management that could have prevented the hacker's access.
No More Fines; Off The List
In 2018, the University of Texas M.D. Anderson Cancer Center was fined $4.38 million after two unencrypted flash devices were lost and an unencrypted laptop was stolen between 2012 and 2013. Altogether, the ePHI of 34,883 patients was compromised. The fine was overturned on appeal in January 2021, knocking M.D. Anderson out of the No. 4 position on this list.
With that in mind, this list is as complete as it can be, but is subject to corrections and changes as violations and fines continue to escalate at record annual rates.
When It Comes To HIPAA Compliance, Better To Act Than React
In a way, it seems almost wrong that when, for example, a hacker steals patient data from your system, YOU are the one paying the fine. Keep in mind, however, that HIPAA regulations exist to protect patient privacy rights - and to protect healthcare providers, practices and institutions from themselves.
Yes, these fines are substantial. However, they represent but a fraction of the overall cost often incurred by violators. The bigger cost often comes in the form of civil lawsuits (consider the nearly 80 million patients whose PHI has been exposed since 2009), attorney fees, security upgrades, and restoration of significantly tarnished reputations.
Everything considered, it's better to be proactive than reactive when it comes to HIPAA regulations.
Part of that proactive approach includes:
Accurate and thorough risk assessments to identify potential risks and vulnerabilities
Implementation of a risk management plan to address those risks and vulnerabilities
Implementation of EHR software with security standards that fully align with and support a HIPAA-compliant ecosystem
For a closer look at how EHR software from InSync Healthcare Solutions can support your efforts to become more HIPAA-compliant, schedule a demo with one of our experts who'd be happy to field any questions you might have.